Background

Cyber security is an issue high on many companies’ agendas, especially in the wake of recent costly cyber security incidents involving large shipping companies. BIMCO has taken a lead on cyber security – by getting actively involved at the IMO and co-authoring the “Industry Guidelines on cyber security onboard ships”.

As part of the effort to address cyber security risks, BIMCO has developed a standard clause that can be used in contracts to allocate cyber security related responsibilities, liabilities and obligations for contractual performance.

Poor cyber security is often due to a lack of awareness of the risks. The BIMCO Cyber Security Clause fulfils three important functions: The first is to raise awareness of the risk; the second is to provide a mechanism for ensuring that the parties have in place procedures and systems to help minimise the risk of a cyber incident happening in the first place; and the third is to ensure that the parties mitigate and resolve the effects of an incident when it occurs, while also cooperating to assist each other.

Drafting team

The BIMCO Cyber Security Clause has been developed by a team comprised of owners, charterers, P&I clubs and legal experts. BIMCO is grateful to the following individuals for assisting us with this important project:

• Inga Frøysa, Klaveness, Oslo (Chairman)
• Daniel Chu, Navig8, London
• Francesco Tundo, Thomas Miller P&I Club, London
• Elinor Dautlich and William MacLachlan, HFW, London

BIMCO secretariat support was provided by Grant Hunter, Head of Contracts & Clauses and Mads Wacher Kjærgaard, Assistant Manager, Contracts & Clauses.

Explanatory Notes

The following explanatory notes are intended to provide some background to the thinking behind the BIMCO Cyber Security Clause. If you have any questions about the clause that we have not answered in the explanatory notes, please contact us at contracts@bimco.org and we will be happy to help.

BIMCO Cyber Security Clause

This clause is designed to address situations where a party is struck by a cyber security incident and that incident affects the party’s ability to perform its contractual obligations.

By design the clause does not address payment fraud. Although this type of internet-fraud is increasingly common, the subcommittee feels that the risk will not be greatly reduced through a contractual clause. The fraud is successful mainly due to poor verification and authorisation procedures in companies and can be avoided by tightening internal procedures.

During the drafting, the possibility of requiring the parties to insure their cyber security risks was discussed. However, because cyber security risks insurance is still in its infancy, it was decided that it would be premature to oblige the parties to get insurance that might be difficult to obtain. Instead, it is hoped that the clause may be helpful for parties trying to obtain affordable insurance based on the liability cap contained in subclause (d).

Definitions

The first section establishes the definitions that are used throughout the clause.

Subclause (a)

This subclause sets out the requirements for each parties’ cyber security arrangements. The parties are required to implement “appropriate” cyber security measures and systems. The word “appropriate” is used because the level of cyber security will vary depending on various factors. It will depend on aspects such as the size of the company, the geographical location and the nature of its business. The parties are also required to maintain the cyber security measures and systems, not just implement them.

The parties must have plans and procedures that enable them to respond efficiently and effectively to an incident should it occur. Lastly, the parties are required to regularly review their cyber security arrangements to check that they remain suitable to meet potential cyber threats.

Subclause (b)

This subclause requires the parties to use reasonable endeavours to ensure any third party performing services on their behalf has in place proper cyber security, i.e. complies with the requirements under subclause (a)(i)-(iii). For example, shipbrokers and agents provide services and information to owners and charterers digitally – so their systems also need to be safeguarded against cyber risks.

Subclause (c)

This subclause sets out a two-fold notification regime. A first notification is to be given by the party who comes aware of a cyber security incident. It should be noted that this obligation is not limited to incidents within the party’s own systems. For example, one party might detect that data received from the other party is, without their knowledge, corrupted or altered and could damage their own system. In this scenario the party receiving the corrupt or altered data must notify the other party and make them aware that they might be victims of a cyber security incident.

The second notification is found in subclause (c)(i)(2). If one party is affected by a cyber security incident, it is obliged to inform the other party and provide alternative contact details and any information available that might help to mitigate or prevent the effects of the incident. Since time is of the essence in these situations, the clause sets out a 12-hours deadline for this second notification.

Subclause (c)(i)(1) requires a party who is encountering an incident in its “Digital Environment” to immediately take action to mitigate and/or resolve the incident. The action to be taken must be reasonably necessary. This wording was chosen to reflect that a party cannot be expected to take measures that are, eg, too costly compared to the extent of the incident.

Subclause (c)(ii) requires the parties to provide each other with any subsequent information that can be of assistance for the other party in relation to the incident.

Subclause (d)

This subclause contains a limitation of liability and provides a blank space to be filled out with the liability cap. A default limit of USD 100,000 will apply if the parties do not to fill in an amount. 

With the relatively low default figure of USD 100,000 in mind, the drafting team found that the balanced approach was to include an exception to the cap for situations where an incident giving rise to a claim is the sole result of gross negligence or wilful misconduct of a party.