Page 14: of Maritime Reporter Magazine (June 2019)

I

INSIGHTS: CYBER SECURITY

Captain Andrew Kinsey

Captain Andrew Kinsey, Senior Marine Risk Consultant, Allianz Global Corporate & Specialty

Cyber Risk Management:

What Maritime Professionals Need to Know Before the IMO 2021 Deadline he IMO January 2021 deadline Preparations to prevent or minimize a for shipping interests to incor- cyber incident are your ? rst line of de-

I often tell my clients that porate cyber risk management fense, however, companies still need to

Tinto their existing Safety Man- have a response plan in place that out- cyber security is a race agement Systems is fast approaching. It lines how to respond when a cyber in- without a ? nish. The IMO is critical that stakeholders understand cident occurs. An important part of this their vulnerabilities. The IMO has issued plan is to work with your insurance bro- has given the maritime

MSC-FAL.1/Circ.3 guidelines on mari- ker and underwriters to understand how time cyber risk management that does a to properly manage your risk with ad- industry a deadline to get good job of outlining the many vulner- equate insurance coverage. able systems within marine operations, The key here is to identify what is their cyber risk practices including: and is not presently covered. The big in order by January 2021. unknowns are so-called “silent” cyber 1. Bridge systems exposures in most traditional insurance

It is clear that the work will policies, which were designed when cy- 2. Cargo handling and management ber was not yet a major risk and do not not end there.

systems explicitly consider it. This can create © pickup/Adobe Stock step when examining your company, enterprises. The cyber threat does not uncertainty for businesses, brokers and 3. Propulsion and machinery manage- terminal or vessel’s cyber exposure. All care if you are in port or at sea. As long insurers about which loss scenarios are ment and power control systems parts of your business that are controlled as you are connected to the internet, you covered. Group-wide, Allianz is review- or supported by computer systems need are at risk. The Department on Home- ing cyber risks in property and casualty 4. Access control systems to be identi? ed, and there are likely more land Security has numerous cyber tips (P/C) policies in its commercial, corpo- than you realize. and resources to help you educate your rate and specialty insurance segments 5. Passenger servicing and manage-

The United States Coast Guard has crews and shore-side support staff. This and has developed a new underwriting ment systems very good guidance on how to start un- includes the Stop. Think. Connect. Cam- strategy to address “silent” cyber expo- derstanding and identifying your cyber- paign. Simple information such as this sures, ensuring that all P/C policies will 6. Passenger facing public networks security exposure (https://homeport. should be included as a regular part of be updated and clari? ed in regard to cy- uscg.mil). This guidance includes infor- onboard crew training. ber risks. We want to remove the uncer- 7. Administrative and crew welfare sys- mation from the Department of Home- A more comprehensive program has tainty of coverage for our business cus- tems, and ...

land Security’s Industrial Control Sys- been developed by the National Cyber- tomers. I often tell my clients that cyber tems Cyber Emergency Response Team security and Communications Integra- security is a race without a ? nish. The 8. Communication systems.

(ICSCERT), which provides a wide tion Center Industrial Control Systems IMO has given the maritime industry a range of information, tools, and services (NCCIC). Its industrial controls system deadline to get their cyber risk practic-

The IMO Guidelines also raise an im- that can help companies assess their se- (ICS) team has developed guidance to es in order by January 2021. It is clear portant point on understanding the dis- curity, identify recommended practices, assist owners in preparing their business, that the work will not end there. Cyber tinction between information technology (IT) and operational technology system and improve their cyber security. (http:// and networks, to handle and analyze threats will continue to evolve in fre- (OT). In short, IT focuses on the use of ics-cert.us-cert.gov/) a cyber incident. (https://ics-cert.us- quency and severity as we become more

This brings up a very important point cert.gov/sites/default/? les/FactSheets/ reliant on the technology. The Technol- data as information while OT focuses on the use of data to control or monitor regarding cyber and the maritime envi- NCCIC%20ICS_FactSheet_Cyber_ ogy will be a positive for both increasing physical processes. These distinctions ronment. Often we are faced with unique Incident_Analysis_S508C.pdf ) Guid- vessel safety and reducing risk, however, risks in the maritime ? eld, and while ance such as this should be incorporated it requires staying vigilant for new and become important when it comes time to the cyber threat at sea does have some in the Cyber Risk Management sections emerging threats. This vigilance is es- conduct a risk assessment of your opera- unique characteristics, most threats are of Safety Management Systems as re- sential for the future of the industry be- tions.

Risk assessments should be the ? rst the same as those faced by shore-side quired by the IMO. cause complacency is not an option. 14 Maritime Reporter & Engineering News • JUNE 2019

MR #6 (10-17).indd 14 5/31/2019 9:09:42 AM