Lloyd's List is part of Maritime Intelligence

This site is operated by a business or businesses owned by Maritime Insights & Intelligence Limited, registered in England and Wales with company number 13831625 and address c/o Hackwood Secretaries Limited, One Silk Street, London EC2Y 8HQ, United Kingdom. Lloyd’s List Intelligence is a trading name of Maritime Insights & Intelligence Limited. Lloyd’s is the registered trademark of the Society Incorporated by the Lloyd’s Act 1871 by the name of Lloyd’s.


Transparency is key to effective crisis management

Cyber security has come under the spotlight following two recent attacks. How organisations communicate after incidents is as important as how they handle data security.

Shipping companies must become more open when dealing with crises if they are to keep the confidence of their customers.

WHOEVER said worse things happen at sea wasn’t working in the IT departments of CMA CGM or the International Maritime Organization this week.

The world’s fourth-largest container carrier became the world’s fourth large container carrier to suffer a malware attack that took down critical systems and led to a suspected breach and theft of data.

That was followed by a statement from the IMO saying it had also had to take down its website following a cyber attack.

Lloyd’s List has every sympathy for both organisations. Since Maersk was first hit by the NotPetya attack in 2017, it has become painfully apparent that shipping is not immune to attacks.

It is even more poignant in that CMA CGM is generally regarded as being very on the ball when it comes to digitalisation, and has invested heavily in digital start-ups at its Marseilles-based start-up incubator.

Being digital means being at risk, and even the best practices will not always be enough to secure a company. As security specialists know, an attacker only needs to get lucky once, while a defender has to be lucky every time.

This time, CMA CGM and the IMO were unlucky.

But while attacks and penetrations may be facts of life that are out of a company’s hands, the response to those attacks is solely in the domain of the company.

One thing that is crucial when faced with a crisis like this is having an effective communication plan in place. The IMO has handled this relatively well, but CMA CGM has done itself a disservice.

The company’s initial response was to deny that it had been targeted. It was not until Lloyd’s List presented it with a copy of the ransom note that it admitted the attack.

It then went quiet for more than 24 hours, with no information available on either the one functioning website it had, or on social media.

This may be considered as a minor problem for reporters, but it was not just journalists that could not get information from the line. Its customers, too, were sailing through uncharted waters.

One large customer spoken to by Lloyd’s List could not get a response from his key account manager in Marseille. Another said he had no idea what was going on. Tellingly, another, when asked about the situation he was facing with the line, simply said: “F**king CMA CGM.”

The IMO, on the other hand, has been quick to update its Twitter account, following the same pattern as that used by Maersk, when it turned to social media to keep its customers informed of what was happening while its network was down.

Much of this problem can be attributed to a trend towards media management by companies sensitive to their reputations.

Shipping has hired public relations companies and executives not to shine light on their businesses, but to keep them in the shadows. Many in-house PR specialists seem to only be employed to say “no comment” on behalf of their masters.

But in today’s world, this is not an option. Facts will emerge. Under the EU General Data Protection Regulation, if personal information is lost, stolen or made inaccessible, regulators must be informed.

Shipping companies would be better to follow the lead of Maersk and the IMO, and get out ahead of the story.

Claiming an external attack is an internal server problem misleads customers. In the long run, it is better to be the transparent victim of a hack than win a reputation as an opaque company.
