BIMCO is one of the leading standardization forces in the world of shipping. Here is an example related to cybersecurity.
How do you write a contract that binds participants to provide an appropriate level of cybersecurity? As the article makes clear, cybersecurity has been an issue in several recent shipping incidents. Cyber attacks are very real, and shipboard systems are great targets: they have low-speed interfaces to the network, there are relatively few kinds of content transmitted, and they operate in international waters where there is no specific enforcement. And cybersecurity can be expensive, though it is low-cost compared to the damage that could result from just one incident.
Standards are needed. BIMCO springs to the task. The drafting team consisted of a law firm, shipowners, P&I clubs, and Klaveness, a maritime investment firm. There’s a two-fold notification process: immediate notification of an incident, and then a detailed notification once the incident has been investigated.
The parties are required to share the information throughout. This last point is important, because cyber events often require joint resolutions for mitigation and future prevention.
The contract element also requires any third parties employed by the participants to have adequate cybersecurity, and makes the primary firms responsible for seeing to it.
Now we will have to see whether the clause catches on in the contracts we see written. There is always a risk with a standard driven from the top down: it may miss the issues the market needs to address.
Research has shown (albeit in other contexts, such as health care) that a standard initiated from the top down often does not achieve the penetration that a flexibly evolving standard does. However, someone has to start the ball rolling, and here we have a credible effort.
Let’s now see more innovation in this area of contracting, and let’s see the results in the open, so the best combination of terms emerges and gets global acceptance.