Insurers warn of third-party cyber thefts

Insurers are warning the maritime sector that its third-party partners need to be assessed for their cyber-security capabilities. Credit: Getty Images

The maritime sector has been told that its ability to protect against cyber attacks is only as strong as the weakest of its third-party suppliers.

Sharif Gardner, cyber training manager at insurer Axis, said the marine sector is vulnerable because of the potential risk aggregations that an attack on a port facility would involve. “There has been a high focus in shipping on assessing cyber risks at sea and rightly so,” he said. “A vessel that is unable to operate or leave port because its systems are down is an asset not earning money for the business. And it is the business impact arising from this that should grab the attention of shipowners.”

In terms of those who would target the marine sector, Gardner is clear on the major threat. “Criminal syndicates’ primary motivation is financial gain,” he said. “The best way to make money out of shipping for a criminal in today’s climate is still most likely through its supply chain with a simple business email compromise, leading to transactional e-theft or fraud.

“Most shipboard systems are inherently insecure and, by nature, vulnerable to human error and indiscriminate malware introduction. However, data damage to the integrity of critical cargo management and operating systems could lead to widespread business interruption. The human factor is presented a lot in shipping because business owners can relate to it – humans have a tendency to cut corners.”

Gardner said work on internal systems is vital, and third-party partners need to be assessed for their cyber-security capabilities.

“The first point to address when talking about aggregation triggered by cyber threats is that posed by third-party vendors. We are in an age where ‘cloud services’ support the [information technology] infrastructure within a business, whether through web hosting, data hosting, or operational software. It is these services that have the capability to cause large, aggregated losses. Supply chain risk is ubiquitous across all industries and is an enterprise risk that does not discriminate by sector or size of organisation. The most notable attack to cause global disruption and aggregated losses was the ‘NotPetya’ malware, a proliferation experiment that caused serious financial and operational damage at large companies. It did not specifically target the shipping industry but large organisations as a whole.

“This was caused by a third-party software provider and led to hundreds of millions of dollars of losses for Maersk and other organisations in different sectors of a similar size. What it highlights is an over-reliance on technology and a lack of resilience in relative comparison to the size of the organisation relying on such services,” Gardner added.