Rory Macfarlane from Ince & Co in Hong Kong warns the recent WannaCry global attack is just the tip of the iceberg.
When a major cyber-security attack, perhaps on the scale of the ‘WannaCry’ ransomware incident just a few weeks ago, takes place in the global shipping industry, the popular imagination suggests it will be a ‘James Bond’ moment. Hollywood-inspired visions of cyber-attacks conjure up notions of vessels being ‘taken over’ by nefarious forces, with devastating consequences to follow.
Cyber-attacks certainly do have the potential to be deleterious to the physical assets of shipping and offshore operators, as well as crew safety and the environment. There are well documented examples of pirates gaining access to ship manifests, oil rig power management, or draw-works systems manipulated in order to suspend production and vessel AIS and ECDIC data being manipulated. The industry is right to be alert to vulnerabilities arising from onboard digitalisation and ship to shore connectivity. But the shipping industry must not be lulled into the complacency of believing that only their assets at sea are at risk of cyber-breach. The truth is more mundane, but potentially far more costly.
In an increasingly digitised world, cyber-breaches can have far reaching consequences for any business within the shipping, logistics, port and transport sectors. One estimate suggests that the annual global cost of cybercrime is forecast to rise to $2.1trn by 2019.
In reality, most cyber-attacks will target the shore-based operations of businesses within these sectors. This may not be outwardly visible in any way, but can be no less damaging, commercially, financially and reputationally. Such attacks can take many different forms and are more likely to be indiscriminate than targeted. Indeed, although the chances of a successful cyber-breach can be reduced through pro-active preventative measures, that there will be a cyber-attack on your business is almost inevitable.
Despite the risks, many companies in the shipping and transport sectors remain unaware and unprepared for the consequences of a cyber-breach to their shore-based operations. WannaCry proves a potent example of how costly an attack can be. That said, to view the WannaCry losses in terms of “ransoms paid” is a mistake; the losses in terms of business interruption, rectification and reputation will run to many millions of dollars. Clicking on the wrong e-mail attachment could prove to be a very expensive mistake.
For those working within cyber-security, WannaCry came as little surprise. Some estimates already place the global number of victims of cyber-crime as high as 300 million per year. But the reputational damage for companies within shipping could have an even bigger, hidden cost. A pristine track record for timeliness and regulatory compliance could all but evaporate in the event of a severe, public breach. While the costs of this type of damage would be hard to quantify, it adds yet another reason in a long list of reasons to invest in appropriate cyber-security systems and employee protocols.
With regulators currently encouraging self-initiative on the part of companies rather than laying out punitive measures for non-compliance, the onus is on each business to develop its own contingency plans. The extent of such plans will vary from business to business, depending on how it uses, stores and disseminates its data. Every organisation also needs to be alert to relevant regulations governing data protection and cyber-security in their jurisdictions. For example, China has just implemented a new law on data surveillance and storage for all companies operating within the PRC.
Companies should also take steps to ascertain if their insurance coverage extends to cyber breach losses. While insurance provides a financial safety-net – and is no substitute alone for good cyber-security practice – the assurance of assistance in the event of a breach is a comforting element of any contingency plan. Responding to a cyber breach can be costly. In these challenging market times, many ship operators simply do not have the surplus cash to mount an aggressive and effective response. There are insurance products available in the market which provide access to funds for this very purpose.
The best form of defence is a proactive approach to minimising cyber-risk. Directors who ignore the need for appropriate cyber-security systems could be in breach of their fiduciary duty to their companies. Ince & Co is working with the leading cyber-security team at Navigant to offer a cyber health-check, which will assess your IT systems, employee protocols, regulatory and contractual obligations, insurance cover and your cyber-response plan. It is now common for cyber-criminals to remain in your system for up to six months after an initial breach, waiting for the most appropriate moment to strike. It may well be that you are already more at risk than you care to think.
Improving your cyber protection need not be costly. Significant improvements can be made for a modest investment. However, prevention is better than cure and a pro-active, top-down culture of cyber-security is absolutely essential if your business is serious about mitigating the threat of cyber-crime. As shipping embraces the benefits of the cyber-age and digitalisation in all its forms, from ship to shore, it is only prudent to ensure that we also manage the risks.