At the 98th session of its Maritime Safety Committee (MSC), IMO adopted resolution MSC.428(98), encouraging national administrations to ensure that cyber risks are appropriately addressed in safety management systems (SMS) no later than the first annual verification of the company's Document of Compliance after 1 January 2021. In October, the USCG issued its cyber risk management guidance for Marine Inspectors and PSC Officers.

If objective evidence is found that the ship failed to implement its SMS with respect to cyber risk management, the following actions may be taken by the PSCO, BIMCO's Ashok Srinivasan advised:

  1. If cyber risk management has not been incorporated into the ship's SMS by the company's first annual verification of the DOC after January 1, 2021, a deficiency may be issued with action code 30 - Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
  2. When objective evidence indicates that the ship failed to implement its SMS with respect to cyber risk management, a deficiency for both the operational deficiency and an ISM deficiency may be issued with action code 17 - Rectify Prior to Departure, and the vessel may be required to conduct an internal audit, focused on the vessel's cyber risk management, within 3 months or prior to returning to a U.S. port after sailing foreign.
  3. When objective evidence indicates there is a serious failure to implement the SMS with respect to cyber risk management that directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety/security, or posed increased risk to the environment), the PSCO may issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 - Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.

What to check