Fishing or Phishing: How Cyber Secure is Your Business?
August 1, 2019
Chances are, you have been notified by email at one point or another that you won the Nigerian lottery. Simply pay the taxes and collect your fortune! The kind gentleman who sent the email is happy to handle the specific details if you wire him the money. This type of scam, known as “phishing,” is simple and should be easy to identify, but it continues to catch people every day. Even worse, these phishing attempts can be used to infect your computer with malware, a type of software designed to interfere with a computer’s normal functioning. Hackers can also use malware to lock users out, steal data (also referred to as a data breach) or otherwise harm the host computer. When these hackers demand payment to unlock the computer, often in bitcoin or another form of cryptocurrency, they are initiating a ransomware attempt.
Hacks, Hackers and Hacktivists
If it seems like everyone you know has been notified that their personal data may have fallen into the wrong hands as part of a data breach, it’s because it likely has. According to the Data Breach QuickView Report, more than 1,900 breaches were reported through March 31 of 2019, exposing approximately 1.9 billion records. The number of breaches is up 56.4 percent, and the number of exposed records is up 28.9 percent compared to last year. When shipping giant A.P. Moller-Maersk was hit with a 2017 ransomware attack at a reported cost of between $200 million and $300 million, it was a wake-up call for the maritime industry. If that wasn’t enough, in 2018 the Port of San Diego was the victim of a highly sophisticated cyber attack that resulted in severe disruptions to port operations.
What does any of this have to do with your fishing operation? Cybercriminals only target huge corporations and governmental entities, right? Wrong! Cybersecurity exposures should concern everyone in the fishing industry, from the largest vertically integrated processors to the smallest independent operators. The threats are everywhere, and most businesses are playing catch-up. According to the 2018 Jones Walker Maritime Cybersecurity Survey, the U.S. maritime industry is being specifically targeted by cyber attackers. The Survey also notes there is a false sense of preparedness in the industry and that small and mid-size companies have few, if any, protection measures in place, exposing them to potentially huge losses. Does your operation understand the origin of common cyber threats? Do you know how to spot them? And do you have a response plan in place if a cyber event occurs? Finally, if worse comes to worst, will your current insurance program cover your losses?
Fishing-Specific Cyber Risk
In many ways, today’s modern fishing boat is a floating cyber risk. Electronic navigation aids (GPS, AIS, VMS, and route-planning software); communications systems (satellite phones, weather radar, the internet); catch-reporting or catch accounting systems that transmit data to regulators or the home office; and IoT (“internet of things”) solutions that enable the various systems on board to “talk” with one another, all present opportunities for cyber intrusion. Sadly, most of these vulnerabilities are easily exploitable by a motivated hacker, typically with nothing more than a laptop.
Even shore-based operational duties carry cyber risk for the industry. If you manage multiple boats or track quota for your co-op, you’re probably on the receiving end of data coming off the boats. If you’re in sales or distribution, you have stored data about your customers, or you may have supply chain management software. If you’re in purchasing, you have vendor and supplier data. If you’re in HR, you have personal information about current and former employees. Does your website handle online orders? Do you use a payment plug-in for your phone or tablet when selling directly to customers? Again, each of these payment portals represents an easily exploitable exposure that could be catastrophic to your business. Potential losses include lost revenue, business interruption, first-party fines and costs from regulators, third-party liability claims and reputational damage – just to name a few.
If this discussion makes you nervous, it should. The risks are real, and the threats are closer than you think. You already manage a variety of risks in your operation. You take safety precautions. You insure the hull and machinery, and buy liability insurance in case of an accident. Cyber risk shouldn’t be viewed any differently. The 2018 Jones Walker Maritime Cybersecurity Survey notes that 92 percent of small companies and 69 percent of mid-size company respondents confirmed that they do not have cyber insurance. If you are unsure if you have cyber coverage – or the right cyber coverage – speaking to a knowledgeable insurance broker is critical. Additionally, cyber insurance can include much more than just the financial transfer of risk. Cyber insurance can also include pre-cyber event training, threat updates, and post-cyber event or privacy breach service providers, including law firms, IT forensic firms and ransomware response vendors. All of these can typically be negotiated into the policy premium.
Having a plan in place is key to minimizing the disruptive and costly impacts of a cyber event. If you already have a plan, consider yourself ahead of the curve. Lean on your broker to help pinpoint areas of potential cyber impacts, identify gaps in coverage and recommend ways to transfer cyber risk. You wouldn’t cut the boat loose without insurance, so why risk it with the computers, communications equipment and data that are so vital to your operation? Next month, we’ll go in-depth regarding some specific cyber risks and talk about insurance products and related services to help you address those risks. In the meantime, explore and consider what cyber threats may be specific to your business.
Mark Gleason represents USI Insurance Services in the maritime and related markets. He has spent 24 years in the maritime industry, including 13 years as a commercial fisherman in Alaska, Washington, and California, and as Executive Director of a fishing industry trade association.