At a glance
- While hacking is of course an important source of cyber risk, it is worth noting that the majority of cyber incidents reported to insurers are the result of accidental acts or omissions
- It could be argued that the relatively low public profile of most marine businesses means they are less likely to be the subject of a cyber-attack
- The recent case of MSC Mediterranean Shipping Company S.A. -v- Glencore International AG  EWCA Civ 365 highlights the emerging cyber risks in traditional marine cargo practices
There is a tendency to treat cyber risk as being synonymous with malicious hacking.
While hacking is of course an important source of cyber risk, it is worth noting that the majority of cyber incidents reported to insurers are the result of accidental acts or omissions.
In a marine cargo context, a good example might be where a crew member connects their mobile phone to the bridge in order to charge it, and a loss may occur as a result of a virus (unknown to the crew member), spreading from the mobile phone to the bridge computer system.
It could be argued that the relatively low public profile of most marine businesses means they are less likely to be the subject of a cyber-attack. Nevertheless, the threat is real and the result of a successful attack could be catastrophic.
For example, the lack of any inbuilt encryption or authentication code in the critical systems used for navigation (GPS, AIS, ECDIS) means that shipping is likely to be seen as a soft target – that perception could be enough to provoke an attack. For example an MIT study showed that, for less than US$2,000, it is possible to compromise a ship’s ability to accurately detect other vessels, emit false location information to other AIS users, and stage fake emergencies.
These risks have even been depicted in the popular TV drama McMafia, where a criminal gang recruit hackers to access a port’s database containing the location and security details of every container in the port, in order that valuable cargo can be intercepted before its true owners arrive at the port to collect their goods.
The recent case of MSC Mediterranean Shipping Company S.A. -v- Glencore International AG  EWCA Civ 365 highlights the emerging cyber risks in traditional marine cargo practices.
The case concerned the shipment of cargo by MSC on behalf of the cargo owners and bill of lading holders, Glencore. In the previous 18 months Glencore had made 69 shipments of the same cargo, using MSC as carrier. During the 70th shipment, at the port of discharge, the receiver’s haulier discovered two of the three containers were missing.
In this case it was discovered that ‘unauthorised persons’ had already collected the ‘missing cargo’, illicitly using the release pin code to collect the containers. Such pin codes form part of an electronic release system (ERS), which replaced delivery orders and release notes previously presented to collect goods at this port of discharge.
The pin codes are sent by email, and demonstrate the potential pitfalls of an organisation adopting new technologies within its day-to-day operations, without perhaps considering the full extent of the security or legal implications of doing so.
In this case the Court of Appeal considered the point at which delivery of goods had occurred and whether or not an electronic release system and the subsequent release of a pin code to the receiver’s agents amounted to effective delivery.
It is natural for companies to focus their resources on technological innovation, and the effective deployment of these advances to improve profit margins. Indeed the pace of change in the world today is the fastest it’s ever been and the slowest it will ever be. However technology is outpacing the methods and processes within cargo transport, which are somewhat traditional and outdated.
It is therefore important to consider the implications of new technologies, and the associated risks they present. Perhaps industry players need to lend a greater focus towards mitigating technological risks through improved industry methods and practices.
This article was published as part of our Spring 2018 Claims Quarterly Journal.
For more information, please speak with your local Zurich contact.