How IMO addresses cyber risk: An overview

The era of digitalization and rapid development of technologies in the maritime sector has called for immediate action, for the protection of the seafarers and the whole industry, which led the International Maritime Organization (IMO) to issue and implement a series of regulations and guidelines on cyber risk management, with, last but not least, the adoption of the Resolution MSC.428(98). This resolution calls companies to report any cyber risk in their ISM Code no later than January 1, 2021. Yet, keeping in mind that cyber risk is a ‘new’ challenge the industry led eyes on, how did the landscape of cyber regulations evolve the past years?

To begin with, in an exclusive interview with SAFETY4SEA, Mrs. Cynthia Hudson, CEO, Hudson Analytix has highlighted that any system which is digitally enabled is vulnerable to cyber-attacks, while these days nearly all systems that are connected are vulnerable, and as the shipping environment is being shaped upon the digital world, companies and all shipping stakeholders seem more vulnerable and exposed.

Cyber risk is a crucial barrier to the shipping industry, with attacks taking place more often than in the past, and shipping companies taking measures to deal with them and be protected, as an attack can cause major disruptions to operations.

Referring to the importance of cyber security nowadays, Mr. Chronis Kapalidis, Cyber Expert, HudsonAnalytix, speaking during the 2019 Hellenic American Maritime Forum stated that

Cyber security has been over the last years the first non-natural threat to the global risk landscape according to the World Economic Forum. This is only going to get worse because of rising cyber dependency. Everything that we do has a cyber element.

Therefore, taking into consideration the impact of cyber-attacks, the cost and time-loss to resolve operations a shipping stakeholder has to deal with, the International Maritime Organization focused on publishing a series of guidelines to help the industry cope with cyber challenges and boost their cyber risk management.

How it all started

It should be highlighted that except the IMO, additional shipping associations and classes have launched guidance and standards to assist the industry dealing with cyber risk.

#1 June 2016 –MSC.1/Circ. 1526

As the shipping industry had to deal with more and more cyber threats and risks, the Maritime Safety Committee approved, during its 96^th session, the “Interim guidelines on maritime cyber risk management”.

These Guidelines set the base for dealing with cyber risks, including recommendations to safeguard shipping from current and emerging cyberthreats and vulnerabilities.

#2 June 2017 –MSC.428(98)

During the 98th session, the Maritime Safety Committee stated that all companies should include in their approved SMS the cyber risk management according with the objectives and functional requirements of the ISM Code.

The Resolution includes further recommendations as well, which can be summarized as following:

• Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
• Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
• Detect: Develop and implement activities necessary to detect a cyber event in a timely manner.
• Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
• Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.

#3 July 2017 – MSC-FAL.1/Circ.3

In the 98th session, the MSC approved the Guidelines on maritime cyber risk management, with the guidelines referring to ship owners to be used as guidelines but remain non-compulsory.

A wind of change after 2020

By 2020 shipping companies will be required to assess their risk exposure and develop measures to include in their Safety Management Systems to mitigate cyber threats.

The timeframe between 2020-2021 will be catalytic, as the IMO decided that no later than the annual verification of each company’s Document of Compliance, the 1^st of January 2021, all shipping companies will be mandated to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code).

These guidelines provide recommendations and include functional elements that support effective cyber risk management. In addition, the recommendations can be included in existing risk management processes and are complementary to the safety and security management practices already established by IMO.

The above decision highlights the importance of reporting cyber risks, as it has been previously stated that under-reporting is a crucial threat to the maritime sector. Specifically, Be Cyber Aware at Sea in its July issue noted that there is a gap between the number of cyber-related incidents that occur in the maritime industry and the lower number that are being reported.

Also, IMO’s decision is a major step towards being ready and having a risk management approach under the possibility of a cyber-attack.

Applauding IMO’s decision, Mr Kapalidis has commented that

… when we talk about cyber security, it is not a matter of if you will be attacked but when. In order to deal with that, you should have a risk management approach on it and this what the IMO is introducing.