
North has merged with Standard Club to form NorthStandard.
Find out more about NorthStandard here or continue on this site to access information and resources.

Cyber Risk Management in the USA — A New OPA '90?


In this article Joe Walsh, Senior Partner at Clyde & Co, outlines the latest thinking of the US authorities in relation to cyber risks and shipping.

The United States Coast Guard (USCG) recently published its Cyber Strategy in response to what it perceives as one of the most serious threats to US economic and national security interests. The USCG is certainly not alone in this cause. Acting on calls from various maritime sectors, the International Maritime Organization has also recognised the threat to global maritime safety and commerce and is expected to review industry-recommended guidelines at MSC 96 in May 2016.

The USCG Cyber Strategy may, however, be a major catalyst in forging a new standard of care. Relying heavily on its core operating concept of “Prevention and Response,” the USCG Cyber Strategy emanates from, and perhaps plugs holes in, the Maritime Transportation Security Act of 2002 (MTSA), enacted following 9/11. MTSA grants the USCG broad jurisdiction and authority over any “incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.” The USCG’s position is that MTSA provides it with the authority to develop and implement a Cyber Strategy, in effect directing the formulation of best practices, or a new standard of care, for an organisation managing cyber risks.

Together with MTSA, the USCG’s Cyber Strategy looks and feels similar to the “Prevention and Response” functions associated with the Oil Pollution Act of 1990 (OPA ‘90). For example, the Strategy obligates the USCG to collaborate with industry on cyber issues, using Area Maritime Security Committees to provide recommendations for Area Maritime Security Plans (AMSPs) and the National Maritime Transportation Security Plan. OPA ‘90 established Harbor Safety Committees to help develop Area Contingency Plans and the National Contingency Plan. USCG officials charged with implementing the Strategy propose that an organisation undertake a “risk based assessment” in tandem with “performance standards,” terms all too familiar to those who recall the OPA ‘90 rulemakings. USCG implementers also suggest that “exercises” might serve as a means to identify the procedures needed to respond to a cyber event, for inclusion in an existing security, natural disaster, or environmental response plan.

USCG implementers further suggest that organisations designate responsible individuals and a team of specialists to assess cyber vulnerabilities and, if necessary, to respond to an incident. OPA ‘90 likewise involves requirements for drills and exercises, the implementation of Vessel (and Facility) Response Plans, and the designation of Qualified Individuals (which led to the creation of Spill Management Teams (SMTs) and Oil Spill Response Organizations (OSROs)).

While similarities to OPA ‘90 may exist, there are, at least for now, significant differences. First, the Cyber Strategy is just that, a strategy. It does not have the force of law, yet. The USCG, however, may soon issue a Navigation and Vessel Inspection Circular (NVIC) offering “guidance” as to how cyber risk management fits into MTSA. Non-compliance with an NVIC is not itself a violation of law, but it is often viewed as conduct falling below the accepted or expected standard of care. The Third Circuit recently opined (in FTC v. Wyndham Worldwide Corp., 2015) that a hotel chain’s lack of firewalls and other cyber security measures may be an unfair business practice in violation of the Federal Trade Commission Act (FTCA), siding with the Federal Trade Commission even though the FTCA does not specifically require such measures. The Court deferred to the agency’s interpretation of its authority under that statute. Thus, while MTSA itself is rather generic and does not specifically address cyber threats, non-compliance with a cyber-focused NVIC could serve as a basis for imposing civil, or perhaps even criminal, penalties, in addition to the liabilities or losses incurred from the underlying event.

At this juncture, it is clear that the USCG views cyber risk “prevention” and “response” as operational responsibilities of a shipping company’s management, not of its IT department. Shipping companies will be expected to establish a reasonably viable cyber risk management programme, one that includes continuous assessment, coordinated planning, investment, benchmarking, training, and possibly risk transference (e.g. cyber insurance). Just as OPA ‘90 focused attention on “prevention” and “response,” commercial maritime interests would now be best served to:

  • assess and mitigate their potential cyber vulnerabilities related to network access and data protection (prevention); and
  • consider and plan how to respond to a cyber event which might precipitate or run concurrent with a safety, security or environmental incident (response).

Whilst at present there is no requirement to adopt the suggested approach, it is likely that the US authorities will, in the foreseeable future, require cyber risks and security to be managed on ships trading to the US. Given the interconnected nature of modern technology, this means that shipping company systems that interface with a vessel will also need to be secure.

The proposed strategy at least has the virtue of following the structure of OPA ‘90, which is well understood by ship owners. It may also be of use to those Members who are concerned about cyber risks, by providing them with a ready-made framework for managing those risks.

Many thanks to Joe Walsh for his assistance in providing this article. www.clydeco.com/people/profile/joe-walsh
