
By Rory Macfarlane, Partner, Ince & Co Hong Kong



“Nothing is certain but death, taxes and cyber-attack”


Had Benjamin Franklin been alive today he would probably have added ‘cyber-attack’ to his list of life’s certainties. It is no longer a question of ‘if’ your business will face a cyber-attack, but a question of ‘when’. With 60 percent of companies that suffer a successful cyber-breach going out of business within six months[1], this issue is no longer one that a prudent board can ignore.
Cyber-attack now sits at the top of most tables depicting business risk[2]. As with any form of crime, the perpetrators are looking for the easy victim; the low-hanging fruit. Ensuring that your business is better protected than your competitors is a significant step in the right direction.

Recent attacks
It seems likely that when we reflect on 2017 in years to come it will be viewed as the year in which cyber-attacks, and the complementary issue of cybersecurity, reached the wider public consciousness for the first time. This is particularly true in the shipping, transport and logistics industries where the impact has been acute. But the lessons to be learned, and the warnings such incidents give, apply to all businesses across every market or sector.
Consider the recent ‘not-Petya’ cryptoware or ‘data wiper’ attack. It drew headlines around the world, notably within the global transportation sector, for temporarily shutting down parts of the leading Danish shipping company Maersk Line. That the attack did not impact Maersk’s ability to physically load and transport containers, but instead targeted data-driven processes such as obtaining customs and port clearance, did not prevent it causing considerable operational difficulties for Maersk. This in turn led to significant disruption at key ports around the world.
That high-profile attack, coming so soon after the ‘WannaCry’ ransomware incident earlier this year, provided yet another reminder of just how damaging cyber-attacks can be. No organisation or business sector is immune. One-third of the UK’s National Health Service was affected by WannaCry, and the victims of not-Petya ranged from the radiation monitoring system at Chernobyl, to a European pharmaceutical company and a global advertising agency.

The attack threat — popular perception vs reality.
Every company will have its own vision of what a catastrophic cyberattack could look like for it. However, the popular imagination tends to lean towards Hollywood-inspired images, perhaps of an oil rig or a ship being remotely ‘taken over’ by nefarious forces, to devastating effect. However, the reality for most organisations is very different.
That is not to say that a vessel, a vehicle, an industrial facility or any equipment that has internet connectivity and digital operating systems couldn’t be ‘hijacked’ remotely; they have been. Future cyber-attacks certainly do have the potential to be deleterious to the physical assets of an organisation, to the safety of the people working on, or in, them and to the wider environment. Each sector must address the unique challenges that its physical infrastructure poses. For the shipping industry, there is rightly a lot of attention right now on the vulnerabilities that arise from increasing levels of on-board digitalisation, automation and ship-to-shore connectivity.
But neither the shipping industry, nor any other business sector, should be lulled into the complacency of believing that it is only physical assets that are attractive to cyber-criminals or cyber-terrorists. Your data, and your money are the primary targets. Most cyber-attacks will focus on the operations that are not outwardly visible, but that can be no less damaging, commercially, financially and reputationally. These attacks can take many different forms and are more likely to be indiscriminate than targeted.

Cost of a successful breach
In an increasingly digitised world, cyber-breaches can have far-reaching consequences and costs. Individual losses from a single event can be huge. Last year’s now infamous hack of the Bank of Bangladesh systems resulted in a US$81 million loss from a single event[3]. One estimate suggests that the annual global cost of cybercrime is forecast to rise to US$2.1 trillion by 2019[4].
Despite these risks, many companies still remain unaware of, and unprepared for, the consequences of a cyber-breach of their operations. Both not-Petya and WannaCry provide examples of how damaging and costly an attack can be. Indeed, Maersk has recently said that it is “too early” to fully ascertain what its losses might be from the not-Petya attack[5]. Second- and third-quarter financials will reveal the true cost of what was — at its origination — a relatively small cybersecurity breach.
According to a Bloomberg report, the attackers behind the WannaCry ransomware and the not-Petya data wipe earned just US$160,000 in bitcoin[6]. However, to quantify the impact of ransomware and phishing attacks solely in terms of ransoms paid or monies misappropriated is a mistake. The losses in terms of business interruption, rectification and market reputation can run to many millions of dollars. When the additional costs from lost sales and remedial action are factored in, it is estimated that the WannaCry and not-Petya cyber-attacks will have resulted in hundreds of millions of dollars of revenue foregone by the affected businesses[7].
The impact on individual affected companies is similarly staggering. A large European skincare product manufacturer claims to have lost over US$41 million in sales in the first half of 2017, which does not include the cost of held inventory and halted production in its 17 plants. The company’s HQ in Hamburg, as well as computers from over 160 offices around the world, were infected. Similarly, 2,000 servers and 15,000 laptops were attacked at a UK-based consumer goods company, resulting in lost sales of US$118 million, with manufacturing capacity severely affected.

Has the boardroom been too slow to react?
The best form of defence is a proactive approach to minimising cyber-risk. It is increasingly becoming clear that security protocols and a cyber-response plan are not optional ‘nice to have’ extras, but something that should be considered and addressed at the very highest level within every organisation. That in many cases this is still not happening is confounding.
One reason might be traced back to the unfounded hype surrounding the last big IT scare, namely the Millennium Bug or Y2K panic. This was the feared computer bug relating to the formatting and storage of calendar data. It arose because 20th century computer software only recorded dates in four digits, with the last two representing the year. The fear was that on the turn of the millennium computers would not be able to differentiate between the year 2000 and 1900. The media was awash with predictions of planes falling from the skies, life savings disappearing and millions being wiped off the stock markets. None of this ever happened. It was the bug that did not bite. The tens of thousands of dollars that companies spent on contingency plans and safety nets were wasted. However, its legacy may be that many executives view cyber-crime risk in a similar light and are accordingly hesitant to invest in protection. That would be a mistake. While the Millennium Bug may have been a fiction, cyber-crime is not. Directors who ignore the need for appropriate cybersecurity systems are not just exposing their businesses to risk, but could themselves face personal sanction for breach of the fiduciary duty they owe to their companies.

Protecting your business
For those working within cybersecurity, these recent high-profile attacks came as little surprise. But might they be the tip of the iceberg? There have been over 70 different ransomware attacks in the four months since WannaCry, although these have been largely ignored by the mainstream media. Some estimates already place the global number of victims of cyber-crime as high as 300 million per year[8], but the reputational damage for companies could have an even bigger, hidden cost. A pristine track record for service, reliability and regulatory compliance could be irreparably damaged in the event of a severe, public breach.
While the costs of this type of damage are hard to quantify, they add yet another reason to an already lengthy list of good reasons to invest in appropriate cybersecurity systems and employee protocols. The importance of this latter step, employee protocols, cannot be emphasised enough. To some it may seem counter-intuitive to focus on staff when implementing defences to cyber-attack; but it isn’t. In more than half of the successful cyber-attacks the source of the breach can be traced back to an ‘insider’ — someone who works for the company. Sometimes it is a disgruntled ex-employee with an axe to grind. But more often it is the innocent, unintentional act of a loyal employee unfamiliar with the technological or social-engineering tricks employed by cyber-criminals.
With regulators generally currently encouraging self-initiative on the part of companies rather than imposing punitive fines for non-compliance, the onus is on each business to develop its own contingency plans. What constitutes an appropriate plan will vary from business to business, depending on how it uses and stores its data. Every organisation also needs to be alert to the regulations governing data protection and cybersecurity in their jurisdiction.
Improving your cyber protection need not be costly. Significant improvements can be made for a modest investment. Moreover, in some jurisdictions, for example Hong Kong[9], funding is available to assist companies in meeting the cost of improving their protection.
Steps should be taken to ascertain if existing insurance coverage extends to cyber breach losses. Although insurance provides a financial safety-net, it is no substitute for good cybersecurity practice. Whilst the added assurance of assistance in the event of a breach is a comforting element of any contingency plan, responding to a cyber breach can be costly. Most organisations do not have the funds immediately available to mount an effective response to a cyber-breach, even if they do have an appropriate response plan in place. There are insurance products available in the market which provide access to funds for this very purpose.
Ince & Co is working with the leading cybersecurity team at Navigant to help companies address their businesses’ cybersecurity needs through a cyber health-check. This product can be tailored to meet specific needs. It usually covers a technical review of the IT systems, an evaluation of relevant protocols, contracts and policies, a summary of applicable regulatory obligations and an analysis of insurance cover. The health-check is intended primarily to be used to minimise the chances of a breach occurring. However, it also has a role to play as part of the response to a successful attack in order to plug holes, revise protocols, ensure a system is not still compromised and provide a list of ‘lessons learned’ to the board for future strategic planning. With it now being commonplace for cyber-criminals to remain in a system for up to six months after an initial breach before striking, it may be that your business is already more at risk than you realise.

Prevention is always better than cure. A proactive, top-down culture of cybersecurity is absolutely essential if your business is serious about mitigating the threat of cyber-crime. But the lead must come from the board; it cannot be left to the IT team. To be effective it is something that must be embedded into the culture of a business. Whilst applying software patches is crucial, it is not enough on its own. As global businesses across every sector of our economy embrace the benefits of the cyber-age and digitalisation in all its forms, it is only prudent to ensure that we also manage the risks.

