BA and Marriott penalties highlight rising cyber crime risk
‘While 50% of boards consider they have appropriate cyber risk cover, probably only 10% to 20% actually do,’ says Rory Macfarlane of Ince
As British Airways and Marriott International recently demonstrated, fines for cyber breaches can be eyewatering. Best not to go there, experts argue
BOTH British Airways and Marriott International have recently been the victims of cyber crime, after personal data held by the airline and the hotel chain were compromised by hackers.
But that didn’t win them much sympathy from Britain’s data watchdog, the Information Commissioner’s Office, which fined them the eyewatering sums of £183m ($225m) and £99m respectively for their failure to meet the stipulations of the EU’s General Data Protection Regulation.
There, but for the grace of God, goes any company nowadays. If you are a shipping company anywhere in the world doing business in the European Economic Area, hire EEA national employees or carry EEA national passengers, then your business too is almost certainly a ‘controller of personal data’ within the meaning of GDPR.
If shipping executives want to avoid the prospect of their company being fined as much as 4% of their annual turnover — and that’s what GDPR provides for — they would be well advised to invest the time and money needed to ensure compliance.
And if that prospect does not keep shipping executives awake at night, remember that data breaches are not the only thing companies have to worry about. Malevolent hackers have multiple means of causing mayhem, ranging from computer hacks to launching distributed denial of service attacks to demand ransom payouts.
The years 2017 and 2018 alone saw a cyber attack on Maersk, which left the Danish shipping giant nursing a $300m hit; the hacking of more than 20 ships in the Black Sea, causing their GPS systems to give incorrect location readings; the hacking of a tanker’s electronic chart display, which stopped the supply of power to its propeller; and cyber attacks at the ports of San Diego and Barcelona and the Cosco terminal at the port of Long Beach.
As BA and Marriott found to their cost, just because a company is a victim, it does not mean that it is not going to be penalised if the worst comes to the worst.
“The fact that a casualty has been caused by hacking would not give an owner an excuse or defence if its ship collides with another one at sea, particularly where ship systems are expected to be secure,” noted Evangelos Catsambas, a dispute resolution specialist at the Athens office of law firm WFW.
Hacking of a vessel’s electronic chart display system may also make it unseaworthy, as highlighted by the recent English High Court decision in CMA CGM Libra.
The High Court found that incorrect charts or passage planning causing a casualty would make the ship unseaworthy and preclude the owner from obtaining a general average contribution from the cargo owners.
Moreover, while an owner would normally rely on data stored by a voyage data recorder after an incident at sea, these can also be hacked.
Luckily, there are practical means of protecting yourself. In particular, access to the expertise needed to identify and close cyber breaches, and to take appropriate recovery action, will minimise financial and reputational impact.
Let’s begin with GDPR. The need to demonstrate compliance is arguably as important as compliance itself, according to experts.
A good starting point is to undertake a full audit of what data you hold, why you have it, where it is stored, whether you still need to have it, and how you are going to protect it.
Consideration should be given to appointing a data protection officer, usually known as a DPO, to draft and implement policies to deal with subject access requests and reporting requirements, according to Ince partner Rory Macfarlane.
“Privacy policies will need to be updated from time to time, and the DPO should review and amend contracts with data processors to ensure they comply with GDPR requirements,” he added.
If a data breach is experienced, shipping companies should avoid the temptation to try to cover things up, argues Jeremy Robinson, a WFW partner specialising in regulation and competition.
“If an incident occurs, shipowners have obligations to notify the data protection authorities without undue delay and, where feasible, within 72 hours after becoming aware of it.”
Given the level of cyber crime targeting our industry nowadays, insurance cover against cyber risk has probably reached the point where it should be considered a must-have rather than an optional extra.
It does not indemnify companies against GDPR penalties, of course. But it could help limit the bill in other contingencies.
Even so, insurance is best regarded as one part of appropriate cyber risk management, not as an alternative to it, Mr Macfarlane advised.
“While 50% of boards consider they have appropriate cyber risk cover, probably only 10-20% actually do,” he said.
Knowing precisely what perils you are insured for, and which perils fall outside your terms of cover, is important.
Standalone cyber risk insurance and traditional property insurance policies can differ widely in their cover.
When dealing with a cyber security breach, the last thing a company wants is ambiguity in policy wording and uncertainty as to the extent, or existence, of cover.
Many bespoke cyber risk policies will provide an assured party — or policy holder — with access to funds in the event of a cyber-breach incident.
“In my opinion, you cannot overstate the value of this,” Mr Macfarlane concluded.
“The costs of implementing a cyber-breach response plan are usually significant. Most owners in this market will not have adequate funds sitting idle in their account.”