Would you buy fire insurance if you genuinely believed your house could not burn? Would you buy fire insurance if you believe fire damage can be quickly and efficiently repaired?
Obviously, you would answer “no” to both questions if you agreed with the underlying premise that fires either cannot happen, the likelihood of them happening being extremely small or the damage done being limited.
Knowing the likelihood and impact of real fires, companies tend to not only have fire insurance but also spend significant efforts on installing fire-fighting equipment, spending money on fire-dampening construction materials as well as train and inform their staff on fire drills.
The companies do this because the financial risk-reward equation is clearly tilted towards preventative measures. They cost some money upfront, but that investment is very small compared to the potential loss from not doing anything.
Maritime cyber security has to be seen as almost exactly the same.
Recent years have shown that there is indeed a very real likelihood of either office operations being impacted, or equipment such as vessels or port equipment being impacted. But how about the possible financial impact?
In the case of the cyber attack on Maersk in 2017, the company has subsequently stated that the cost of this was between 250-300 Million USD. The same cyber attack also impacted logistics firm TNT express, which is owned by Fedex who assessed the financial impact to be a loss of 300 Million USD.
Maritime insurance company Lloyd’s of London made an assessment in late 2019 indicating that a cyber attack on major ports across the Asia-Pacific could result in a loss of 110 Billion USD.
Such a number might sound fantastical and designed by an insurance company to “scare” prospective customers into buying insurance. But consider the following few examples.
In container shipping, the industry norm until just a couple of years ago was, that freight is not really being “sold” online. It is booked, but against existing contracts. Often bookings begin to pickup some 4 week prior to vessel arrival and are basically done about a week prior. In the 2017 case of the Maersk cyber attack many customers were therefore able to postpone their cargo booking until systems were again operational. But still the cost incurred was extremely high.
Fast-forward to 2021. Where essentially 0% freight was sold purely online in container shipping two years ago, reality today is that approximately 25% of Maersk’s volume is sold online and Hapag-Lloyd (the world’s 5th largest container line) sells 15% of their cargo online. The other shipping lines are quick to play catch-up in this game. That means, that a cyber-attack going forward can have much larger financial consequences in terms of lost business than it had just a few years ago.
Another element to look at is the increasingly automated equipment in ports and on vessels. The highest risk is a cyber attack rendering the equipment non-functional. The impact is enormous. To place this in context, the container ports on the US West Coast were shut down for 10 days in 2002 due to a labor dispute. The estimated cost at that time – 19 years ago – was that this had a cost to the wider US economy of 1-2 Billion USD per day.
A large crude oil tanker vessel has extremely fluctuating daily charter rates. But when the market spikes, they can make 100.000-200.000 USD per day to their owners. It is in these spikes that shipping companies make the money needed to take them through the inevitable downturns in the market. A cyber attack on the equipment on the vessel can render the vessel effectively out of action for days or even weeks.
Seen in the context of the potential financial impact, the cost of improving cyber security is minute. Most often the most important element to start with is not to procure a large expensive “system”. One of the very first steps, which is often the lowest-cost as well, is to get a comprehensive test and assessment of the actual state of affairs. Whenever this is done for the first time, our experience is that it will often reveal a substantial array of security problems – with the positive upside being that the majority of these can actually be fixed relatively quickly and a very limited cost.
For further information about our Maritime security service, please visit: https://improsec.com/en/maritime-cyber-security-vessel-assessment
Also, you can join our Maritime Cyber Security webinar on 4 March 1-2 pm, on how to best approach cyber security in 2021. Read more about the webinar and add it to your calendar here: https://www.linkedin.com/posts/improsec_cybersecurity-maritimecybersecurity-saferandbetterfuture-activity-6765973411916222464-urTJ