Cyber issues in shipping


Sally-Ann Underhill, Philip Thomas & Tom Summers from ReedSmith urge caution against an email scam of a kind that has become frequent. They refer to a recent case in which an email sent by scammers posing as a law firm was circulated amongst all interested parties, and they recommend reasonable steps to protect owners, charterers and ships from cyber risks.

We have had reports of an email scam being circulated amongst owners and charterers and, in particular, being sent to ships. These emails are being sent by scammers posing as law firms in order to distribute malware, including the latest ransomware.


Dear Sir,

We have been appointed to proceed with legal steps in arresting your vessel due to your inability to clear your long overdue payment with our client. Our client claims that several reminder has been sent to you on this subject matter without getting any response from you.

Find attached lawsuit filed by our client including Court and lawyer cost. Kindly review and revert with your comment. Meanwhile, vessel will be arrested by the court till further notice.

Your urgent response will be appreciated.



It is extremely important that both owners and charterers are made aware of these potentially dangerous emails. Anyone receiving these unsolicited emails should be very careful and, if in doubt as to their authenticity, should send them to their IT support team before opening any attachments or links contained therein.

This follows on from the seminar Reed Smith delivered in Cyprus last month in relation to the increasingly pertinent issue of maritime cybersecurity. Shipowners are becoming increasingly exposed to cyberattacks – often from accidental interference rather than malicious attack.

It is important for owners to discuss with their clubs which of their P&I liabilities will be covered and what their responsibilities are when protecting against any potential future attacks. In general terms, owners are likely to be required by their respective insurers to demonstrate that they are taking reasonable steps to avoid or minimise cyber risks under their insurance, and to avoid or reduce the risk of cargo claims. Owners are strongly encouraged to be proactive in developing effective cyber incident response plans internally.

Risks are of course not limited to cyberattacks via email. Researchers also point to significant holes in the industry’s three key navigation technologies: GPS, marine Automatic Identification System (AIS), and Electronic Chart Display and Information System (ECDIS). Precautions should also be taken in respect of the potential corruption of computers on the bridge, in the engine control room, and in relation to cargo control mechanisms and port systems.

Similarly, charterers must also take steps to ensure the authenticity of any emails received containing invoices or payment demands. Cyber attackers posing as brokers or trusted third parties are also increasingly common and, with significant sums of money being transferred amongst charterers and owners, all industry players are reminded to remain vigilant. For example, when bank account details for payment are changed unexpectedly or an email does not quite look right, often a simple telephone call can help to clarify any uncertainty and can save millions of dollars.

Failure to take reasonable steps to avoid or minimise cyber risks may also expose owners to potentially significant fines and/or enforcement action under applicable data protection laws. Where owners operate within the EU, the potential to incur fines will increase exponentially once the General Data Protection Regulation (GDPR) becomes fully effective on 25 May 2018. Under the GDPR, EU national data protection authorities will have powers to fine organisations the greater of 4% of worldwide annual turnover or €20m for the most serious of data security breaches. Failure to implement appropriate steps to safeguard against malware can qualify as a breach of the minimum security obligations under EU data protection laws.

Written by Sally-Ann Underhill, Philip Thomas and Tom Summers, ReedSmith LLP

The above article was initially published on ReedSmith’s ‘Ship Law Log’ and is reproduced here with the authors’ kind permission.

The views presented above are only those of the authors and not necessarily those of SAFETY4SEA, and are for information sharing and discussion purposes only.

About Sally-Ann S. Underhill

Sally-Ann deals with all types of charterparty, bill of lading, ship management and shipbuilding disputes, as well as worldwide logistics issues. She has worked on a number of disputes involving highly technical issues leading to claims under charterparties and bills of lading, as well as force majeure, off hire and demurrage disputes; and also involving complex deficiencies arising in shipbuilding matters. She has wide experience of disputes relating to cargo claims including the carriage of oil and gas products, drybulk cargoes and containers, as well as pharmaceutical products. Sally-Ann is also a specialist in procedural applications, including anti-suit injunctions, freezing orders, and arrests, and has extensive Commercial Court, arbitration and mediation expertise. She has considerable experience of drafting standard form amendments to charterparties, COAs, pool agreements, ship management agreements and freight forwarding agreements. The economic downturn also led to her being involved with a number of high profile insolvency issues. Sally-Ann works largely with clients based in Europe (including the UK, Italy and Greece), the U.S., Korea and China, acting for, inter alia, owners, insurers, managers, and pharmaceutical companies. She regularly lectures on bill of lading and charterparty issues, and is responsible for our in-house training in the Shipping Group. She is also editor of the Shipping Group’s blog: Ship Law Log. Sally-Ann is recommended as a lawyer in Legal 500 UK 2016, being described as ‘brilliant’.

About Philip Thomas

Philip is counsel in the Information Technology, Privacy & Data Security team and a member of the IP, Information & Innovation Group, as well as a technology and outsourcing specialist. Philip specialises in complex IT contracts including outsourcing transactions and IT procurement and supply contracts (acting for both customers and service providers). He has particular experience in advising clients operating within the technology, telecoms, marine and logistics sectors. Philip advises on global and European data protection laws including data protection strategy and compliance, privacy impact assessments, privacy by design, cross-border transfers of personal data, online behavioural marketing, IT and organisational security and the development of privacy and data retention policies. Philip joined Reed Smith in 2013, having previously worked at another City firm. Philip has also held in-house positions at ntl (now Virgin Media) and Nortel Networks.
