Poor cyber security could lose business for maritime suppliers


Maritime organisations would stop doing business with a third-party supplier due to a lack of cyber-security protections, according to an industry survey.

More than three-quarters (77%) of respondents to the 2020 Safety at Sea and BIMCO Maritime Cyber Security survey said they would cancel a contract with a third-party supplier over concerns about its cyber-security practices, or if it was found to be the cause of a cyber incident in the respondent’s own organisation.

Furthermore, 26% admitted they had previously recommended not doing business with a third-party supplier due to concerns over poor cyber security practices.

Respondents said they would base their decision on whether there had been a financial loss as a result of a cyber incident caused by a third-party supplier, as well as taking their company’s risk management and the safety and security of their operations into account. Some noted they would also factor in the willingness of the supplier to rectify the cyber weaknesses in their product or company practices in a timely manner.

The issue of third-party risk remains high on the agenda for maritime companies for a second year running. In fact, 83% of respondents to the 2019 Maritime Cyber Security survey stated they would stop doing business with suppliers of systems if the cyber resilience of their products was called into question.

Consequently, the survey shows that maritime companies are increasingly assessing not only their own systems and work practices in a bid to limit the likelihood of an attack, but also the risks being introduced across their supply chain.

“Variety in the cyber-security rigour by integrated suppliers leaves shipowners and operators with an attack surface of the lowest common denominator, usually ruining the controls of the best in class,” Cris DeWitt, operational technology cyber strategist, told SAS. “As owners and operators vote with their wallets, suppliers that have acknowledged the [cyber] problem, that are working the problem, and can show progress are in a great place to win over their competitors and demonstrate a better actuarial picture for their insurers.”

Third-party suppliers ranked third, at 14%, among respondents’ picks for the biggest cyber vulnerability in their organisation. Companies see their own people as the biggest vulnerability at 52%, followed by IT systems at 17%.

For the fourth consecutive year, respondents to the Safety at Sea and BIMCO Maritime Cyber Security survey listed a company’s own staff as its greatest cyber vulnerability.

The recent malware attack on Mediterranean Shipping Co.’s Mediterranean headquarters in Geneva, Switzerland, reported on 16 April 2020 – just two days after the survey closed – drives home the cyber risks that companies face daily. Nearly one-third of respondents (31%) to this year’s Maritime Cyber Security survey said their organisation had experienced a cyber incident in the last 12 months, with phishing (68%), spear phishing (41%), and malware (33%) being the most common causes of cyber attack.

The top three cyber attack outcomes were said to be loss of money (28%), systems outage onshore (23%), and reputational damage (15%).

While maritime companies are expanding their assessments into cyber security weaknesses across their supply chain, many of their measures remain firmly focussed on reducing human error.

“Cyber-security training is seen by many as a first line of defence, especially against the most common types of cyber incidents,” said Jakob P. Larsen, head of security at BIMCO. “Eighty-eight percent of respondents indicated that their company offers some sort of cyber training, either internally provided (58%) or externally provided (30%). It is very encouraging to see such high numbers, and they are almost certainly an important part in keeping the loss or damage to a minimum level.”

Respondents to the fifth annual survey work in management-level roles onshore (47%), followed by executive level (28%), shoreside staff (15%), management-level roles at sea (8%), and onboard crew (3%).
