2nd mci webinar - maritime insurance answers | shoreline ltd

THE SUCCESSFUL MANAGEMENT OF A MARITIME CYBER ATTACK – EXPERT RESPONSE


Post on 16-Apr-2022


TRANSCRIPT

Page 1: 2nd MCI Webinar - Maritime Insurance Answers | Shoreline Ltd

THE SUCCESSFUL MANAGEMENT OF A MARITIME CYBER ATTACK – EXPERT RESPONSE


PRESENTERS

Laetitia Fouquet, Global Head of Cyber

Oliver Hutchings, Managing Director - Marine

Nicholas Taylor, Consultant - Shoreline Ltd


Maritime Cyber Risk and Solutions

MCI Objectives

Introduction to CTA

Debunking myths about cyber

What is Incident Response Management?

Case Studies

MCI as an aid to compliance

Q & A

Shoreline MCI Webinar September 2020


The Maritime Cyber Attack Landscape

Sunday Times Interview with retiring GCHQ CEO, Ciaran Martin

“What keeps me awake at night is worrying about the damage a rogue, state-backed or stateless criminal group could do with a cyber-tool they don’t fully understand and can’t control once they have launched it”


MCI Objectives

Aiming at:

• SME ship owners and operators

• The entirety of their operations – on land and at sea

• The financial losses suffered following a cyber or cybercrime attack

• Policy provision of immediate access to responsive service upon the discovery of an attack

• Embedding the responsive service into owners’ contingency plans and remediation strategy


About Charles Taylor Adjusting


Cyber Incident Response Team

Long-term relationships with insurers, brokers and panel vendors

Enabling efficient response to minimise negative impact on policyholders’ operations

In-house business interruption specialists and forensic accountants with knowledge of cyber-related BI

Expert support from our Marine team with expertise in: Adjusting including Average Adjusting, Surveying, Technical and repair services for Marine Liability, Ports & Terminals, Yachts & Cargo

6 years’ experience in cyber programs

55+ adjusters

Global reach and multilingual response

300 claims each year

Responses include ransomware to major global data breaches.

From SME to big corporations.

Involved in cross border and major loss events


Debunking myths

It only happens to big companies and SMEs are not the target.

Other industries are more at risk, such as financial institutions or manufacturing.

The risk is mainly financial and onshore.

Cyber is only an IT issue. My antivirus software is enough protection against cyber losses.

Paying the ransom is the best solution, and we can restart immediately once this has been paid.

We don’t hold valuable data/we have good backups, so we know we can get all of our data back if attacked.

Staff use corporate devices, we have a VPN and our WiFi is password protected, which protects all communications.

We do social engineering training, so our staff can’t be fooled.

Our own IT department / vendor put the system together, so they know how to support us in case of an attack.


What is Incident Response Management?

Insureds’ internal plan to detail:

• Key responder

• Mobilisation plan etc. in case of a major event

• Activating the Incident Manager (IM) at CTA to provide support and access specialist resource

CTA coordinates support from vendors from the first call and leads remediation strategy

Time is critical to minimising financial losses & reputation harm

Incident response process (flowchart boxes and timing markers):

• Notification to Cyber Incident Management Centre

• Incident Manager conducts Triage Call

• IM & Experts remediate the incident

• IM arranges experts on Insured's behalf

• Canopius issues coverage position

• IM issues 48 Hour Report to Canopius

• Within 2 hours

• IM requests confirmation of insured status from Canopius

• IM sends WP letter to Insured

• Canopius confirms status to IM

• Within 24 hours

• Canopius directs IM as needed

• Within 3 days

• Emergency Escalation


Case Study 1: Offshore – Ransomware

Background information

• Crew member brought in “pirate” films on a USB key

• PCs in engine control room and bridge compromised, one of ECDIS systems not working (constant reboot)

• No immediate ransom note

• Ship approaching the harbour with pilot sent onboard

• The master reaches out to IT Manager for diagnosis

• Vessel berthed and cargo discharged

• Remediation / charts re-loaded / re-testing systems

Shoreline MCI Webinar June 2020


Case Study 1: Offshore – Ransomware (continued)

Work done

• Discovery of a core compromise with backdoor for continuous attacks

• IT forensics costs for cleaning the systems

• Restoration costs for the lost data

• Adjustment of Business Interruption claim

Lessons learnt

• Benefits of a ship not equipped with a navigation or power management system connected to the internet (offshore/onshore transmission)

• Need for BYOD policies & training of staff on bringing potentially corrupted equipment on board

• Benefits of strong backup policy

• Get the right people in early to avoid repeated issues


Case Study 2: Data Breach

Background information

• Notified as a Social Engineering Fraud with no apparent security breach

• Insured was using O365 for email communications

• Forensic analysis showed email account had been compromised

Work done

• Vendors appointed to investigate

• Difficult compilation of accurate data which included direct clients and other parties + across jurisdictions

• Potential complaints: compensation payments covered

Lessons learnt

• Importance of questioning initial findings of Insured’s IT

• Ensuring data subject notifications are issued accurately + with minimal delay


Case Study 3: Onshore – Ransomware

Background information

• Ransomware affecting logistics systems.

• Demand was accompanied by threat to double if not paid in time.

• Access to critical business information blocked.

• Insured was keen to pay the ransom to resume normal work

Work done

• Recommended a panel IT vendor to confirm if the backups could be used

• Panel IT vendor negotiated payment of Bitcoin ransom

Lessons learnt

• Data was considered critical for the continuity of the business

• The importance of continuous and remote back-up routines

• Appropriate support is required to validate and minimise the loss

• Paying the ransom is just the beginning


Case Study 4: Social Engineering

Background information

• Chain of emails for a large transaction had been breached resulting in a fraudulent payment: intrusion confirmed

Work done

• IT forensics to investigate origin of the intrusion: identified as a sub-contractor

• Lawyers appointed to: investigate potential liability; assess viability of recovery action

Lessons learnt

• Importance of questioning findings of sub-contractor

• Potential cross-over between Cyber and Crime Policies.

• Avoided complaint & managed reputational damage but also kept costs under review


Accessing the best resource for the type of attack experienced

IT Forensics & Remediation

ID Protection

Public Relations


Compliance

IMO Resolution MSC.428(98) in force 1st January 2021

Documents of Compliance will require evidence of readiness

Response/mitigation procedures which are integrated into MCI can also be built into SMS


Why MCI? Answer: Design, Cost and Service

• Shoreline’s MCI policy provides comprehensive coverage in a modular format enabling delivery of cover within budgetary requirements

• Shoreline has control over pricing and service for its SME shipowner clients, thereby guaranteeing a prompt and efficient client service

• Support service is central to the value of the product Shoreline offers: the response agent – CTA – is written into the policy as an integral part of the purchase

• Shoreline has the integrity, experience and track record as a proven independent provider of specialist marine products to an established client base


QUESTIONS


FIND FURTHER INFORMATION AT: WWW.SHORELINE.BM

Capt Thomas [email protected] +1 (441) 505-1002


Nick [email protected] +44 7770 866 530