On 24 October 2018, Jones Walker LLP publicly released the findings from its inaugural Maritime Cybersecurity Survey.
The survey—which reflects the responses of 126 senior executives, chief information and technology officers, non-executive security and compliance leaders, and key managers from U.S. maritime companies—confirms that the evolving technologies deployed by the industry to increase efficiencies and competitiveness present significant cybersecurity risks.
The survey’s respondents represent key sectors of the U.S. maritime industry. They come from small, mid-size and large companies and include vessel owners and operators, port operators and support providers, and cargo shippers.
The survey asked for input on the following: attitudes and perceptions toward cyber threats; threat management and readiness; operations, training, budgeting, and staff committed to cybersecurity; strategic planning; history of data breaches; response plans and security frameworks; and on-vessel security.
The most significant takeaway from the survey: the industry is operating with a false sense of security and is largely unprepared to address these looming risks.
While 69% of respondents believed that the industry as a whole was prepared to address cybersecurity and the associated threats, only 36% of respondents believed that their own company was prepared. Put differently, 64% of respondents believed that their own company was unprepared to prevent a data breach.
The survey’s findings indicate that preparedness is tied directly to company size. 100% of respondents from larger companies (400+ employees) felt prepared to address a potential data breach. However, 94% of respondents from small companies (1-49 employees) and 81% of respondents from mid-size companies (50-399 employees) felt unprepared.
In this respect, the survey responses correlate with actual and potential data breaches. 78% of large companies reported a successful or attempted breach within the past year. Among small and mid-size companies, there were significantly fewer successful or attempted breaches, with 83% of small companies and 60% of mid-size companies reporting no breach. This disparity raises questions: Were there no breaches? Or are these companies simply unaware of breaches?
Preparedness also varied based on the type of company. 31% of vessel owners and operators believed their company was prepared. Among port operators, that number climbs slightly, to 33%, while 57% of cargo shippers surveyed believed their company was prepared. As computerization and autonomy have become more prevalent in the industry, it is no shock that cargo shippers stand in the best position to prevent a data breach.
Where does the industry go from here? Before answering, one must acknowledge that the risk of a cybersecurity threat does not appear to be on the radar for many, particularly the small and mid-size companies. The risks and impacts, though, are well-known. Given the interconnectedness of the industry, with vessel operators working hand in hand with ports and cargo owners, the potential trickle-down effect of an attack on one company can have widespread ramifications for other companies. For proof, look no further than the June 2017 attack on Maersk and the consequences of that breach.
As technology advances, industries must adapt and change. Before that can be done, the threats must be acknowledged and understood. The survey suggests that industry awareness is growing but is not yet at a point where the industry as a whole is prepared to tackle the challenges.
Companies should proactively put into place the strategic plans, policies, and procedures necessary to recognize and address cybersecurity threats. Employee training, threat assessments, and insurance will undoubtedly play a significant role in making companies cyber-secure. As each stakeholder takes steps to embrace and address cybersecurity, so too will the industry as a whole.
By: Hansford (“Ford”) P. Wogan, Jones Walker LLP