Cybersecurity In Shipping Contracts – Maritime India Vision 2030
Paramita Banerjee & Bhavna Sharma
29 Dec 2025 9:31 AM IST

The Maritime India Vision 2030 (MIV 2030), formulated by the Ministry of Ports, Shipping, and Waterways, is an attempt to establish India as a global maritime leader by 2030. Its ambitions are to develop world-class port infrastructure, enhance logistics efficiency through technology and innovation, and lead in safe, sustainable, and green maritime practices, including establishing a centralized Digital Centre of Excellence (DCoE) under the Indian Ports Association to drive cyber security and compliance across Major Ports. Considering the glaring gaps in contemplated regulations and the corresponding rise in cyber incidents, a pressing question arises: Will India's current state of maritime cybersecurity truly enable the nation to achieve these ambitious goals?
Although digital transformation through automated navigation, remote vessel monitoring, and integrated port logistics has redefined efficiency, it has also exposed India to escalating cyber threats. Cybersecurity is one of the foremost challenges for the entire maritime sector, with threats from both state and non-state actors, and is a critical aspect of maritime security today; ignoring it can be fatal.
India's Legal Framework for Maritime Cybersecurity
Specific maritime cybersecurity laws and established landmark cases offering guidance are lacking at the moment, forcing the sector to rely on general regulatory frameworks.
The Information Technology Act, 2000 (IT Act), provides general guidance: Section 43 penalizes unauthorized access or system disruptions; however, it lacks maritime-specific provisions. Although the Admiralty (Jurisdiction and Settlement of Maritime Claims) Act, 2017, primarily deals with physical disputes, it may be stretched to cover digital attacks resulting in marine loss or damage.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, require shipping firms and port operators handling crew or passenger data to adopt security protocols, publish privacy policies, and ensure compliance through on-site disclosures.
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, were a leap in formalizing CERT-In's role in mandating incident reporting from telecom and logistics intermediaries, enabling rapid response to port cyber threats.
In 2017, Cyber Swachhta Kendra launched detection and remediation tailored to disinfect maritime IT endpoints, while the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, required critical port systems to form Information Security Steering Committees and conduct audits for timely threat sharing.
The draft National Cyber Security Strategy, 2020, envisions coordinated defences for cyberspace, including maritime assets. The Digital Personal Data Protection Act, 2023, imposed steep penalties, up to 4% of global turnover, for mishandling personal data such as in vessel operations.
The Digital Intelligence Platform (DIP) and the 'Chakshu' reporting portal of the Department of Telecommunications also enable the detection of telecom-enabled cyber-frauds in shipping routes. Yet the absence of a dedicated maritime cybersecurity law has become critical, as seen in the Sagarmala Program's port automation expansions and the Maritime Amrit Kaal Vision 2047, which amplify risks in the absence of tailored mandates and may potentially stall MIV 2030's vision too.
Navigating Through Cybersecurity in Shipping Contracts
Cybersecurity is now integral to the legal duties of care expected in the maritime industry. The Maersk cyberattack of 2017 and the COSCO Shipping attack of 2018 bear testimony to this, highlighting the need for clear terms to allocate risks for delays, data recovery, or regulatory fines.
Data protection in the maritime sector is paramount. Risks include data breaches and software attacks on shipping companies or port authorities, manipulation of navigational data or vessel tracking systems, and disruption of logistics and cargo management, among others, and their impact is wide-ranging. Breaches can lead to financial losses, reputational damage, and safety risks, apart from operational disruption and the claims arising from it. Ship owners and operators must protect vessels and cargo from cyber threats, as mandated by the ISM Code's integration of cyber risk management. Failure to do so may constitute negligence, exposing parties to liability claims.
Cybersecurity in the maritime field is as much a contractual issue as an IT concern. Accordingly, the Baltic and International Maritime Council (BIMCO) Cyber Security Clause 2019 provides a template structure to follow. Contracts should include clauses covering:
· Trigger: Define what constitutes a cyber security trigger.
· Cybersecurity responsibilities: Define who implements measures like firewalls, encryption, and intrusion detection. Each party may undertake to maintain a risk management system based on industry standards like MSC-FAL.1/Circ.3-Rev.3 (supra).
· Notification and mitigation obligations: Notification is to be immediate, which aligns with the CERT-In Directions, 2022, which mandate reporting within 6 hours of the occurrence of an incident.
· Exclusion or limitation of liability: Exclusion or limitation of liability on agreeable terms, and indemnity for such incidents, should be covered, to ascertain whether an incident is treated as force majeure, negligence, etc.
The above components of the clause also mirror the International Maritime Organization's (IMO) global efforts to combat maritime cyber threats, with Resolution MSC.428(98) complemented by MSC-FAL.1/Circ.3-Rev.3, which outlines five key functions: identify critical systems, protect assets, detect incidents, respond effectively, and recover swiftly.
Cyber insurance is becoming increasingly vital, though coverage requires careful review of 'silent cyber risks'. The debate over whether inadequate cyber defences render a vessel unseaworthy adds complexity, potentially impacting liability under maritime law. Weaknesses in these areas could impede MIV 2030's aim.
Way Ahead?
The maritime industry's digital evolution has immense potential, but it also heightens cyber security issues that demand urgent action. India presents a significant lacuna in dedicated maritime cybersecurity laws, a notable shortfall that must be addressed through focussed aims.
To fortify its maritime security, India may begin by empowering entities like the Coast Guard, enhancing their authority and tools to manage cyber incidents, and setting minimum cybersecurity requirements like the Coast Guard's regulations under the Maritime Transportation Security Act of 2002 in the US.
Collaborating with CERT-In could provide targeted training and necessary insights from historical cyber events, enhancing the effectiveness of response.
Strengthening public-private partnerships to tackle threats, leveraging CERT-In's existing ties with industry while prioritizing firms at vital Indian ports, especially those at risk of adversarial actions from nations, may be explored. This burden-sharing model, which distributes costs, risks, and duties between government and operators, may mirror successful approaches in critical infrastructure protection and anti-piracy efforts, where clear mutual benefits encourage compliance with regulations and transparent incident reporting.
Investing in cybersecurity upgrades is vital, such as modernizing port facilities and implementing cutting-edge technologies to enhance resilience.
In parallel, introducing or fortifying cybersecurity clauses in shipping agreements is essential, with explicit provisions on duties/responsibilities, data safeguards, and accountability to mitigate obligation. Without addressing these gaps, weak cybersecurity could severely impair MIV 2030's principles, preventing India from attaining its goal of becoming a global maritime leader by 2030.
Authors:
Paramita Banerjee, Associate Partner at MCO LEGALS (Meharia & Company)
Bhavna Sharma, IPR Head at MCO LEGALS (Meharia & Company). Views are personal
