Failure to ensure cyber risk management is appropriately addressed in the SMS by the company’s first annual verification of the Document of Compliance after January 1, 2021, may result in detention of a ship in a US port, BIMCO warned.
At the 98th session of its Maritime Safety Committee (MSC), IMO adopted resolution MSC.428(98), encouraging national administrations to ensure that cyber risks are appropriately addressed in the SMS no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. In October, the USCG issued its cyber risk management guidance for Marine Inspectors and PSC Officers.
If objective evidence is found that the ship failed to implement its SMS with respect to cyber risk management, the following actions may be taken by the PSCO, BIMCO’s Ashok Srinivasan advised:
- If cyber risk management has not been incorporated into the ship’s SMS by the company’s first annual verification of the DOC after January 1, 2021, a deficiency may be issued with action code 30 – Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
- When objective evidence indicates that the ship failed to implement its SMS with respect to cyber risk management, a deficiency for both the operational deficiency and an ISM deficiency may be issued with action code 17 – Rectify Prior to Departure, and the vessel may be required to conduct an internal audit, focused on the vessel’s cyber risk management, within 3 months or prior to returning to a U.S. port after sailing foreign.
- When objective evidence indicates there is a serious failure to implement the SMS with respect to cyber risk management that directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety/security, or posed increased risk to the environment), the PSCO may issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 – Ship Detained with the requirement of an external audit within 3 months or prior to returning to a US port after sailing foreign.
What to check
- MSC-FAL.1/Circ.3 contains guidelines that provide high-level recommendations on maritime cyber risk management.
- Industry partners have produced the Guidelines on cyber security onboard ships, which is now in version 3. A new version will soon be out.
- BIMCO has also published the Cyber Security Workbook for On Board Ship Use, a practical workbook on identifying cyber risks and on how to respond in case of a cyber-attack.