CYBER THREATS LEGAL IMPLICATIONS FOR THE SHIPPING INDUSTRY
DOHA - DECEMBER 2014
Elinor Dautlich, Partner
T: +44 207 264 8493
elinor.dautlich@hfw.com

Our clients' sectors
Cyber risks
Intrusion by sector
Most Common Causes of Data Breach
Distribution of Ponemon 2013 benchmark sample by root cause of data breach

Cost elements included in many breaches
Factors included in calculation of financial losses from security breaches
Average cost for crisis services: US$983,000 per event

Analysing Cyber Risk
- Identifying and locating the relevant "data" held and processed
- Applicable laws
- Identifying the risks to the business
- Scenario planning: what happens in the event of a significant breach
- Insurance solutions to match risk appetite and risk transfer needs

EU legal approach to data protection
- Directive 95/46/EC of 24 October 1995 (Data Protection Directive)
- Directive 2002/58/EC of 12 July 2002 (ePrivacy Directive)
- January 2012: EC proposal for new "General Data Protection Regulation"

Ship Owner's Risk
- Navigational interference
- Loss of business secrets
- Damage to reputation
- Liability to third parties
- Operational interference
- Breach of contract
- Litigation
- Security breach
- Investigation
- Delay
- Breach of law
- Theft of cargo
- Sanction
- Misdeclared cargo / illegal cargo
- Misdelivered cargo
- Arrest of crew
- Detention of ships
- Stowaways
- Loss of personal data

Valuing the risks
- Hague Visby Rules Art III 1.(a) "...exercise due diligence to make the ship seaworthy"
- No specific case law YET
- Deviation from course
- Tracking by AIS
- Theft of information
- Theft of cargo
- Electronic bills of lading
- Loss of business / reputation
- Destruction of vessel/property
- Agents and subcontractors

Reliance on ship managers
- Agency relationship
- BIMCO's ShipMan
- No liability to Owners for any loss, whether direct or indirect (including loss of profit in connection with detention or delay of the Vessel) arising in the course of performance of the Management Services UNLESS resulting solely from negligence or wilful default, when liability shall never exceed 10 x annual management fee (save where loss resulted from Managers' personal act, with intent or recklessness, and knowledge loss would probably result)
- Himalaya clause protection?
- Ship owner's contractual undertakings - extend to its ship managers?

Industry Response
- Aviation industry unilaterally developing best management practice
- Extractives industry
- Shipping industry
  - little shipping-industry-specific guidance available at this time
  - low appetite for further regulation
  - response along the lines of Best Management Practice (BMP4)?

Some EU / UK principles for cyber security
- EU Cyber Security Strategy (2013)
- UK's National Strategy for Maritime Security (May 2014)
- NATO's Combined Joint Operations from the Sea Centre of Excellence (CJOS COE) 2014 conference
- IMO: Canada's presentation to the IMO facilitation committee: "Measures toward Enhancing Maritime Cyber Security" (2014)
- UK Chamber of Shipping's publication: "Master's Guide to Cyber Security" (2014)

Corporate Governance of Cyber Threat
C suite obligations to protect data and IP assets
- Directors obliged to promote success, including:
  - long term consequences of a decision
  - interests of employees
  - fostering business relationships with suppliers, customers and others
- Statutory duty to the company to exercise skill, care and diligence
- Obligation to take appropriate technical and organisational security measures
- Personal liability for negligent breach
- Determine risk appetite and risk transfer needs

10/11/03
CL 380
INSTITUTE CYBER ATTACK EXCLUSION CLAUSE

1.1 Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system.

1.2 Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software programme or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.

Insurance: the Endorsement
- Cyber Endorsement
- Marine Cover

Insurance: the Holistic Approach
Insuring a shipping business
- General Liability
- PDBI/NDBI
- E&O
- Crime
- D&O
- Marine insurance
- Cyber risks

Responding to the Risk
- Do nothing
- Adopt a "patch" response
- Consider the risk holistically

Mitigating risk
- Cyber Security Plan
- Instill top-down risk culture
- Develop industry best practice
- Training
- Consider specific cyber security insurance with brokers
- In the event of an attack
  - Report it to the board
  - Comply with regulatory obligations
  - Crisis response team

Holman Fenwick Willan offices