Cyber-related risks are operational risks that are appropriately assessed and managed in accordance with the safety management requirements of the International Safety Management Code, the United States support in their submission paper to IMO and call for action.
In a paper to the IMO’s Maritime Safety Committee (MSC 98/5/2), the US analyze the direct link that cyber risk management and the ISM Code have, based on the following arguments:
- Section 126.96.36.199 of the ISM Code requires companies to “assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards. Cyber-related risks in shipping have been broadly identified and are commonly understood. As such, they need to be assessed and appropriately mitigated in accordance with the objectives and functional requirements of the ISM Code
- Given the widespread use of cyber systems across the industry, it is reasonable to expect that any present-day ship is vulnerable to cyber risks; therefore, it is reasonable to expect their Safety Management Systems will incorporate appropriate instructions, procedures, training requirements and lines of authority. Evidence of this will be clear upon the review of the Safety Management System. This also satisfies the functional requirements in section 1.4 of the ISM Code.
- The ISM Code encourages companies to take into account any guidelines or standards recommended by the Organization itself, flag Administrations, classification societies or maritime industry organizations. In this regard, companies may find the interim, non-mandatory guidelines contained in MSC.1/Circ.1526 provide useful guidance when assessing risk and implementing risk mitigation measures.
The paper highlights that “the necessary risk assessment and incorporation of mitigation measures into an existing Safety Management System is a significant task that requires both time and resources to complete effectively. Shipowners and operators will need to assemble subject matter experts, identify relevant standards and guidance, conduct necessary assessments, design appropriate mitigation strategies and incorporate the required doctrine into the Safety Management System.’
Therefore, the US propose the management of cyber risks aboard vessels to be accounted for in the same manner as other operational risks, namely through a Safety Management System that meets the requirements of the ISM Code. US also invite the Committee to agree that shipowners and operators will be expected to incorporate cyber risk management into their Safety Management System no later than the first annual verification of the company’s Document of Compliance following the next renewal of the same after 1 January 2018.