In response to recent cyber-attack incidents, which have cost a number of major shipping companies millions, BIMCO has developed and drafted a new cyber security clause.
The clause is designed to address situations where a party is struck by a cyber security incident and that incident affects the party’s ability to perform its contractual obligations. BIMCO said that it was drafted so that it can be easily incorporated into a wide range of contracts, as a means of allocating cyber security related responsibilities, liabilities and obligations for contractual performance.
BIMCO Cyber Security Clause 2019
In this clause the following terms shall mean:
‘Cyber security incident’ is the loss or unauthorised destruction, alteration, disclosure of, access to, or control of a Digital Environment.
‘Cyber security’ is technologies, processes, procedures and controls that are designed to protect digital environments from cyber security incidents.
‘Digital environment’ is information technology systems, operational technology systems, networks, internet-enabled applications or devices and the data contained within such systems.
(a) Each party shall:
(i) implement appropriate cyber security measures and systems and otherwise use reasonable endeavours to maintain its cyber security
(ii) have in place appropriate plans and procedures to allow it to respond efficiently and effectively to a cyber security incident
(iii) regularly review its cyber security arrangements to verify its application in practice and maintain and keep records evidencing the same.
(b) Each party shall use reasonable endeavours to ensure that any third party providing services on its behalf in connection with this contract complies with the terms of subclause (a)(i)-(iii).
(c) If a party becomes aware of a cyber security incident which affects or is likely to affect either party’s cyber security, it shall promptly notify the other party.
(i) If the cyber security incident is within the digital environment of one of the parties, that party shall:
– promptly take all steps reasonably necessary to mitigate and/or resolve the cyber security incident
– as soon as reasonably practicable, but no later than 12 hours after the original notification, provide the other party with details of how it may be contacted and any information it may have which may assist the other party in mitigating and/or preventing any effects of the cyber security incident.
(ii) Each party shall share with the other party any information that subsequently becomes available to it which may assist the other party in mitigating and/or preventing any effects of the cyber security incident.
(d) Each party’s liability for a breach or series of breaches of this clause shall never exceed a total of USD ______ (or if left blank, USD 100,000), unless same is proved to have resulted solely from the gross negligence or wilful misconduct of such party.