Managing an incident well can make the difference between an annoying distraction and a disaster.

Basics of Incident Response (IR):

isolate, don’t power off

Creating an IR playbook and response plan

Basic hack detection skills for crew

If you think you’ve been hacked or being hacked:

Shutdown the system

Or turn off the system

Separate the system from network

Restore the system with the backup

Or reinstall all programs

Connect the system to the network

It would be prudent to call the police even if you do not know who or how bad it was.  Gather evidence, and don’t assume it has gone.  Many of the case studies we look at in this book, shows hacks were left dormant for many months if not a year prior to the incident.

The safety management system will already include procedures for reporting accidents or hazardous situations and define levels of communication and authority for decision making. Where appropriate, such procedures should be amended to reflect communication and authority in the event of a cyber incident.

The following is a non-exhaustive list of cyber incidents, which should be addressed in contingency plans on board:

loss of availability of electronic navigational equipment or loss of integrity of navigation related data.

loss of availability or integrity of external data sources, including but not limited to GNSS.

loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress and Safety System (GMDSS) communications.

loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems, as well as loss of integrity of data management and control.

The Standard Bulletin in March 2017 looked to provide information on liability and cover.

“How would standard P&I cover operate in such a scenario?

Poolable P&I cover Other than the exclusion relating to paperless trading, there is no express cyber exclusion in the club’s rules. As such, a member’s normal P&I cover will continue to respond to P&I liabilities arising out of a cyber attack so long as the attack in question does not constitute ‘terrorism’, ‘a hostile act by or against a belligerent power’ or another war risk excluded under rule 4.3 of the club’s rules. Whether or not a cyber attack constitutes an act of terrorism for the purposes of the rules will generally depend upon the motivation behind it. In the context of war risks, terrorism is broadly understood to denote acts aimed to kill, maim or destroy indiscriminately for a public cause. Accordingly, if, for example, a cyber attack were to be perpetrated by an individual or group for the purposes of causing general disruption and for no public cause, then this would be very unlikely (without more) to constitute terrorism for the purposes of the rules and a member’s cover will respond in the normal manner. However, in the event of any dispute as to whether or not an act constitutes terrorism, the club’s board is given the power under rule 4.3 to decide and such decision shall be final.”

In March 2018 the UK P&I Club released a Q&A bulletin called “Cyber risks and P&I insurance”

“Are cyber risks excluded from P&I cover?

No.  As a general rule, P&I liabilities which are set out in Rule 2 of the UK Club Rules are not subject to any exclusion of cyber risks.  Nor is the International Group Pooling Agreement subject to a cyber risk exclusion.  Some maritime cyber risks, however, don’t come within the scope of P&I because they don’t arise from the operation of a ship.  An example is the risk of monetary loss where a shipping company is blackmailed to pay a ransom for the restoration of IT data or restoration of IT systems that have been compromised by cyber-attack.”