BIFAlink
Legal Eagle
The scourge of cyber-attacks and the maritime sector
Following further cyber-attacks on the supply chain, the UK government has issued a consultation paper requiring companies above a defined size to comply with appropriate security measures
www.bifa.org
The world’s media continues to highlight the frequency with which cyber-attacks take place on the transport and supply chain. China Ocean Shipping Company (COSCO) had its US office knocked out of action by a ransomware attack in late July this year. COSCO is China’s largest carrier of containerised goods and the fourth largest maritime operator in the world. Its US website, as well as its email and telephone lines, were all reportedly rendered inoperable by the outbreak. COSCO staff were forced to use Twitter and free Yahoo email addresses to handle enquiries.
Recent attacks
Last year, Maersk suffered substantial losses when it was infected by the WannaCry ransomware. The banking sector continues to attract unwanted attention from hackers. Two Canadian banks, the Bank of Montreal and the Imperial Bank of Commerce, announced in May that 90,000 customers had their personal data stolen. In the UK, the chief executive of TSB has just stood down following an IT meltdown in April. That meltdown allowed hackers to access customers’ accounts and withdraw funds.
In the UK, the government has recently put pressure on large companies in the maritime sector by requiring “essential services” to demonstrate that they have implemented appropriate and proportionate cyber security measures. This is a response to the EU Network and Information Security Directive (NIS) which came into force on 6 May 2018. The directive requires essential services to have certain levels of cyber security standards so as to minimise cyber-attacks.
The UK government has issued a consultation paper that requires the companies providing essential services to determine whether they are large enough to come within the threshold size. Commentators have suggested that any harbour authority or port with annual passenger numbers greater than 10 million will fall into that category, as will those operating 15% of the UK’s ro-ro or lo-lo traffic, or 10% of the UK liquid bulk market, or 20% of the UK’s bio-mass fuel market.
The consultation paper also indicates that water transport companies that handle more than 30% of the freight at any UK port, or 5 million tonnes of annual freight through UK ports, will fall within the definition of those providing essential services. Companies that carry 30% of passenger numbers at any individual UK port, and companies with more than 2 million passengers, also need to adhere to the NIS. The list is not exhaustive and the words “water transport company” are not defined.
The new rules cover risk management, asset management and supply chain issues. One of the key features is that there will be a mandatory incident reporting regime. Companies will be exposed to fines if they fail to implement appropriate and proportionate security measures.
There is a range of penalties that can be applied for non-compliance. At the top range of those penalties is the ability to fine a company £17 million, or 4% of its worldwide operating profit, in some circumstances. Although large companies presently come within the definition of essential services, it may well be that in due course middle-size companies are also targeted.
Gaining access
Many cyber attackers can gain access to large companies through smaller companies who may operate less sophisticated cyber software than their bigger counterparts. Although larger companies are being required to show that they have taken sufficient steps to meet the NIS requirements, it seems likely that those companies will be looking to indemnify themselves in the event a hacker gains access to their mainframe via the route of a smaller company.
The impact of a cyber-attack on any company should not be underestimated. From a financial and practical stance, it may well be that all companies in the maritime sector should be taking note of the minimum standards set out in the UK government’s discussion paper.
We are grateful to solicitor Linda Jacques of BIFA Associate Member LA Marine for permission to reprint this article that first appeared in its Logistics and Trade Newsletter
www.lesteraldridge.com
November 2018