The Management of Maritime Cyber Risk

Question 1

What are the threats (tangible and intangible) as they are perceived today and how they are manifested?

Question 2

What is a manager?

Answer 2

• Manager – “a person responsible for controlling or administering an
  organization or group of staff.”

Roles of a manager:
* Plan
* Organise
* Staff
* Lead – decisions, take responsibility, engender teamwork and mutual respect
* Control
* Responsibility

These skills rarely come naturally to people, they are worked on and develope to be a good leader, and requires a lot of practice.

Integrity (if i get something wrong, ill admit it) and respect (i know to be respected i have to respect) is very important in a manager - and before you show integrity you have to have belief in yourself

Question 3

What does a company structure look like?

Answer 3

the General Manager/CEO - to direct and control the company’s operations and to give strategic guidance and direction to the board to ensure that the company achieves its mission and objectives. (and makes sure that everyone is aware of the company mission).

• Direct and control the work and resources of the company and ensure the recruitment and retention of the required numbers and types of well-motivated, trained and developed staff to ensure that it achieves its mission and objectives.
• Prepare a corporate plan and annual business plan and monitor progress against these plans to ensure that the company attains its objectives as cost-effectively and efficiently as possible.
• Provide strategic advice and guidance to the chair and members of the board, to keep them aware of developments within the industry and ensure that the appropriate policies are developed to meet the company’s mission and objectives and to comply with all relevant statutory and other regulations.
• Establish and maintain effective formal and informal links with major customers, relevant government departments and agencies, local authorities, key decision-makers and other stakeholders generally, to exchange information and views and to ensure that the company is providing the appropriate range and quality of services.
• Develop and maintain research and development programmes to ensure that the company remains at the forefront in the industry, applies the most cost-effective methods and
  approaches, provides leading-edge products and services and retains its competitive edge.
• Prepare, gain acceptance, and monitor the implementation of the annual budget to ensure that budget targets are met, that revenue flows are maximised and that fixed costs are minimised.
• Develop and maintain an effective marketing and public relations strategy to promote the products, services and image of the company in the wider community.
• Represent the company in negotiations with customers, suppliers, government departments and other key contacts to secure for it the most effective contract terms.
• Develop and maintain Total Quality Management systems throughout the company to ensure that the best possible products and services are provided to customers.
• Develop, promote and direct the implementation of equal opportunities policies in all aspects of the company’s work.
• Oversee the preparation of the annual report and accounts of the company and ensure their approval by the board.
• Develop and direct the implementation of policies and procedures to ensure that the company complies with all health and safety and other statutory regulations.
• and you cant do all of that by yourself, you have to trust your employees and efficiently allocate job

Question 4

Who is responsible for the cyber security of a company?

Answer 4

1. the general manager/ceo is responsible for the input to cyber security, supported by the company and ship IT manager, as well as the safety manager
2. Ofcourse, the OT systems of the ship must be considered, which are overseen by the ship IT manager, supported by the fleet and safety manager. The ship IT manager is also responsible for the cyber security of the cyber risk assessment of ship IT systems,
3. Crew must be aware of the cyber risks, that’s the HR crew manager.

Question 5

what are the steps to manage cyber security in a company?

Answer 5

• Understand the requirement (rules, regulations, guidelines);
• Understand the organisation you are part of and how operations and business activities are conducted;
• Understand the challenge – Threats;
• Identify the exposure and weaknesses of your specific organisation – Vulnerabilities;
• Understand the appetite of the organisation’s management (CEO/MD and Board) for Risk;
• Formulate a comprehensive risk mitigation strategy that is:
• Relevant
• Appropriate
• Proportionate
• Efficient
• Cost effective

Your safety system should take into account the cyber threats in accordance to the ISM Code objectives by the IMO.

Question 6

what kind of threats should be taken into account when creating a plan to mitigate cyber threats?

Answer 6

Threats are presented by malicious
actions (e.g. hacking or introduction of malware) or the unintended consequences of benign actions (e.g. software maintenance or
user permissions).

In general, these actions expose vulnerabilities (e.g. outdated software or ineffective firewalls) or exploit a vulnerability in operational or information technology. Effective cyber risk management should consider both kinds of threat.

Question 7

What is the ISM Code and why is it important?

Answer 7

The International Safety Managemetn Code is a mandatory code that aims to provide an international standard for safety on board vessels. Companies should use it as a guideline to develop a safety management plan for their voyages.

Question 8

Using cyber consultants

Answer 8

Understand how to and when to use cyber security consultants:

• Ensure they understand and have prior experience and expertise with your type of company/industry (maritime/shipping/ports etc);

How to use consultants:

• Initial assessment of cyber vulnerabilities of company (including penetration tests);
• Discussions around company appetite for risk and data/information prioritisation
  (crown jewels);
• Assistance and support with formulation of company policies, implementation (a good consultant will not do it for you!) and risk transference;
• Provide training support to fulfil stated policies;
• Assist with quality assurance and scenario testing;
• Updating of protection policies and processes as cyber threats evolve;
• be proactive! You heard of a new virus out there - should I be thinking about this? Ask a consultant etc.

Question 9

Why do some insurers avoid insuring cyber risks?

Answer 9

First of all, insurance is not a business entitlement, it is a business transaction!

Under reporting was and remains a significant problem;

• Companies targeted by cyber attacks feared reputational damage
  and losing business to competitors by admitting they had been
  attacked;
• Companies claiming, they had not been attacked were either lying
  or were ignorant!
• Consequently, it was very difficult for insurers to build up sufficient
  case knowledge to assess the risk effectively or the extent of problem, making it impossible for them to quantify premiums.
• Consequently, they used CL380 to avoid underwriting cyber risks.

Question 10

how to develop a cyber security strategy?

Answer 10

1. Identify the threats
2. Identify the vulnerabilities
3. Assess risk exposure
4. Develop Protection and Detection measures
5. Establish Response Plans
6. Respond to and recover from cyber security incidents

Security should be:
* Layered to deter
* Designed to ensure detection
* Define threat
* Delay
* Defeat perpetrator

Security strategy should be:
* Relevant
* Appropriate
* Proportionate
* Efficient
* Cost effective