FW’s Matthew Gore examines the implications of new virtual security regulations
The importance of cyber security to the maritime transport sector was brought into sharp focus in June 2017 when the ‘NotPetya’ malware attack struck organisations in more than 60 countries worldwide, including many prominent organisations within the maritime transport sector.
Incidents such as this demonstrate the need to improve the security of network and information systems across the maritime transport sector. The Directive on Security of Network and Information Systems (EU 2016/1148) (the Cyber Directive), which was transposed into UK law on May 9, 2018, brings cyber security onto a legislative footing. It applies to organisations termed ‘Operators of Essential Services’ (OES) and requires such organisations to demonstrate that they have implemented ‘appropriate and proportionate’ cyber security measures to prevent, or at least alleviate, the potential harm of cyber security incidents.
The latest UK Government publication on the application of the Cyber Directive indicates that, within the maritime transport sector, the OES designation will apply to harbour authorities, ports or port operators that either have annual passenger numbers greater than 10m or that account for more than 15% of the UK’s ro-ro traffic, 15% of the UK’s lo-lo traffic, 10% of UK total liquid bulk, or 20% of UK total biomass fuel.
The Cyber Directive will also impact sea freight carriers that handle more than 30% of freight at any UK port that falls within the parameters above and 5m tonnes of total annual freight in UK ports as a whole.
While those identified as OES pursuant to these thresholds will need to comply with the requirements of the Cyber Directive summarised below, it is important to note that businesses that supply or contract with OES are also likely to be affected due to the highly interconnected nature of the sector.
OES within the maritime transport sector will be required to comply with a set of fourteen security requirements based on the following four objectives as defined by the National Cyber Security Centre:
Managing security risk – OES will need to ensure that appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services across their assets and supply chains.
Protecting against cyber attack – This objective necessitates the implementation of proportionate security measures to protect essential services and systems from cyber attack. Examples include managing access to relevant systems, the protection of data and providing staff with appropriate training.
Detecting cyber security events – OES must demonstrate they have the capability to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect essential services.
Minimising the impact of cyber security incidents – This objective centres on an organisation’s ability to minimise the impact of a cyber security incident on the delivery of essential services. It calls for OES to have a robust incident response plan to cover all relevant potential incidents. In addition, any incident having a ‘significant’ impact on the continuity of essential services must be formally reported.
Oversight and enforcement
Once the Cyber Directive is effective, each ‘Competent Authority’ will have responsibility for the oversight of its sector. The Competent Authority for the maritime transport sector will be the Secretary of State for Transport and by extension the Department for Transport. Responsibilities of the Competent Authority will include the designation of OES; monitoring the application of the Cyber Directive; the publication of guidance (including incident reporting thresholds); and enforcement and the imposition of penalties.
The Competent Authority will have the right to impose financial penalties (up to a maximum of £17m) on OES which contravene the Cyber Directive. However, the UK Government is keen to stress that the maximum penalty should be regarded as a last resort – indeed, the latest guidance dictates that the Competent Authority will take a reasonable and proportionate approach to enforcement.
Matthew Gore is a partner at HFW, where he is a specialist lawyer covering the ports and terminals, shipping and logistics sectors. The author would like to thank Mark Devlin of HFW for his input on research and drafting for this article.
Source: Port strategy