Admiralty & Maritime Law
The Greater Houston Port Bureau is pleased to present an excerpt from “Unseaworthiness in the Age of Cyberattacks”, a prize-winning article by James Andrew Black, J.D. 2019, Boston University School of Law. Black is currently employed by Moran Shipping Agencies, Inc. The article discusses the circumstances under which a vessel could be deemed “unseaworthy” and liable for cargo damage and loss after a cyberattack. James’ article was selected as the First Runner Up in the 2019 American Bar Association TIPS Admiralty & Maritime Law Committee law student writing competition earlier this year. The article was published in the Spring/Summer edition of the American Bar Association’s Tort Trial & Insurance Practice Section newsletter.
Vulnerable Cybersecurity Framework Could Make Shipowners Liable for Cargo Damage, Loss from Cyberattacks
Cyberattacks and Seaworthiness
The advent of cyberattacks in the maritime industry has increased awareness of these potentially disastrous threats.92 Cyberattacks have the potential to misappropriate, damage, or destroy entire cargos onboard a vessel by taking over its navigation, steering control, and any other OT system that is connected to the internet. Unsurprisingly, cyber risk management is an overwhelming concern of the maritime industry, which has taken “a proactive approach to incorporating [cyber risk] management into its safety culture [in order] to prevent the occurrence of any serious incidents.”93
A shipowner must exercise due diligence to provide a seaworthy vessel in order to receive the full benefits of either its package or global limitation rights.94 An unseaworthy vessel is one that is not reasonably fit for its intended use – this includes “a defective condition of the ship, its equipment or appurtenances.”95 Perfection is not the standard; however, shipowners must act reasonably to correct or prevent any conditions that will impede the vessel’s ability to safely deliver its cargo.96 Considering the catastrophic damages possible in the event of a cyberattack, one must necessarily consider under what circumstances a vessel’s vulnerability to such an attack might itself be considered an unseaworthy condition.
In the context of package limitation, shipowners cannot escape liability if their failure to use “due diligence to provide a seaworthy vessel” is a concurrent cause of damage or loss to the cargo.97 Likewise, a shipowner forfeits the right to global limitation based on residual value under the 1851 [Limitation of Shipowner’s Liability] Act if it has privity or knowledge of an unseaworthy condition that causes injury.98 Accordingly, whether a vessel is “cyber unseaworthy” is a crucial factor in determining the rights and obligations of shipowners in the event of cargo loss or damage,99 which could range anywhere from $0 to over $100 million depending on the quantity, value, and damage to the goods being carried.
Today, there is an abundance of industry-promulgated standards and regulatory guidance that “highlight best practices and approaches to address maritime cyber risk management.”100 This means that shipowners “can no longer claim ignorance with regard to [cyber risk] management.”101 Accordingly, it seems certain that a nonexistent or exceptionally inept cybersecurity program will be considered an unseaworthy condition if, thereby, hackers are able to execute a cyberattack that results in cargo damage, destruction, or misappropriation.102
It remains unclear, however, exactly which “policies and procedures, systems, controls and frameworks for data protection” are adequate to prevent a finding of unseaworthiness in the event of a cyberattack.103 The International Maritime Organization refers shipowners to the industry-published Guidelines on Cyber Security Onboard Ships (the “Guidelines”) and to the United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”).104 At a minimum, both the Guidelines and Framework recommend that shipowners “assess risks arising from the use of IT and OT onboard ships and establish appropriate safeguards against cyber incidents.”105 The Guidelines further promote using a third-party risk assessment in order to “drill deeper” to identify potential cyber risks and vulnerabilities.106
While neither the Guidelines nor the Framework represents a binding maritime regulatory regime, these documents provide reasonable standards to protect vessels from cyber threats and vulnerabilities. Each of the referenced standards suggests that cyber risk assessments are necessary in order to properly identify and safeguard against cyberattacks.107 An OT system vulnerable to cyberattacks, or infected by latent malware, is a defective condition prone to result in cargo damage or loss. While their cybersecurity systems need not be perfect, shipowners must make a reasonable effort to ensure that their vessels are cyber-seaworthy in order to make them fit for any intended voyage.108 The best means to achieve this result is continuous monitoring and assessment of vulnerable systems. Accordingly, a shipowner must conduct regular cyber risk assessments in order to satisfy its duty of due diligence to furnish a seaworthy vessel free from defective conditions that can potentially lead to cargo damage or loss.
Vulnerability to a cyberattack should be considered an unseaworthy condition, just as certainly as would a leaky hull that might cause a vessel to find its way to the bottom of the sea.111 Shipowners are required to exercise due diligence to provide a vessel that is in seaworthy condition, a vessel that is free of defective conditions that make it unfit for its intended voyage. Accordingly, in order to comply with this duty, shipowners must conduct regular cybersecurity risk assessments on their vessels aimed at identifying and eliminating any vulnerabilities to a cyberattack. The failure to do so will increase a shipowner’s exposure to liability in the event that a cyberattack causes any damage or loss to its cargo.
- Date September 5, 2019