TM Law’s Alexis Cahalan looks at the real and potential impact of cyber risks on the transport and logistics sectors, and offers some guidance to operators on how to protect themselves.
Thomas Miller Law is a proud partner of the Freight & Trade Alliance (FTA) in Australia. This article appears in the latest edition of FTA’s quarterly publication, “Across Borders”.
The Case for Cyber Risk Management
Businesses will be used to ensuring workplace health and safety and regulatory compliance, and to safeguarding against physical threats such as theft. Processes to guard against such events are somewhat easier to identify where the risks are tangible and visible. However, one of the biggest issues now facing business is how to deal with the almost unseen risks which arise when data breaches occur, but which have quite tangible consequences. Proper cyber security risk analysis and the development of a cyber risk management process should now be considered a key feature of good business management.
The reality of cyber risks
A number of high profile companies have already fallen prey to cyber attacks. In August 2016, the Australian Bureau of Statistics Census Program was hacked and the extent of the data compromised is largely unknown. In October 2016, the Red Cross Blood Bank’s donor records were infiltrated and donors’ sensitive personal information was leaked. Closer to the logistics sector, in June 2017, AP Moller-Maersk, the world’s biggest carrier of seaborne freight, carrying about 15% of all global trade by containers, fell victim to a massive cyber attack known as Petya. It was believed to have been a ransomware attack, in which payments are extorted to restore data. It is estimated that the financial losses incurred by Maersk as a result of the incident could be in the region of US$300 million.
The Maersk situation was the result of an untargeted attack, and other companies and government institutions were similarly affected. The threat of targeted attacks is also very real. In the recent decision of the English Court of Appeal, MSC Mediterranean Shipping Co SA v Glencore International AG [2017] EWCA Civ 365, the susceptibility of cargo handling procedures to targeted cyber attack was highlighted. In that case three containers of cobalt briquettes were shipped from Fremantle to Antwerp, where they were discharged according to an electronic release system (ERS) which had developed over some years. Rather than paper delivery orders being presented against bills of lading, the ERS enabled consignees or their agents to present electronic pin codes to obtain the release of the containers.
When the legitimate recipients of the pin codes arrived to collect the containers, only one remained. It is not entirely clear how the remaining two containers were misappropriated; however, it was “tolerably clear” to the Court of Appeal that the pin codes had been accessed due to cybercrime. One of the defences the carrier sought to rely upon was that the chain of causation had been broken because the shipping agent’s email accounts had been hacked. However, there was insufficient evidence to show how the thieves had accessed the pin codes, whether from the shipper, their agents or MSC’s operating systems. The Glencore case serves as a reminder that where electronic releases can influence the delivery of cargo, access to the system must be monitored, as must the conduct of the persons who have access to those systems.
Cyber risk business check list
It is becoming increasingly important for businesses to create a culture of cyber responsibility and to develop processes to detect and respond to cyber breaches. Some aspects which your business can consider when reviewing its cyber risk profile are:
Not unlike the emergency response procedure which will apply when the physical environment of a business is out of action, develop a data risk response plan and nominate the person or group who can make immediate decisions when communication systems may be down. Take heed of the advice from the CEO of AP Moller-Maersk, Soren Skou, whose reflection on lessons learned in the aftermath of the attack was “isolate an attack quicker and restore systems quicker”;
A fast response may itself disrupt operations and obligations to customers. Consider whether cyber insurance will provide some financial support to limit the losses to the business caused by the disruption and the inevitable rescheduling of services. Insurance may also assist with engaging public relations consultants to curtail potential reputational fallout;
Where you are providing a service, is this subject to your terms and conditions and do the terms and conditions limit liability for incidents caused beyond your control and limit liability to your customers for consequential losses arising from cyber incidents? Do they at least endeavour to allocate the risk appropriately between your business and your customer or other service providers? For example, incorporate indemnities where your own suppliers or customers may be responsible for or fail to mitigate a cyber incident;
Require and monitor your sub-contractors’ compliance with data protection, storage, backup and recovery requirements and, where applicable, privacy and data protection laws. As a result of the new legislated mandatory data breach notification requirements which will come into effect on 23 February 2018, require your suppliers to notify your business in the event of a data breach on their part;
Consider whether you have sufficient internal resources to deal with a significant cyber incident and, if not, identify external service providers you may be able to rely upon;
Review third parties who may have access to your business’s systems and customers, and the vulnerability to the release of data such as occurred in the Glencore case;
Encourage a culture of cyber risk awareness and integrate general risk management procedures, reviews and risk assessments into the planning of the business;
Cyber risk is no longer something which will require a response just from the “IT group”. It is a responsibility across the whole organisation and can be made so by driving the cyber psyche from management down to all levels of the business. This means that consideration of and responses to cyber risk should be addressed at board level, and security related policies and procedures implemented throughout the business. This will also be important should it be necessary to prove that everything has been done within a business to ensure the integrity of customer information. In the event of a claim, well thought out procedures could be a significant defence;
Being mindful of cyber risk, identifying vulnerabilities, considering effective responses and implementing procedures are positive steps towards positioning your business to be ready to respond to the increasing reality of cyber risks.