News and insights

INTRODUCTION.

The maritime sector continuously strives to increase digitalisation of maritime operations and increase connectivity offshore to improve vessel safety and operational capabilities.

Increased technological advancements come with a heightened risk of cyber-attacks. Breach of corporate security can result in costly data recovery, loss of crucial data and legal consequences, all of which may be business limiting. Cyber security awareness in the maritime sector is therefore essential.

According to BlackBerry CyberSecurity, the maritime industry is 10-15 years behind the rest of the world in cyber security awareness.[1] The challenge of cyber awareness in the maritime sector is due to the maritime sector having two networks – offshore and onshore. Both networks are complex in their own ways and have different rates of development.

Most cyber-attacks in the maritime industry have traditionally targeted onshore systems. Yet, individual vessels may also find themselves a target of isolated cyber security incidents. GPS jamming and spoofing, manipulation of cargo handling systems to facilitate stealing of a high value cargo are only few threats. However, human error is still considered the largest cause of offshore incidents – 80% of overall cyber incidents, according to Allianz Insurance.[2]

This article considers the legal implications of cyber security onboard.

SEAWORTHINESS 

Crew Competence. 

In The Eurasian Dream, the vessel was unseaworthy because of insufficient equipment for fire hazards, but also because the crew lacked competence around fire safety onboard. [3] It is likely that a court may apply the reasoning from The Eurasian Dream to cyber security breaches. Specifically, a vessel may be unseaworthy where a vessel lacks sufficient cyber security implementations, and a crew lacks sufficient cyber security training if a prudent owner would be deemed unreasonable in deploying the ship with defective cyber security training.

IMO and cyber security. 

When considering seaworthiness, it is important to refer to guidelines and policies from international maritime organisations, especially the IMO and its recent resolution MSC.428(98).[4]

The resolution aims to raise cyber security awareness in the maritime sector and lists approved management systems in one place in accordance with requirements of the International Safety Management Code (“ISM”). Resolution MSC.428(98) also identifies a cyber-attack as a threat that must be treated in the same way as any physical threat affecting a vessel.

BIMCO developed the Standard Cyber Security Clause 2019 for incorporation into contracts to address the introduction of new cybersecurity measures.[5]

BIMCO CYBERSECURITY CLAUSE 2019.

The clause can be incorporated into maritime contracts to allocate cyber security related responsibilities, obligations, and liabilities for contractual performance. The clause carries out three important functions:

• It raises awareness of cyber security risks;
• It provides a mechanism to help parties to minimise the risks of cyber incidents and prevent incidents from happening in the first place; and
• Where a cyber incident occurs, the clause encourages the parties collaborate to mitigate and resolve the effects of a cyber incident in the aftermath of an incident.

Points to consider.

Parties who incorporate the clause into their contracts should be aware of the following obligations:

• Both parties should implement appropriate Cyber Security measures and systems. The level of “appropriate” cyber security measures will vary depending on what part of the maritime sector the parties operate in.
• If one party encounters a cyber-security incident, it is under an obligation to notify the other party and disclose any information that may help to mitigate or prevent the effects of the incident.
• The party under a cyber-attack must act immediately. The sub-clause obligates the party to act where the incident happened within a “digital environment” which BIMCO defines very broadly to encompass the diversity of the fields in the maritime sector.
• In case a party fails in their obligations under the clause, subsection (d) limits the party’s liability up to US$100,000.

The following limitation of liability may conflict with the shipowner’s liability under the Hague or Hague-Visby Rules. There is currently no direct case law addressing the interaction between traditional common law principles of seaworthiness and the new BIMCO Cyber security clause.

REQUIRED CYBER SECURITY STANDARDS. 

It is essential for shipowners to take active steps in assessing the sufficiency of cyber security implementations onboard their ships. BIMCO’s “Cyber Security Workbook for On Boad Ship Use” (the “Workbook”) is a useful tool to assist shipowners implementing cybersecurity measures onboard their vessels.[6]

CONCLUSION 

Digitalisation of the maritime sector carries higher risks of cyber incidents onshore and offshore. The consequences of cyber incidents are business-limiting and can even carry a legal liability. It is important to consider guidelines and policies from the international maritime organisations such as IMO’s Resolution MSC.428(98) and BIMCO’s Standard Cyber Security Clause 2019. It is unclear at this time how seaworthiness obligations and the BIMCO Cyber Security clause will interact. However, shipowners should be aware of both legal concepts and take active steps to implement sufficient cyber security measures. Checklists from BIMCO Cybersecurity Workbook offer a useful starting point when implementing cyber security goals.

[1] Lloyd’s List Daily Briefing 04.04.24 accessed 04.04.24

[2] ibid

[3] Apera Traders Co Ltd and Others v Hyundai Merchant Marine Co Ltd and another (The "Eurasian Dream") [2002] 2 Lloyd's Rep. 692, [2002] EWHC 118 (Comm)

[4] MSC, Resolution MSC.428(98) < MSC 428 98 (imo.org)> accessed 20.03.24

[5] BIMCO, Cyber Security Clause <https://www.bimco.org/contracts-and-clauses/bimco-clauses/current/cyber-security-clause-2019> accessed 22.03.24

[6] BIMCO, Cyber Security Workbook for On Boad Ship Use (4^th edn, Witherby Publishing Group Ltd 2023)