‘Buy cheap, buy twice’ is one expression that has followed me around all my life. From shoe purchases, where that all-important cost per wear can be used to justify an eye-watering price tag, to more significant transactions involving family security. Most of us like to get value for our money and be safe in the knowledge that we are well-protected. And usually this means we may have to budget more than we’d like.
But conservative practice shouldn’t mean we are too frugal with the funds we set aside for when things go wrong. Worryingly, the results of IHS Markit’s third annual maritime cyber security survey seem to indicate that shipping is still discounting the cost of a cyber breach, even in an era when punitive fines can be imposed for loss of personal data.
When probed on budget allocation around cyber security, nearly two thirds of respondents (59%) confirmed that they have budgeted less than USD10,000 for responding to a cyber incident and about 46% acknowledged that their annual cyber security spend is below USD10,000. To be fair, of respondents who said that they had been attacked, 69% confirmed that the resultant costs were less than USD5,000. But for 17%, the cost of an incident exceeded USD100,000. Only 12% have budgeted more than USD250,000 for a breach.
With the exception of the Danish bellwether Maersk, which confirmed that the June 2017 NotPetya attack had resulted in a USD300 million bill, there is scant information in the maritime sector about the costs of a cyber incident.
But the absence of information on shipping’s cyber incidents is no excuse. According to the World Economic Forum’s 2018 risk outlook, the financial costs of cyber attacks are increasing. A 2017 study of 254 companies across seven countries put the annual cost of responding to cyber attacks at GBP11.7 million (USD15.4 million) per company, a year-on-year increase of 27.4%. Furthermore, the cost of cyber crime to businesses over the next five years is expected to reach USD8 trillion.
This is not an issue that is going to go away, but a comment from a member of the audience at a recent cyber workshop captured the cavalier approach that some shipowners have adopted.
“We don’t see the point of investing in cyber security as we believe the costs of an attack will be less than the annual cost of protecting our company,” the owner’s representative enthusiastically told the room. This was despite him having sat through two hours of presentations that clearly detailed the risk, the industry’s vulnerability, and the associated costs.
Encountering attitudes like that made a recent comment from former Transas chief executive officer (CEO) Frank Coles resonate. “[By raising awareness] shipowners think that they have solved the problem just because they are aware,” he said. “Shipowners don’t understand the [cyber] problem and they are doing very little about it. This all starts with the CEO’s lack of engagement around the risk,” he added.
It seems that even with some of the household names of shipping – BW, COSCO and Clarksons to name a few – having had to face up to cyber incidents, many in the industry are still of the view that it won’t happen to them and if it does, it won’t hit their wallets significantly. They couldn’t be more wrong.