From 1 January 2021, cyber security will come under the remit of the International Safety Management System (ISM) Code, supported by the IMO Resolution MSC.428(98), requiring shipowners and managers to assess cyber risk and implement relevant measures. With new technology, more autonomy and greater connectivity all contributing to greater cyber risk, experts at Lloyd’s Register and Nettitude addressed the need for superyacht owners and managers to take a proactive approach during an interactive webinar last month.
Even before the COVID-19 outbreak, the frequency of known attacks in the maritime sector had risen by more than 40% in just one year, according to an early 2020 survey by BIMCO and Safety at Sea. However, since the start of the pandemic, cyber-crime generally has increased by more than 400%, according to some estimates.
More opportunities for attack
In both information technology (IT) and operational technology (OT), the risk curve is rising as criminals see more opportunities for attack, de Boer warned. This poses a growing threat to owners and managers, superyacht crews, guests and shoreside facilities including harbours and service providers.
Engel conceded that privacy is a key feature in a sector that is made up of the rich and famous. But, he said, more information exchange – perhaps on a confidential platform – would be helpful in tackling both the incidence and severity of superyacht cyber-crime. The cost of inaction is high, he warned, with risks including espionage, reputation damage, invasion of privacy, vessel and personnel safety, hijacking, ransom and, in the very worst case, assassination.
From the beginning of 2021, commercial vessels of more than 500 gross tons will have to comply with new IMO requirements. A vessel’s cyber security resilience will now become necessary as part of the ISM Code, requiring shipboard cyber arrangements to be included in vessels’ safety management systems, with valid Documents of Compliance to be carried on board.
However, de Boer also pointed out that the IMO’s new regulations are not the only ones of which those involved in the sector need to be aware. Other authorities, including the US Coast Guard, are also stepping up requirements.
Hackers don’t check
And, de Boer said, the fact that the IMO’s cut-off point is 500 gross tons should not let owners of smaller superyachts off the hook. A hacker doesn’t check on the size of the vessel before he attacks; he is an opportunist looking for the best available chance.
Brendan O’Shannassy is a superyacht captain for Isle of Man-based Döhle Yachts. He compared the risk of cyber-attack to COVID-19. “We never thought about a biological virus until its arrival,” he said. The risk of cyber-attack is very similar … it doesn’t matter much until it happens to you.
Superyacht captains and their crews have plenty on their plates already, O’Shannassy said. What they want most is to feel confident that appropriate risk management systems are in place across vessel operations and communications, guest connectivity, use of devices, and entertainment.
“I’m speaking as an end user,” O’Shannassy declared. “Twenty years ago, we were talking about physical attack. Now it’s cyber-attack.”
Proactive approach
From a practical point of view, Nettitude specialists Joe Donohue, Senior Information Security Expert, and Lukasz Michalski, Senior Security Expert, explained what owners and managers should do to prepare for the new requirements. An IMO Readiness Assessment is a good place to start, Donohue said, providing the basis for a cyber risk plan “in weeks”.
LR has a series of guidelines in place, formalised in the LR Cyber Security ShipRight Procedures, for example. And Nettitude has developed a remote process, he revealed, enabling owners and managers to provide relevant information by questionnaire, at least for part of the process.
Responding to a question on outsourcing of the cyber security process, Michalski replied that this could save money but introduced another layer of risk. Third parties would have to be thoroughly vetted, he said, and their access to systems would have to be secure. And he added that some vessel service providers preferred to have ‘always-on’ connectivity arrangements; however, this was not always necessary and should be assessed.
One webinar participant asked for the experts’ views on compliance versus risk-based systems. Donohue summed up by saying that compliance usually means being able to handle risks that were already evident, and sometimes at only a level sufficient to meet regulations. A risk-based strategy, on the other hand, would provide a more proactive approach, exceeding minimum requirements, as he believes is now necessary, with a rapidly diversifying range of risks to cover.
Finally, a wake-up call for those hoping to sail under the radar, particularly owners and operators of vessels under 500 gross tons, exempt from the January regulations. They should examine their vessel insurance policies closely.
New cyber risk clauses introduced by underwriters require that cyber security systems must be in place and seen to be operating effectively. Owners and managers can no longer merely pay lip service … if there is no effective system in place, then insurance policies are invalidated.
LR has a 42% share of the 5,570-strong superyacht market and is classing close to half of the vessels on order, as measured in gross tonnage.