The British Airways IT collapse at the weekend has served as a timely reminder that too much interconnection can have a domino effect when something goes wrong. In Marsh’s just released report on “The Changing Tide of Risk”, Marsh and MMC Company Brink provided an up-to-date analysis of the risk of disruption caused by interconnected systems.
The article noted that, while the marine industry’s use of interconnected systems had brought greater efficiency, cost savings and systems monitoring, there was also a potential downside. Marsh and Brink said that “significant weaknesses have been identified in the cyber security of critical technology used for the operation of modern commercial cargo vessels”. The authors noted that global positioning systems (GPS), automatic identification systems (AIS), and electronic chart displays and information systems (ECDIS) were all “essential aids to navigation in today’s modern ships”. However, they noted that each of these had been identified as potentially vulnerable to a cyber-attack.
A 2016 maritime cyber security survey conducted by BIMCO and IHS Markit found that GPS and ECDIS were the most vulnerable. The previously mentioned cyber security survey of last year found that the vast majority of companies that had been cyber-attacked were hit by malware, phishing, and theft of credentials.
Marsh and Brink noted that this illustrated a trend “in which cyber criminals are looking to gain access to corporate data and IT system functionality, as opposed to shipborne systems and functionality. They also warned that cyber criminals appeared to be learning about the weaknesses of today’s technology more quickly than their targets.
Marsh and Brink noted that marine insurers and reinsurers were increasingly reducing their dependence on the blanket Cyber Exclusion Clause (CL 380), choosing instead to ask more searching questions about the cyber security systems in place within individual companies. “Cyber response plans are increasingly becoming part of the overall marine risk review and analysis, and marine risk engineers are increasingly looking at clients’ abilities to detect cyber abnormalities and threats, incident response capabilities, and past breaches or near misses, so that engineers can incorporate specific recommendations into cyber response plans in overall risk mitigation”, the authors concluded.