Marine Insurance Law in the Age of Cyber Piracy

I. INTRODUCTION

Like many other sectors of global economies, the shipping industry is increasingly integrating with technology developments and the cyber world. Larger vessels use the Automatic Identification System (AIS), cranes use satellite-based GPS systems, maritime navigation systems are linked to IT systems, complex cargo systems use digital utilities, and two Inmarsat use GPS (Global Position System) (Cyber Risks and Insurance in the Marine Industry, 2016). [1]These technology systems are in charge of managing the enormous sums of money, ships, cargo, and other assets that multinational maritime corporations’ control. But the new threat to the modern world is cyberattacks, which include data theft, security lapses, and hacking. These dangers are all become more common. However, marine insurance can be a "tool" that is essential to aiding the global maritime industry in recovering from cyberattacks. The threats in the marine sector are linked to two main goals: a) cyberattacks on ships; and b) cyberattacks on the corporate headquarters of maritime firms, which rely on computers and other digital equipment to function.

[2]Although insurers are aware of the risks posed by cyberattacks, the primary challenge is comprehending the issue. Additionally, determining the cost of exposure is the primary obstacle preventing the marine insurance sector from addressing the issue (maritime 3 companies do not disclose information to the public if they have been the target of cyberattacks, as they fear losing customers, stock declines, and frightening shareholders). The aforementioned issue prompts insurers to include the "paramount clause"—the Cyber Attack Exclusion Clause (CL 380) 10/11/2003 (The Risk of Cyber-attack To the Maritime Sector, 2014)—in their policies in order to exclude cyberattack losses. Any loss, harm, or liability resulting directly or indirectly from the use of a computer and the systems and software that go along with it is excluded by this provision. [3]The term "cyber" is another troublesome issue facing the marine insurance sector. The phrase "cyber" is extremely general and can refer to a wide range of traits, attributes, and specifics. It is extremely difficult for insurers to come up with a single solution to the issue. Furthermore, it's critical to understand that every cyberattack is a unique occurrence that poses a threat to a specific ship, for instance (The Guidelines on Cyber Security Onboard Ships, 2017).

Modern technologies and international maritime trade are becoming increasingly intertwined as they develop. Thus, the primary danger to the global maritime trade industry in the future will be cyber-security. [4]The marine insurance sector needs to be equipped with specialized knowledge to manage cyberthreats. More work has to be done to inform and assist insurance businesses by supplying them with specialized scientific research materials. The topic of cyber-security is becoming increasingly significant. Modern civilization must focus more on increasing awareness of cyber-security for the secure and sustainable growth of the economy.

II. DEFINITONS OF CYBER- ATTACK

Legally defining the word "cyber-attack" is crucial from the standpoint of maritime insurance. Contracts and clauses that specify terms for the sake of contractual duties come in a wide variety these days. [5]A "cyber-attack" is generally defined by a variety of terms used in various industries worldwide, but for the purposes of marine insurance, the term should at the very least be related to (a) a shipping company, (b) a ship owning company, (c) a charterer, or (d) a port management company or other port handling organization. Although they may occur for a specific amount of time, each cyberattack on the shipping industry is a distinct incident and activity (The Guidelines on Cyber Security Onboard Ships, 2017).

The important definitions of cyber-attacks and cyber-risks:

• [6]According to UK P&I Club Q&A document (2018): “Cyber risks can be defined as the risk of loss or damage or disruption from failure of electronic systems and technological networks” [7]BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI produced “The Guidelines on Cyber Security Onboard Ships” (The Guidelines on Cyber Security Onboard Ships, 2017) states that Cyber-attack is any type of offensive manoeuvre that targets IT and OT systems, computer networks, and/or personal computer devices attempting to compromise, destroy or access company and ship systems and data.”

  
  

• [8]IMO Interim Guidelines on Maritime Cyber Risk Management published on 1st June 2016 (MSC.1/Circ.1526) “maritime cyber risk refers to a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.”

  
  

• [9]In its P&I Loss Prevention Bulletin published in May of 2018 (Vol. 42) Japan P&I Club provides a definition of cyber-risk: “Cyber-risk” is a potential risk to lead to operation failure of the IT systems, which will cause financial loss, disruption or damage to the reputation of an organization. Cyber-risk includes external factors (such as computer virus, Trojans, or attack over network, etc.) and internal factors (malfunction, miss-operation, or system bug, etc.).”

  
  

• North P&I Club specifies that cyber-risk may be the failure of an onboard GPS receiver due to a fault with the equipment, extending right through to the catastrophic scenarios of vessel systems being attacked and the vessel being disabled, run around or taken over by malicious third parties (Cyber Risks in Shipping, 2017).

III. GUIDELINES ON CYBER SECURITY ONBOARD SHIPS

"The Guidelines on Cyber Security Onboard Ships" (The Guidelines on Cyber Security Onboard Ships, 2017) was jointly released by industry leaders BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF, and IUMI. The Guidelines are a thorough guideline that covers all of the relevant cyber-security concerns. The Guidelines are significant because they provide insight into how the industry is responding to the hazards because they were created by industry representatives rather than the IMO.

The threat identification component of the BIMCO Guidelines is the most crucial one. The rules claim that states, state-sponsored organizations, terrorists, criminals, opportunists, and activists—including disgruntled employees—are the ones that commit cyberattacks. The intentional attack is the shared goal of these identified offenders. Although each player has different reasons for acting, the three most significant ones from the standpoint of marine insurance are financial and commercial gain, operational interruption, and reputational harm.

According to the Guidelines, the goals of the cyberattack include data destruction, sensitive data publication, media attention, blocking access to the targeted service or system, selling stolen data, ransoming stolen data, impairing system functionality, coordinating fraudulent cargo transportation, obtaining intelligence for more complex crimes, pinpointing the location of the cargo, and off-vessel transportation and handling plans. The maritime insurance industry may find this information very helpful in assessing the risks. The Guidelines provide a thorough approach to account for all potential losses and damages brought on by a cyberattack.

IV. CYBER SECURITY AND MARITIME SECURITY

[10]Up until now, terrorism has not posed such a danger to maritime security; nonetheless, Somali pirates and terrorist organizations such as al-Shabaab have already gained access to internet marine tools in order to take over vessels. But when these organizations deliberately seek out hackers to fulfill their objectives, the danger will increase.

Many states have begun preparing in response to the concerns. "The UK National Strategy for Maritime Security" (National Strategy for Maritime Security, 2014) was drafted by the UK in 2014. [11]According to the publication, one of the maritime security threats for 2014–15 is "Attack on UK maritime infrastructure or shipping, including cyber- attack" (Bueger, 2015). As a result, one of the world's leading maritime nations is already incorporating marine cyber security into its national security guidelines.

[12]More digital services have begun to be included into gas networks' operations in recent years (Myrvang, 2018). Digital technologies could be used for data collection, analysis, and visualization in order to maintain, repair, and run gas networks. Gas network digitization has its own set of risks. Cyberattacks on digitalized gas networks may result in decreased output, increased risks to human health, safety, and the environment, expensive damage claims, insurance condition violations, harm to one's reputation, and a loss of operating license. Oil networks are included in addition to natural gas networks.

For many nations, the seas' natural gas and oil networks have strategic significance for STeconomic security. [13]Their economy is reliant on the safe and secure import and export of oil or gas. In addition, the networks traverse numerous jurisdictions. Strong cyberattacks have the potential to undermine global marine security. Guidelines for applying the International Electrotechnical Commission's IEC 62443 standard, which covers security for industrial 17 automation and control systems, have been released by DNV.GL, industry leaders in quality assurance, risk management, and classification activities (DNVGL-RP-G108 Cyber Security in the Oil and Gas Industry Based on IEC 62443, 2018).

[14]The aforementioned patterns will be crucial to marine security in the future. The term "hackers" refers to the emerging players in international maritime security. These days, it is quite difficult to determine who they are, who supports them, and their objectives change depending on the situation. [15]It might be undermining massive offshore oil drilling platforms and resulting in catastrophic oil spills or inciting major maritime powers; for instance, China's Ministry of State Security broke into the contractor for the US Naval Undersea Warfare Center and stole 614 gigabytes of data.

The material included details on a covert operation called Sea Dragon as well as top-secret submarine communications data (Morris, 2018). Therefore, the situation is not just about maritime insurance; the international community also needs to address the growing threat and work with the governments to establish common ground.

V. STRENGTHENING CYBER SECURITY IN THE INDIAN OCEAN

The use of automated logistics and smart shipping has increased the complexity of cyberthreats in the marine sector. Ransomware assaults, AIS manipulation, GPS spoofing, and port-based hacks are some of the most alarming cyberthreats. Ship navigation relies on GPS and AIS, which cybercriminals can tamper with to steer ships off course or pass off pirate ships as authentic ones. The use of AIS spoofing by Iranian tankers to circumvent U.S. sanctions was suspected in 2019. Attacks using ransomware against transportation companies have also highlighted the associated financial implications.

In 2017, Maersk, the world’s largest shipping company, was hit by the NotPetya[16] ransomware, disrupting operations and causing losses of $300 million. Indian ports have not been immune either. In 2021, Jawaharlal Nehru Port Trust (JNPT) faced a cyberattack that disrupted cargo handling. Given the economic impact of such incidents, cyber piracy is not just a technical issue but a national security concern. A disrupted maritime supply chain can affect energy imports, trade, and even military logistics.

The Indian Ocean region is particularly susceptible to these threats due to its high volume of trade and strategic importance. It is critical for countries, especially India, to recognize that cyber piracy is more than just a criminal issue; it is a real geopolitical menace[17]. The rise of state-sponsored cyber warfare has added another dimension to this threat. For instance, cyberattacks on maritime networks could be used as a tool of economic coercion or as a prelude to military action. While major naval powers such as the United States and China have invested heavily in cyber defence for their maritime infrastructure, Indian Ocean nations must urgently develop similar capabilities. This necessitates drafting better laws that directly address maritime cyber piracy. Amending existing laws, such as the IT Act and the Admiralty Act, to include provisions on cyber threats at sea would be a significant step forward. Regional cooperation among Indian Ocean Rim Association (IORA) member states could also lead to a more coordinated approach to cybersecurity, including intelligence sharing and joint cyber patrols.

India and other Indian Ocean nations must update their legal frameworks to address cyber piracy effectively[18]. Some proposed reforms include amending the IT Act to introduce specific provisions for maritime cyber piracy, with penalties proportionate to the economic and security damage caused. Indian courts should recognize cyber piracy as part of maritime law, allowing affected parties to seek redress under the Admiralty Jurisdiction. Regional legal cooperation should also be established through organizations like IORA and BIMSTEC to handle cross-border cyber piracy cases. [19]Cybersecurity in maritime infrastructure must be enhanced through AI-based threat detection, blockchain for cargo tracking, and ethical hacking audits. International collaboration is also essential. India, through its Indo-Pacific strategy, has been increasing maritime cooperation. The QUAD’s Indo-Pacific Cybersecurity Initiative can help in intelligence sharing on maritime cyber threats[20]. The Information Fusion Centre – Indian Ocean Region (IFC-IOR), based in Gurugram, can be expanded to focus more on cyber threats. Joint naval exercises such as MILAN and Malabar should incorporate cybersecurity training to prepare for potential digital threats in maritime operations.

VI. IMO GUIDANCE AND STANDARDS AND WAYS TO IMPROVE IT

The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by IMO.

Cybersecurity is crucial for specialized IT/OT systems which is used by ships, like Automatic Identification System, Electronic Chart Display and Information System, Automatic Radar Plotting Aid, Voyage Data Recorder and Emergency Position-Indicating Radio Beacon.

Shipping Vessels should be made ready to step up the security measures due to their vulnerability to incidents. Above all, it is imperative to make sure that the internal network is divided and isolated from the public networks. To find any unusual activity or irregularities in network traffic, continuous monitoring is also required. According to research, a large number of businesses in the industry still exclusively use firewalls to protect their IT and OT environments. That is undoubtedly insufficient. One solution should not be the foundation of cybersecurity; rather, it should include many instruments that cooperate in a systematic manner.

It is best to draft a security policy that outlines the desired level of security and is contained in a separate document. On the basis of that, implementation protocols are created that outline specific steps for proactive threat prevention and attack response. This document must be familiarized with by the entire crew and the onshore staff that support the vessels.

To properly prepare for the identification, blocking, detection, and reaction to attacks, one must adhere to the NIST principles. The EU's NIS2 Directive, on the other hand, is a set of rules designed to raise the level of cybersecurity throughout the EU, including protecting partners in the IT supply chain. Its full implementation is scheduled for October 17, 2024. The main objective of NIS2 is prevention. Conversely, E26 and E27 pertain to the fundamental onboard systems and are specifically related to maritime transportation. Beginning in July 2024, both Directives will be required for all new boats.

Even though the good practices suggested by the aforementioned regulations are not yet required, it is nonetheless beneficial to put them into practice. Given the current digitalization of the industry, which necessitates extra caution to protect data, this is the proper course of action.

Cyber Risk Management should

1. Identify the roles and responsibilities of users, key personnel, and management both ashore and on board.

2. Identify the systems, assets, data and capabilities, which if, disrupted, could pose risk to the ship’s operations and safety.

3. Implement technical measures to protect against a cyber incident and ensure continuity of operations. This may include configuration of networks, access control of networks and systems, communications and boundary defence and the use of protection and detection software.

4. Implement activities and plans to provide resilience against cyber incidents. This may include training and awareness, software maintenance, remote and local access, access privileges, use of removable media and equipment disposal.

5. Implement activities to prepare for and respond to cyber incidents.

Author:  Anika Tarar, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at  

[1] https://commons.wmu.se/cgi/viewcontent.cgi?article=1606&context=all_dissertations

[2] https://articles.manupatra.com/article-details/LEGAL-CONTROVERSY-AND-ISSUES-UNDER-MARITIME-LAW

[3] https://docs.manupatra.in/newsline/articles/Upload/33B67566-3C40-406C-8F89-E95D227F553F.pdf

[4] https://www.indiacode.nic.in/handle/123456789/2256

[5] https://docs.manupatra.in/newsline/articles/Upload/33B67566-3C40-406C-8F89-E95D227F553F.pdf

[6] https://www.manupatrafast.in/NewsletterArchives/listing/Hariani/2018/Feb/The%20Admiralty%20(Jurisdiction%20and%20Settlement%20of%20Maritime%20Claims)%20Act,%202017.pdf

[7] https://www.bimco.org/

[8] https://www.imo.org/

[9] https://www.igpandi.org/

[10] https://docs.manupatra.in/newsline/articles/Upload/DF00C465-AB53-4F85-8027-F1D7E6E62D14.2-F__cyber%20laws.pdf

[11] https://docs.manupatra.in/newsline/articles/Upload/4CF7696D-4B8E-4ABA-BCBA-E12AE1C7988F.pdf

[12] https://www.imo.org/en/OurWork/Security/Pages/Cyber-security.aspx

[13] https://www.ics-shipping.org/wp-content/uploads/2021/02/2021-Cyber-Security-Guidelines.pdf

[14] https://www.maritime-cybersecurity.com/

[15] https://marine-offshore.bureauveritas.com/marine/cybersecurity

[16] https://indiafoundation.in/articles-and-commentaries/navigating-legal-frontiers-combating-cyber-piracy-in-the-21st-century/#_edn17

[17] https://indiafoundation.in/articles-and-commentaries/navigating-legal-frontiers-combating-cyber-piracy-in-the-21st-century/#_edn18

[18] https://www.imo.org/en/OurWork/Security/Pages/PiracyArmedRobberydefault.aspx

[19] https://imo.org/en/OurWork/Security/Pages/Cyber-security.aspx

[20] https://www.imo.org/en/OurWork/Security/Pages/Cyber-security.aspx