The maritime industry has been rocked by a string of cyber-attacks in recent weeks. Two of the most severe incidents involved the United Nation’s shipping agency, the International Maritime Organization (“IMO”), and the French shipping company CMA GCM S.A. (“CMA GCM”). These attacks remind the shipping industry about the dangers of such attacks and the importance of cybersecurity compliance. From a trade and customs perspective, such incidents trigger post incident analysis and other measures as part of the U.S. Customs & Border Protection’s (“CBP”) Customs Trade Partnership Against Terrorism Minimum Security Criteria. We will discuss two of the most severe cyber-attack incidents in recent weeks below and then discuss the trade and customs implications of such attacks.
The International Maritime Organization Target of ‘Sophisticated’ Attacks
Beginning on September 30, 2020, the UN shipping agency, the IMO, was the target of a cyber-attack which forced the agency to shut down its website and public web-based services. In an October 1 statement, the IMO stated: “A number of IMO’s web-based services are currently unavailable, including IMO’s public website… The interruption of service was caused by a sophisticated cyber-attack against the Organization’s IT systems that overcame robust security measures in place. IMO IT technicians shut down key systems to prevent further damage from the attack. The IMO is working with UN IT and security experts to restore systems as soon as possible, identify the source of the attack, and further enhance security systems to prevent recurrence.” Fortunately, the IMO website and public services are now back up and running.
CMA CGM’s Operations Disrupted by Cyber Attacks
The French shipping company CMA CGM saw two of its subsidiaries hit with a ransomware attack that caused significant disruptions to IT networks. The Marseille-based shipping giant is the world’s fourth-largest container liner by capacity, operating over 200 shipping routes between over 420 ports in over 150 countries. The attack on CMA CGM’s two subsidiaries, Mercosul and Containerships, interrupted all of CMA CGM’s internal access to its network and computer application because the company sought to isolate the malware and take protective measures. In its latest press release, the company said that its worldwide agency network is gradually being reconnected.
Trade & Customs Implications of Cyber Attacks
Cyber-attacks on the global shipping industry have obvious trade and customs implications. CBP’s Customs Trade Partnership Against Terrorism (“CTPAT”) is a multi-layered, public/private partnership, which seeks to strengthen international supply chains and improve U.S. border security. The program seeks to closely cooperate with the principle stakeholders of the international supply chain such as importers, carriers, consolidators, licensed customs brokers, and manufacturers in order to be effective.
CTPAT member companies, or partners, agree to implement certain security procedures throughout their supply chains. To become a partner, the applicant needs to identify vulnerabilities in its supply chain and implement security procedures to safeguard their supply chains from terrorism and other illegal activities that threaten the security of the United States. As a result, the program helps CBP achieve its dual mission of securing the nation’s borders while facilitating legitimate trade and travel. In the course of applying, being certified, and thereafter validated, CTPAT applicants/partners are required to submit, via the CTPAT secured portal, business confidential information and sensitive details on how their company adheres to minimum security requirements to join the program.
A key requirement of the CTPAT program is meeting the Minimum Security Criteria (“MSC”). The criteria were updated for the first time in 2019 since their inception in 2001. The new MSC structure includes cybersecurity as a key focus area, alongside ‘security vision and responsibility’ and ‘agricultural security.’
CTPAT members enjoy benefits such as a reduced number of CBP examinations, shorter wait times at the border, front of the line inspections, and assignment of a supply chain security specialist to the company. However, CTPAT members can only enjoy these benefits if they continue to meet and maintain the MSC, including cybersecurity obligations. The recent spike in cyber-attacks in the shipping industry underscore the importance of keeping your supply chain’s cybersecurity in tip-top shape and continuing to meet CTPAT MSC requirements.
Cybersecurity & Sanctions
Cybersecurity risks present sanction concerns, as well. In an October 1 advisory released by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), the office warned the public that “demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business.” The advisory went on to describe how facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. Furthermore, facilitating ransomware payments on behalf of a victim may violate OFAC regulations. This is because U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).
If it Looks Like Spam, It Probably Is
One of the most effective ways to avoid cyberattacks is to screen emails diligently before you open them. Phishing refers to scams in which scammers use email or text messages to trick you into giving them your personal information. If emails look suspicious, then it’s probably best not to open those messages. The Federal Trade Commission offers top tips to recognize and protect yourself from phishing and other attempted cyberattacks.
Cybersecurity threats present numerous trade, customs, and sanctions concerns. If you are a CTPAT partner organization, it’s more important now than ever to meet the updated Minimum Security Criteria. To learn more about CTPAT, check out our Bloomberg Law article on CTPAT Validation and Minimum Security Criteria. If you have any questions or require assistance, please reach out to us at firstname.lastname@example.org.