Cybersecurity: A sea of change ahead
In the maritime industry, the numbers are even more shocking. With the industry accounting for over 80% of global trade, a 400% increase in cyberattacks in 2022 compared to 2020 is a clear sign that the already vulnerable supply chain is at risk. In the past couple of years, the world has experienced supply chain bottlenecks, one example being the Ever Given Suez Canal incident. Recently, it has been assessed that such an event is extremely likely to happen again due to hackers using GPS spoofing systems. Another prominent example of the damage cyber incidents can cause is the 2017 Maersk attack, which impacted 76 ports and 800 vessels. This attack seriously affected oil production and tankers and left employees in the dark with no access to their computers. Such incidents lead to delays within the supply chain, companies not being able to honour contract terms, crews being at risk and more, all of which result in reputational damage for fleet operators and further supply chain strain.
Although insurance has a big part to play in companies’ risk strategies and has, in some cases, been detrimental to the continued existence of businesses, it remains a necessity for the aftermath of an attack. The most efficient solution to cyberattacks is preparedness, both from a security and insurance standpoint. It has been proven time and time again that companies that have appropriate defence against cyberattacks and mitigation processes in place are less likely to see their stock prices plummet due to regulatory action and litigation or to incur reputational damage.
In the case of insurance, there are many intricacies businesses must take into account when insuring a vessel. Firstly, a vessel needs to be considered sea-worthy, which can mean anything from proving compliance with current IMO standards, to the crew having appropriate cybersecurity training. One must also consider that there are certain terms and clauses that may eliminate coverage, such as when a cyber incident is considered an act of war or terrorism. In the past few years, we have also seen insurers rightly imposing more penal terms on companies which are not properly prepared for cyberattacks: fees that can further damage a company’s ability to recover after an attack.
It is quite clear that insurance and cybersecurity are intertwined and should not be seen as independent of each other. Both the maritime and insurance worlds need embedded security solutions to determine the possible risks and adequately defend against them. At present, insurance providers are able to consult risk models based on different data points, but to be able to properly assess risk on an individual basis there is a need to stress test all IT and OT on board a vessel as well as onshore technology. On the other hand, the companies seeking insurance are required to uphold a certain level of cybersecurity and adherence to regulations for policies to be valid, which is possible with an embedded solution.
Having a cybersecurity solution is also about more than making sure the company is insurance-ready. When a vessel is attacked, be it through its network, OT or IT, or GPS spoofing, there is a real possibility of losing the vessel, of it being pushed into foreign waters of hostile countries with the crew put at risk, of oil spills from tankers, or of the vessel infecting the entire fleet as well as ports. With adequate security these can be avoided and mitigated in due time, meaning the company does not suffer immediate losses or, even worse, reputational damage that can result in ongoing losses.
To be clear, when we talk about an adequate cybersecurity solution, either for the fleet or insurance companies, we are referring to real-time capabilities. Yearly monitoring is not appropriate, especially if the goal is to proactively defend against attacks and not just blindly react. Cyberattacks of any kind happen instantaneously and can have dire repercussions on the supply chain, environment and insurance providers, with the latter seeing increasing loss ratios. For the insurance industry to be able to determine the full scope of risk, it needs to engage with a real-time security solution that can scan and help determine these risks continuously.
“The ingredients for a more mature cyber market are now in place,” says Shay Simkin, Global Head of Cyber at Howden. “Hardened cyber defences have left companies less vulnerable to prolonged disruption in the event of an attack or breach. There is unlikely to be any let up in insurers’ probing of cyber security any time soon. The risk transfer sector has been an important enabler of resilience by working with companies to adopt better risk postures in order to access insurance capacity.”
For fleet operators, reputational damage is one of the top problems when dealing with cyberattacks, and for good reason. Clients need to trust suppliers, especially since they have contracts to honour that depend on freight reliability. If a maritime company is inadequately prepared, its stock tumbles, clients question future partnerships, and it can end up having to pay large amounts of ransom for data that could put operations in jeopardy. Some very big brands are now choosing to charter their own fleets due to a lack of trust in operations after port congestion and the Ever Given incident, giving them increased control over their supply chain. Coca-Cola and Ikea are notably some of the largest to announce these plans and, looking forward, we expect to see more brands taking matters into their own hands due to lack of faith in the industry.
Source: By Nir Ayalon, CEO and co-founder of Cydome