We have noticed recently that more and more cases have a “cyber” element to them, so we thought we would share one recent experience with our clients and followers.
In one recent case, a client’s vessel was subjected to a virus introduced via Charterers’ cargo representative who went on board when the vessel was in port. It is not clear if the representative was knowingly involved and he may in fact have been a conduit, i.e. the virus may have been introduced to the USB stick by persons at the port. The virus was introduced via a USB stick which contained documents that were printed out via the ship’s computer/ printer. Those on the bridge were apparently unaware that this had been done and it was contrary to Owners’ standing instructions. The virus disabled certain IT systems on board which were pertinent to discharge.
The Owners retained specialist IT consultants to successfully reboot the systems and remove the virus but it took several days. The vessel was sent back to the anchorage and was unable to complete discharge until much later (intervening congestion was by then an issue). The vessel was put off-hire. There were a number of charters in place and Owners had also issued Bills of Lading for the cargo.
Our involvement was to advise whether Owners had any remedy in relation to the costs of removing the virus and as regards recovering the deducted hire. The governing charter was on the NYPE 1946 form but there was no BIMCO cyber security clause nor any other clause dealing with such an incident.
As regards off-hire, there was an interesting issue as to whether the introduction of a virus constituted “damage” to the machinery so as to trigger the off-hire clause and whether the words “or any other cause preventing the full working of the vessel” were wide enough to cover a virus if it was not similar to “damage”. The better view was that software on board would fall under “machinery or equipment” and that software corruption by a virus is “damage”. So, the view was that the vessel was probably off-hire. The more interesting issues, however, were whether Charterers could be said to be in breach by introducing the virus via their representative’s attendance and/or whether it could be said that Owners were negligent in not properly supervising Charterers’ representative and/or not preventing him from introducing a USB stick into the ship’s systems.
Absent any specific clauses dealing with such incidents, the focus was on the general indemnity in favour of Owners who are complying with Charterers’ lawful employment orders and/or the express clause which obliges Owners to allow a supercargo on to the vessel and furnish him with suitable accommodation. It was argued that the supercargo (either knowingly or unknowingly) wrongfully inserted a USB into the vessel’s computers and that Charterers ought to be liable for the consequences. In dealing with that, however, criticism was levelled at Owners as regards their supervision of Charterers’ representatives and their cyber security policy which, it was alleged, allowed the virus to propagate.
The case also produced some interesting spin-off questions, namely whether Owners might declare GA to cover the costs of dealing with the problem so as to complete discharge. Another issue was whether the IT consultants who attended could be said to be akin to salvors, albeit that in this case there was a contract in place and the vessel was in no immediate danger. However, if the situation had been more grave (say, for example, the ship’s navigation had been disabled), then salvage might have been a consideration.
The matter was eventually resolved by negotiation, but a number of real legal issues emerged. The direction of travel is towards increased automation in shipping, so we all need to be alive to cyber threats. BIMCO has gone some way towards dealing with this via their 2019 standard clause, but this is not (yet) in wide usage. Parties need to think about cyber risks when drafting their contracts and make sure that the risks are properly allocated. The 2019 standard clause also introduces the possibility of a limit of liability on the guilty party, although in this case it was apparent that the costs of dealing with such an issue can be very substantial indeed.