The Japan P&I Club has issued a comprehensive guidance note to its members on cybersecurity measures, in view of the increased threat of cyber attacks at sea.
The Club’s Vol.42 May 2018 P&I Loss Prevention Bulletin, “Cyber risk and Cyber security countermeasures”, noted that the necessity of cybersecurity guidelines for ships has been highlighted by the International Maritime Organisation (IMO).
It noted that while cyber risks have not been specified in the Club rules, a claim regarding the coverage of a cyber attack or cyber breach would be examined in the usual way with reference to the Rules.
“When the cyber attack would not fall under the definition of ‘war’ or ‘act of terrorism’ under rule 35, a member will be subject to cover along with his normal P&I insurance,” it said.
However, cybersecurity incidents which do not develop into P&I incidents will not be covered.
For example, reported cases in which a certain amount of the ship’s store was transmitted mistakenly due to a hacked e-mail, or in which a ship’s schedule was delayed because the crew was investigated by the authorities after an uploaded video found on a personal PC appeared to be associated with terrorism, would not be covered under the P&I policy.
The guidance note covers ship communications devices, their connected onboard PCs, navigation electronics and propulsion equipment.
To mitigate cybersecurity risks, the Club outlined the following:
- Identify IT systems: in order to list them.
- Implement risk assessment: risk assessment is to be implemented by examining the possible outcomes of a cyber attack, frequency and current management method.
- Establish necessary countermeasures: as a result of risk assessment, countermeasures are to be planned, implemented and operated.
- Implement, operate and manage incidents: check the status of additional countermeasures and verify that there are no flaws using reports of incidents and near misses from the ship, or an ISM/ISPS (International Safety Management/International Ship and Port Facility Security) internal audit conducted by a superintendent.
- Incident statistical analysis: companies have to conduct statistical analysis based on the reports of incidents and near misses from the ship, and the results reported from the ISM/ISPS internal audit.
- Review and improve: after a statistical analysis, a review is needed as to whether the additional countermeasures are working, and if the countermeasures are not enough or if a new risk was reported, the risk assessment has to be implemented again.