The latest update is that the ransomware attack on the DNV Ship Manager platform had affected 1000 vessels out of a total user base of 7000. While this will be a harrowing event for DNV management and their clients, it is an important opportunity for information sharing so that the maritime sector as a whole can be stronger in the face of the rapid evolution of the cyber threat. It is also an object lesson, which is necessary, on the importance of good articulation of roles and responsibilities between customer and supplier.
It has been reported that 1000 vessels have been affected by the LockBit ransomware attack on DNV’s ShipManager platform. This does not appear to mean that the vessels’ own systems have been damaged, rather that the software platform has been unavailable. The impact on each vessel, we surmise, will be proportional to the reliance placed on the system.
News of a compromise such as this provokes a number of different emotions. 1000 is a big number; we can only hope it doesn’t grow. But it must be a relief that it wasn’t higher – small comfort to those affected, granted – but understanding why the virus did not spread is as important as understanding how it did.
More importantly, a case such as this provides an opportunity for all ship owners and managers to examine a number of different aspects of their risk management posture.
1. You can’t outsource reputational risk
Many companies recognise that it is cost-effective to outsource aspects of their back office to specialist providers, taking advantage of economies of scale and expertise. Whatever the terms and conditions in any outsourcing contract, it is still your brand on the line if your supplier is unable to provide you with a critical service – and you and your clients suffer as a result. Customers just see your brand and see it failing to perform.
2. Understand the nature of your contract with 3rd parties
Many service providers try very hard to lay off risk in the event of non-performance. Apart from service credits, their terms and conditions may seek to isolate them from any impact of a cyber-attack on you, even if it derives from them. We would recommend that companies oblige their outsourcing partners to describe in detail how they would react should their systems fail , or should they become an attack vector to you. You will need to have confidence in their contingency planning so that their responses are a known quantity.
3. Test your assumptions
You can only know that your contingency plan works if you test it. And you need to understand which systems and/or services are critical for the ongoing success of your business if you are to put together a plan which will work. You cannot assume that your outsource partners will respond in as timely manner as you might need, or be able to come up with a working alternative quickly.
4. Plan for exit – work for success
If you outsource a critical service, at some point you will ned to recompete the contract, and maybe transfer to another provider. As in other dimensions of life, it is very important to know how both sides will behave at the end of the relationship as much as during it. Planning the exit does not mean negotiating in bad faith, however; rather it should guarantee a smooth transition from one provider to another.
Every breach is a nightmare – but also an opportunity to take a good look at how you operate your business. Don’t assume that your suppliers will act in any particular way when the chips are down. Get it in writing, and test it. And keep testing until it is right. Your business deserves nothing less.
If you would like to discuss this, or any other cyber issues, please don’t hesitate to contact us.