The following is text of a news release from BIMCO:
(LONDON) — BIMCO’s Documentary Committee has agreed a new standard Cybersecurity Clause that requires the parties to implement cybersecurity procedures and systems to help reduce the risk of an incident and mitigate the consequences should a security breach occur.
In the wake of recent costly cybersecurity incidents involving large shipping companies, cybersecurity has become a major focus in the maritime industry. BIMCO has taken a lead position on cybersecurity issues through its active role at the International Maritime Organization and by co-authoring the “Industry Guidelines on Cybersecurity Onboard Ships." The development of the BIMCO Cybersecurity Clause has been an important part of this initiative.
The clause has been written by a small drafting team, led by Inga Froysa of Klaveness, with representatives from shipowners, P&I clubs and a law firm, and will be published toward the end of May.
“I am very pleased to see BIMCO as the first mover on this important topic. Recent years have shown that there is a clear need for a clause addressing the contractual issues that can arise from a cybersecurity incident,” said Froysa.
The clause is drafted in broad and generic language which allows for it to be used in a wide range of contracts and in a string of contracts for easy back-to-back application. It is hoped that the clause will assist parties in obtaining affordable insurance for their cybersecurity exposure, as the clause introduces a cap on the liability for breaches.
“It was very important to the subcommittee to impose an obligation on the parties to keep each other informed if a cybersecurity incident should occur, and to share any relevant information, which could assist the other party in mitigating and resolving an incident as quickly as possible,” Froysa said.
This is done through a twofold notification process. Firstly, through an immediate notification from the party who becomes aware of an incident to the other party. Secondly, through a more detailed notification once the affected party has had the chance to investigate the incident.
The clause also requires the parties to always share subsequent information, which could assist the other party in mitigating or preventing any effects from the incident.
The level of required cybersecurity will depend on many elements such as the size of the company, its geographical location and nature of business.
The clause takes this into account by stipulating that the parties must implement “appropriate” cybersecurity. The clause also requires each party to use reasonable endeavors to ensure that any third-party providing services on its behalf in connection with the contract has appropriate cybersecurity.