BIMCO reports that it has developed a new standard Cyber Security Clause that will require contracting parties to implement cyber security procedures and systems, to help reduce the risk of a cyber incident and mitigate the consequences should a security breach occur.
The clause, for publication at the end of May, has been written by a small drafting team led by Inga Frøysa of Klaveness, with representatives from shipowners, P&I clubs and a law firm also involved, BIMCO says.
“I am very pleased to see BIMCO as the first mover on this important topic. Recent years have shown that there is a clear need for a clause addressing the contractual issues that can arise from a cyber security incident,” said Ms Frøysa.
BIMCO notes that the clause has been drafted in broad, generic language so as to be applicable in a wide range of contracts. The clause also aims to help contracted parties to more easily obtain affordable insurance for their cyber security exposure, as it includes a cap on liability for breaches.
“It was very important to the subcommittee to impose an obligation on the parties to keep each other informed if a cyber security incident should occur, and to share any relevant information which could assist the other party in mitigating and resolving an incident as quickly as possible,” added Ms Frøysa.
Information sharing will involve a two-stage notification process under the contract terms. The party that becomes aware of an incident must notify the other party immediately upon discovery; this should then be followed by a more detailed notification once the affected party has had the chance to investigate the incident.
The clause also requires the parties to proactively share any subsequently discovered information which could assist the other party in mitigating the impact of the incident.
BIMCO notes that the level of cyber security required by the clause will depend on elements such as the size of the company, its geographical location and the nature of its business, with the wording stipulating that the parties must implement “appropriate” cyber security.
The clause also requires each party to make reasonable efforts to ensure that any third party providing services on its behalf, in connection with the contract, has appropriate cyber security.