{mprestriction ids="1,2"} As a result of recent costly cybersecurity incidents involving large shipping companies, cybersecurity has become a major focus in the maritime industry. The development of the BIMCO Cyber Security Clause has been an important part of BIMCO’s efforts to reduce the threat of cyber attack.
The clause has been written by a small drafting team, led by Inga Frøysa of Klaveness, with representatives from shipowners, P&I clubs and a law firm, and will be published towards the end of May.
“I am very pleased to see BIMCO as the first mover on this important topic. Recent years have shown that there is a clear need for a clause addressing the contractual issues that can arise from a cybersecurity incident,” said Inga Frøysa.
The clause is drafted in broad and generic language, allowing for it to be used in a wide range of contracts and in a string of contracts for easy back-to-back application. It is hoped that the clause will assist parties in obtaining affordable insurance for their cyber security exposure, as the clause introduces a cap on the liability for breaches.
“It was very important to the subcommittee to impose an obligation on the parties to keep each other informed if a cyber security incident should occur, and to share any relevant information, which could assist the other party in mitigating and resolving an incident as quickly as possible,” Frøysa said.
This is done through a two-fold notification process. Firstly, through an immediate notification from the party who becomes aware of an incident to the other party. Secondly, through a more detailed notification once the affected party has had the chance to investigate the incident.
The clause also requires the parties to always share subsequent information, which could assist the other party in mitigating or preventing any effects from the incident.
The level of required cybersecurity will depend on many elements such as the size of the company, its geographical location and nature of business.
The clause takes this into account by stipulating that the parties must implement “appropriate” cybersecurity. The clause also requires each party to use reasonable endeavours to ensure that any third-party providing services on its behalf in connection with the contract, has appropriate cybersecurity.{/mprestriction}