Taking Cyber Risks Seriously
Once, the stars were all that mariners needed to navigate the seas. Today, maritime companies rely on hi-tech systems to operate and navigate equally hi-tech vessels. All of that comes with new and significant risks.
On one side, automation has its benefits, especially as crews grew smaller and ships got bigger. On the flip side, however, marine technology, like most other technology, comes with its own risks. Today’s technologies often require Internet connectivity to function properly. A recent study by Boston-based security company Rapid7 found more than 100,000 devices – from traffic signal equipment to oil and gas monitors – were connected to the Internet using serial ports with inadequate security leaving them vulnerable to breaches or hacking.
Hackers seek and exploit weaknesses in computer systems and networks. They may be motivated by a variety of reasons, such as profit, protest, challenge or just the sport of it. Like most businesses, maritime companies can show weaknesses in their computer systems and networks that many hackers would just love to exploit.
Risk on the Water
Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again. Last October, Tokyo-based cloud security firm Trend Micro Inc. said it discovered flaws in ships’ mandated automated identification systems, installed in an estimated 400,000 vessels, that can let attackers hijack communications of vessels and even create fake vessels. In another well-publicized incident, researchers at Texas A&M University last year “fooled” an $80 million yacht off the coast of Italy as to its location by manipulating its GPS.
In the maritime industry, the number of known cases is low as attacks often remain invisible to the company, or businesses don’t want to report them for fear of alarming investors, regulators or insurers. But while it might be fun and games for hackers, a hacking incident can have significant and costly consequences for vessels and their owners. For the marine industry, areas of vulnerability include:
Company information: Breaches in computer networks can pose a threat to financial, customer, employee and other proprietary data, putting it in the wrong hands. Hackers can take down a website and totally interrupt a company’s online operation. Like most companies, maritime companies stores customer and employee information on computer systems. For one, consider cruise lines who maintain databases of their loyalty customers, in addition to the more than 300,000 people they employ. By law in the US, any breach of data that is deemed Personally Identifiable Information (PII) must be reported. PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. When a breach occurs, most states mandate that companies notify those affected and oftentimes, companies incur costs to provide credit monitoring services.
Ships: In another study, security firm Rapid7 was able to collect information from 34,000 vessels around the world using their automatic identification system (AIS) receiver. Using this information they were able to identify and track individual ships, GPS coordinates and outgoing communications from every vessel involved, which included 29 law-enforcement vessels and 27 military ships. Somali pirates help choose their targets by viewing navigational data online, prompting ships to either turn off their navigational devices, or fake the data so it looks like they’re somewhere else. That doesn’t mean that others are watching in other parts of the world.
Ports: Hackers infiltrated computers connected to the Belgian port of Antwerp, located specific containers, made off with their smuggled drugs and deleted the records. A study last year by the Brookings Institution of six U.S. ports found that only one had conducted an assessment of how vulnerable it was to a cyber-attack, and none had developed a plan to response to an attack. Of some $2.6 billion allocated to a federal program to strengthen port security, less than 1 percent had been awarded for cyber security projects.
Insuring Cyber Risks
Insurance can play a key role as companies search for better ways to manage and reduce their potential financial losses from cyber-attacks. It’s important to know that most traditional insurance products such as property and general liability do not cover claims stemming from cyber events (such as hacking). And, to avoid future coverage disputes, more policies are incorporating “exclusions” to clarify that cyber protection is not offered by the policy. The Lloyds of London have already incorporated an Institute Cyber Attack Exclusion Clause (CL 380) into most of the marine policies they issue.
Why? It’s not that insurers are refusing to offer coverage for this business risks. It’s just that these new and emerging technology risks need to be addressed differently than other business risks. Hence, a whole new cyber liability insurance market is developing quickly to do so.
Currently, available cyber liability insurance focuses on two types of risk: first-party and third-party risks. Available first-party coverage includes loss of business income resulting from a data breach, the cost of repairing and restoring computer systems if there is a virus that destroys business software and data, costs associated with forensic analysis and crisis management to respond to a data breach incident. First-party coverage reimburses the insured for the costs of notifying the individuals whose information was or may have been breached. Some of these policies will even cover the cost of setting up ID theft monitoring services for the potential victims.
Third-party risks such as data breach incidents result from unauthorized access to information or personally identifiable non-public information like bank account numbers, credit card numbers or Social Security numbers. Third-party insurance covers the financial damages an identity-theft victim might incur from the breach.
In purchasing cyber insurance, it’s important to remember that there are no off-the-shelf cyber liability policies. Each policy is tailored to meet the specific needs of individual clients. Insurers have extended their coverages to include a wide range of cyberliabilty coverage under one policy form, including network security liability, media content liability, privacy liability, extortion threat, business interruption, credit monitoring, privacy notification costs, and regulatory fines. Some cyber liability policies will cover social media risks, crisis management, and data restoration. Coverage can include direct and indirect costs associated with a breach, ranging from breach notice costs to damages and defense costs.
Cyber liability coverage has greatly evolved since the first products were introduced to the market in the late 90’s, and is still evolving. Insurers are working hard to keep pace with new technologies and the risks that accompany them. There is growing concerns about physical damage that cyber-attacks could potentially cause. Additionally, insurers are looking to see how cyber coverage can help protect intellectual property losses and reputational damage. The cyber liability risks of today will be markedly different tomorrow and so, too, will available insurance coverage.
While a growing cyber insurance market is available to provide coverage, still a company’s first line of protection is its own risk management efforts. Companies need to recognize that they have tremendous potential risk and need to invest in practices and protocols that can boost their online security. Many insurers work with outside security vendors to provide their clients with access to pre-qualified services such as network assessment analyses that is customized to meet a company’s specific needs and budget. These services test a company’s vulnerability to breaches.
Employees play a significant role in staving off cyber risks. It’s important to educate and continuously remind employees of, not only their vulnerability to cyber breaches, but the companies. One lost company laptop can wreak havoc therefore, companies are wise to:
- Train employees and contractors to understand their responsibility in the protection of data assets.
- Ensure that mobile devices are encrypted and that employees understand the organizations’ policies with respect to downloading sensitive information and working remotely.
- Make employees aware of the precautions that should be taken when traveling with laptops, PDAs and other data bearing devices.
In the whole scheme of things, cyber insurance policies and an investment in more proactive cyber security may be very inexpensive when compared to the potentially enormous costs associated with any kind of data breach. As world commerce becomes ever more global and interconnected and dependent on technology, protecting physical assets, information and privacy is going to be a bigger risk management priority for all industries.
(As published in the October 2014 edition of Marine News - http://magazines.marinelink.com/Magazines/MaritimeNews)