Cyber security is a topic often making headlines in the maritime media. The most publicised examples were the NotPetya attack on Maersk in 2017 and the recent Cosco Shipping Lines cyber-attack disruption.
BSM has adopted a positive and pro-active view of cyber security and believes it is an essential part of the business’s digital transformation. Aimed at maximising the return in technology investment made through MariApps Marine Solutions, the maritime applications provider of BSM, the ship manager is fully committed in securing vessel and customer data.
Kyriakos Papapolydorou, MariApps Head of Business Development and Communication, said, “Ensuring secure and safe shipboard operation, as more digitalisation and automation is introduced on vessels, is our primary focus.”
As shipping modernises, becoming heavily reliant on the functionality of software systems and digitalisation can make ship owners highly vulnerable to cyber-attacks.
Dorina Georgiou, BSM Insurance and Claims Manager, mentioned, “Cyber-attacks often expose owners to uninsured loss recoveries. The International Maritime Organisation (IMO) recognises the industry’s operational risks associated with cyber-attacks and in 2021 it will require ship operators to consider cyber risk management as part of the safety management system.”
Dorina further explained how in compliance to IMO regulation MSC.428(98) and in line with BSM’s strategic objectives, the Company has implemented detailed procedures and guidelines for their Information and Technology units.
“Cyber security is in our Safety Management Manual and includes a risk management approach that enables us to identify, evaluate and mitigate risks,” Dorina said.
Owners and operators often become liable with ‘Hull & Machinery, Loss of Hire’ and ‘War Risks’ as they do not normally fall under the traditional marine insurance policies. These incidents arise from cyber risks which do not correspond to marine related perils.
According to the Insurance and Claims expert, by default, almost all policies fall under the ‘Institute Cyber-Attack Exclusion Clause’ (clause 380), which excludes cover for any claims related to cyber risks.
“Protection and Indemnity Insurance (P&I) on the other hand, does not exclude cyber risks, which are within the Club rules. As such, P&I coverage will respond to liabilities arising out of cyber-attacks, if the attack does not constitute as an act of terrorism, a hostile act by or against belligerent power or war risk.
Whether a potential loss arising from a cyber-attack falls within the scope of P&I coverage, will depend on the precise cause of the casualty. The decision lies solely at the discretion of the respective P&I Club and its board,” Dorina advised.
The insurance industry is now offering specialised, high quality solutions or packages on cyber risks that cover losses to own ship, loss of hire (without damage), on-shore business interruption, trade disruption, extortion and ransomware. BSM is currently canvassing the market to obtain the best available terms, not only for the Company, but also for its customers.
BSM’s proactive approach to cyber security is carried on board all vessels. Custom security management systems and controls have been implemented that work in alignment with the Company’s established safety and security management systems.
“Cyber security awareness training to seafarers is offered anytime, anywhere through BSM’s Seafarer Portal and on board through MariApps’ PAL Training module,” said Kyriakos.
BSM’s seafarers must take a test after completing their training to ensure that the material has been fully comprehended and an online certificate is issued upon successful completion, which is entered in the PAL crew training record. Working with MariApps and other leading security partners, BSM takes great effort in securing its offices and vessels use a comprehensive defence in-depth approach.
Multiple layers of protection systems are implemented, such as anti-malware and anti-phishing for PCs, devices and emails, firewalls, intrusion detection, prevention systems, web filtering, multi-factor authentication, threat intelligence and vulnerability management system.
A centralised log management portal has been implemented to report and alert on all kinds of security threats and vulnerabilities, as well as a multi-factor authentication system with a dedicated 24/7 information Security Operations Centre (SOC) team that provides monitoring, analysis, response and remediation actions.
“The development of our security systems is done by using the industry’s best practises and guidance as reference, which for example includes the ISO 27001 and BIMCO guidelines on shipboard cyber security.
BSM ensures that updates are continuously in line with the industry’s requirements and regulations, such as the recently implemented General Data Protection Regulation (GDPR),” added Nicholas Li, MariApps Head of Vessel Systems and Governance.
Part of BSM’s dedication to protecting vessels under its management is to establish and maintain security systems, which are regularly reviewed and verified by external security experts, including vulnerability assessment and penetration tests.
This in combination with its in-house experts ensures that a holistic cyber security approach is firmly maintained throughout the Company.