CYBER ATTACKS IN MARITIME TRANSPORTATION AND LEGAL LIABILITY
CYBER ATTACKS IN MARITIME TRANSPORTATION AND LEGAL LIABILITY
I. Introduction
In maritime trade, digital systems are no longer merely auxiliary tools used in administrative processes. Today, ship dispatching, monitoring of engine systems, cargo temperature monitoring, port entry procedures, container tracking, freight payments, and the preparation of transport documents are largely carried out through information systems.
On ships, electronic chart display and information systems, global positioning systems, radar, automatic identification systems, engine and steering control systems, ballast management, cargo pumps, and communication infrastructure can work together in an interconnected manner. In ports, terminal operating systems, crane automation, entry and exit records, customs systems, and maritime single window applications are based on digital infrastructure.
This transformation has added a new type of risk to classic maritime hazards. In addition to physical events such as storms, collisions, fires, or groundings, malware, ransomware, phishing, unauthorized access to systems, data manipulation, and satellite spoofing also threaten the safety of ships and the continuity of maritime trade.
The International Maritime Organization's updated guidance, dated May 28, 2026, defines maritime cyber risk as the potential for operational, safety, or security failure in maritime activities due to the disruption, loss, or hijacking of information or systems as a result of threats to computer-based systems. The guidance calls for a joint assessment of information technology systems on ships and operational technology systems that control physical processes.
II. Types of Cyber Attacks in Maritime Communication
Cyberattacks in the maritime sector can manifest in different ways depending on the targeted system and its consequences. An attack might target the ship's control network, or it might directly target the navigation, engine, or cargo control systems.
Ransomware attacks encrypt the IT systems of a shipping company or port, rendering them inaccessible, and demand payment to restore access. These attacks can disrupt booking, cargo tracking, customs declaration, invoicing, and port operations.
In "spoofing" attacks targeting satellite positioning systems, the ship receives inaccurate location information. In interference known as "jamming," the reception of satellite signals is prevented. This can cause the ship to follow an incorrect course, enter dangerous waters, or risk a collision with another vessel.
Altering automatic identification system data can create inaccurate information about a ship's name, location, course, or cargo. Manipulating electronic charts can cause navigational hazards to be omitted from the chart or to be displayed as hazards that do not actually exist.
Attacks on operational technology systems can have more serious physical consequences. Remotely affecting the main engine, rudder, ballast systems, fuel transfer, cargo pumps, or cooling devices can cause the ship to lose its propulsion capability, spoil the cargo, or cause environmental pollution.
Cyberattacks don't necessarily have to be carried out externally. Abuse of authority by personnel, weak password practices, connecting personal devices to the ship's network, opening fake emails, and unauthorized software updates can also lead to security breaches.
III. International Regulations and the IMO Approach
One of the fundamental international pillars of cybersecurity in maritime transport is the IMO's Guidance on Cyber Risk Management in Maritime Transport. The fourth revision of the Guidance, dated 2026, envisages the joint management of risks arising from digitalization, automation, third-party suppliers, embedded systems, and software-hardware supply chains. It states that cyber resilience should be ensured not only during the operational phase but also throughout the design, manufacture, integration, use, and maintenance of ship systems.
In the IMO approach, cyber risk management is based on establishing a governance structure, identifying and protecting critical systems, detecting attacks, responding to incidents, and recovering systems. It is recommended that senior management assume responsibility, designate an authorized person, create a digital asset inventory, identify connections between critical systems, and prepare business continuity plans.
IMO Maritime Safety Committee Resolution MSC.428(98) mandates the inclusion of cyber risks in the safety management systems of shipping companies under the International Code of Safety Management. Administrations are required to ensure that cyber risks are addressed in the safety management systems of companies during the first annual verification of their conformity certificates after 1 January 2021.
Technical standards have also been developed by classification societies regarding the cyber resilience of new ships. The International Association of Classification Societies' UR E26 and UR E27 regulations address the overall cyber resilience of the ship and the security of the systems and equipment used on board. The revised rules apply to new ships within the scope of the scope, with construction contracts signed on or after July 1, 2024.
Even if these regulations do not directly create private law liability in every case, they are important in determining the scope of the duty of care. A shipping company's complete failure to implement widely accepted cybersecurity standards could result in unfavorable outcomes for the company in terms of foreseeability of damages and fault assessment.
IV. Cybersecurity and Seaworthiness of the Ship
According to Article 932 of the Turkish Commercial Code, seaworthiness is defined as the ship's ability to withstand the usual dangers of the voyage in terms of its essential parts such as the hull, general equipment, and machinery. The ship's organization, loading condition, fuel, provisions, and the adequacy of the crew are also considered within the scope of roadworthiness. The suitability of the compartments allocated for the carriage and protection of goods is also a condition for cargo suitability.
According to Article 1141 of the Turkish Commercial Code, the carrier is obligated to maintain the vessel in a condition seaworthy, navigable, and cargo-worthy in all types of freight contracts. The carrier is liable for damages to cargo resulting from unseaworthiness, except for deficiencies that could not be discovered before the commencement of the voyage despite the carrier's exercise of the care and diligence expected of a prudent carrier.
The law does not explicitly define cybersecurity as a separate concept. However, if a ship's navigation, engine control, or cargo security depends on digital systems, a serious cybersecurity vulnerability can affect the ship's seaworthiness, voyage, or cargo suitability. Outdated electronic charts, software with known vulnerabilities, lack of network separation, absence of a backup control system, or lack of training for personnel to use the systems can be considered in the assessment of unsuitability.
Not every software vulnerability automatically renders a ship unsuitable. The deficiency must be significant enough to affect the ship's ability to safely complete a particular voyage. Factors in this assessment include the ship's type, cargo, cruising area, the level of system connectivity, and the availability of manual operation options.
V. Responsibility of the Shipowner and Operator
The shipowner is the primary actor responsible for the commercial and technical operation of the vessel. According to Article 1062 of the Turkish Commercial Code, the shipowner is liable for damages caused to third parties as a result of the faults of the crew and pilots while performing their duties. Special provisions regarding the carrier's liability for damages arising from the faults of the crew apply to passengers and persons involved with the cargo.
The shipowner may be held liable if a cyberattack occurs as a result of a seafarer opening a forged email, connecting an unauthorized USB device to the system, or violating security procedures. However, the incident cannot be considered solely the fault of a single employee. It must also be investigated whether the shipowner has established the necessary organizational structure regarding training, supervision, access authorization, password policy, and system security.
The supplier may try to absolve themselves of responsibility by claiming the attack was highly sophisticated and unavoidable. However, if they failed to address known vulnerabilities, perform system updates, establish proper backups, or prepare an incident response plan, the fact that the attack was carried out by a third party does not negate their fault.
If a cyberattack results in a collision between two vessels, damage to port facilities, or an oil spill, the shipowner may be liable to third parties. Multiple grounds for liability may exist if the damage is caused by both the attacker's actions and the company's security deficiencies.
VI. Carrier's Liability for Damage to Cargo
According to Article 1178 of the Turkish Commercial Code, the carrier is obliged to exercise the diligence expected of a prudent carrier in loading, stowage, transportation, protection, supervision, and unloading of the goods. The carrier is generally liable if the loss, damage, or delayed delivery of the goods occurs during the carrier's period of control.
Cyberattacks can cause cooling systems to malfunction, leading to spoilage of food or medicine. Loss of control of cargo pumps can damage liquid cargo, and failure of container tracking systems can result in cargo being unloaded at the wrong port. Delivery delays caused by the collapse of port and carrier systems can also raise carrier liability.
To be absolved of liability, the carrier must prove that the damage did not result from their own intent or negligence, or that of their agents. Article 1179 of the Turkish Commercial Code places the burden of proof on the carrier.
If the damage arises from an action related to the navigation or technical management of the ship, the carrier may be held liable only for its own fault under Article 1180 of the Turkish Commercial Code. However, failure to establish a cybersecurity policy, inadequate technical infrastructure, or failure to address known system vulnerabilities may be considered direct faults related to the carrier's organizational area. Furthermore, measures that must be taken to protect the cargo are not considered within the exception of technical management.
VII. Responsibilities of Captains and Crew Members
The captain's responsibility for technically navigating and managing the ship, ensuring navigational safety, and taking necessary precautions in emergency situations continues in cyber incidents. If there are indications that electronic systems are providing inaccurate information, the captain should not blindly rely on this data; alternative methods such as radar, visual navigation, paper charts, or independent positioning sources may be necessary.
It is crucial for personnel to detect cyberattacks in a timely manner and implement established procedures. This includes disconnecting the infected system from the network, switching to manual control, informing coastal management and relevant authorities, preserving records, and ensuring that evidence is not deleted.
However, in complex cyberattacks, it is not accurate to place all responsibility solely on the captain or crew. Organizational shortcomings of the company—such as failing to provide adequate training, modernize outdated systems, and support personnel with appropriate procedures—should be considered first.
VIII. Responsibility of Port and Terminal Operators
Ports are hubs where numerous ships, cargo owners, customs authorities, transportation companies, and service providers connect through the same digital infrastructure. Attacks on port automation can lead to disruptions in ship docking queues, lost containers, delivery to the wrong person, crane shutdowns, or alteration of hazardous materials information.
The port operator's liability may be determined within the framework of operating agreements, terminal service terms, the Turkish Code of Obligations, and tort provisions according to the specific circumstances of the case. The systems provided by the operator must have a reasonable level of security, access rights must be restricted, records must be kept, and backup operational capabilities must be prepared.
In the event of a security vulnerability in the port system leading to malware infection on a ship or an attack originating from the ship spreading to the port network, mutual fault may arise between the parties. Therefore, it is important that responsibilities at the ship-port interface are clearly defined in contracts.
IX. Responsibility of Software and System Providers
In maritime applications, software, hardware, and remote maintenance services are often provided by third parties. If the system provider fails to meet the security standards committed to in the contract or fails to address a known vulnerability in a timely manner, resulting in damage, they may be held liable for breach of contract.
Manufacturers and suppliers are liable if defective software disrupts the ship's maneuvering system or causes load control devices to produce incorrect data. However, the manufacturer's liability and the shipowner's maintenance and update responsibilities should be separated. The operator who failed to perform updates despite the manufacturer's warning may have contributed to the damage.
The IMO's current guidance also requires an assessment of cyber risks arising from third-party vendors, embedded systems, maintenance equipment, and software and hardware supply chains.
X. Cybersecurity Law and the New Regime in Turkish Law
The Cyber Security Law No. 7545 entered into force on March 19, 2025. The law has a broad scope of application, covering public institutions, individuals, legal entities, and unincorporated organizations that operate, conduct activities, or provide services in cyberspace. Cyber security is defined as the sum of activities aimed at protecting systems from attacks, ensuring the confidentiality, integrity, and accessibility of data, detecting incidents, and restoring systems to their pre-incident state.
The law grants the Cybersecurity Directorate broad duties and powers regarding the identification of critical infrastructure, asset inventory and risk analysis, the establishment of cyber incident response teams, testing and certification processes, and audit and enforcement mechanisms. If port, transportation, and logistics infrastructures are classified as critical infrastructure, more detailed obligations may arise for the relevant businesses.
The law prescribes criminal and administrative sanctions for acts such as conducting cyberattacks, disseminating data obtained through such attacks, violating certain obligations, and failing to provide necessary information or systems to supervisory authorities.
XI. Protection of Personal Data
Ship and port systems can process a large amount of personal data relating to crew, passengers, cargo owners, agent employees, and visitors. Passport information, health records, contact information, camera footage, location records, and personnel documents can be compromised as a result of cyberattacks.
According to Article 12 of Law No. 6698, data controllers are obliged to prevent the unlawful processing and access of personal data, to ensure the preservation of data, and to take the necessary technical and administrative measures for an appropriate level of security. If data is obtained through unlawful means, the breach must be reported to the data subjects and the Personal Data Protection Board as soon as possible. If the data processing activity is entrusted to a service provider, the data controller and the data processor may share joint responsibility for security measures.
Therefore, a shipping company needs to establish an integrated cybersecurity system that covers not only the security of its ships but also the security of the personal data it processes.
XII. Sharing Cyber Risks in Contracts
Charter agreements, ship management contracts, terminal contracts, and software service contracts must clearly define liability arising from cyber incidents. These agreements should specify which security standards each party must adhere to, the timeframe for reporting incidents, which party is responsible for updating systems, the liability of subcontractors, and the limitation of damages.
The BIMCO Cybersecurity Clause 2019 is a standard provision designed to regulate cybersecurity measures, breach notification, mitigation of damages, and distribution of liability between parties in maritime contracts.
However, simply including the standard clause in the contract may not be sufficient for every project. Special arrangements must be made taking into account the technical specifications of the vessel, the sensitivity of the cargo carried, the port systems used, and third-party connections.
XIII. Cyber Risks in Marine Insurance
A cyber attack may result in physical damage to the vessel, cargo damage, business interruption, third-party liability, or data breach. Whether these damages are covered under a hull and machinery, cargo, protection and indemnification, liability, or specialized cyber insurance policy will be determined according to the policy text.
Traditional marine insurance policies may contain clauses excluding cyberattacks or only covering specific physical consequences. Therefore, the insured should examine whether the policy explicitly covers cyberattacks, excludes war or state-sponsored attacks, consider ransom payments, business interruption damages, and data recovery costs. This issue, known in the insurance industry as "silent cyber risk," arises from coverage discrepancies due to the policy not explicitly including or excluding cyber risk.
According to Article 1473 of the Turkish Commercial Code, in liability insurance, the insurer covers the insured's liability to the injured party arising from an event covered by the policy, up to the limit specified in the contract.
XIV. Problems of Proof and Causality
One of the most difficult issues in cyberattack disputes is determining how the attack occurred and what vulnerability caused the damage. The attacker may conceal their identity, use systems in different countries, or delete records after the attack.
Therefore, electronic records, server logs, access information, software update dates, user activity, ship data recorder data, electronic chart records, radar images, and personnel correspondence must be preserved. Uncontrolled system reinstallation or overwriting of records immediately after an incident could lead to the loss of crucial evidence.
The court will assess, through expert examination, whether the attack was a purely external and unavoidable event, or one facilitated by the company's security deficiencies. If multiple parties are at fault, the damages may be apportioned among the attacker, shipowner, carrier, port operator, and service provider according to their respective degrees of fault and causality.
XV. Conclusion
In maritime affairs, cybersecurity has evolved from being merely an IT issue for technical experts to a matter of maritime law directly affecting seaworthiness, carrier's duty of care, shipowner's liability, port security, personal data protection, and insurance relationships.
The fact that a cyberattack is carried out by a third party does not automatically absolve the owner or carrier of responsibility. It should be investigated whether the business has taken known threats into account, created a system inventory, kept its software up-to-date, isolated its networks, trained its personnel, and has an effective incident response plan.
Cyber vulnerabilities that significantly affect a ship's navigation, machinery, or cargo systems may render the ship unseaworthy, unfit for voyage, or unfit for cargo, depending on the specific circumstances. If the cargo is lost, damaged, or delayed as a result of a cyber attack, the carrier's liability under the Turkish Commercial Code arises. Furthermore, if the ship causes damage to another ship or port facility, the shipowner may be liable to third parties.
Effective management of cyber risks requires the combined application of technical and legal measures. Including cyber risk assessment in safety management systems, identifying critical systems, conducting regular testing and updates, maintaining manual backups, providing personnel training, developing incident response plans, and including clear liability clauses in contracts are of fundamental importance.
In conclusion, cybersecurity is not a secondary IT expense for maritime businesses; it is a mandatory duty of care required for the safe operation of the vessel and the proper fulfillment of its transportation obligations. As reliance on digital systems increases, cyberresilience will become an integral part of the classic understanding of seaworthiness.