IMO Resolution MSC.428 (98) Cyber-Risk Compliance

IMO’s latest requirements for integrating cyber risk into onboard safety management systems came into force on January 1, 2021.

The resolution details the following:

• An approved management system in accordance with requirements of the International Safety Management (ISM) Code.

• Maritime industry stakeholders to implement cyber risk management to ensure they are protecting vessels & people.

Here’s what ship owners need to know.

IMO Resolution MSC.428 (98), states that a ship’s safety management system (SMS) should account for cyber risk management in compliance with the ISM code. For vessel owners, this means integrating cyber risk into their SMS by developing and implementing onboard procedures and mitigation measures – on January 1, 2021.

Who is liable?

Owners/Directors of the commercial entity, those who have responsibility for the vessel can be held personally liable where maritime cyber risk management has not been appropriately addressed.

A failure to demonstrate that cyber risks have been appropriately managed could result in refusal of the issue of a Document of Compliance after 1st January 2021 and may prevent a vessel from operating commercially.

What can happen if NO ACTION IS TAKEN?

• Risk of privacy exposure for the vessel owning entity, crew members and passengers

• Refusal of issue of the Document of Compliance (for vessels of 500GT and over)

• Operational failings; endangering life at sea

• Regulatory action

• The potential for Increased insurance premiums or denial of coverage

• PR Brand & reputational damage

• Court cases – cost, damages and loss of earning

Steps required – How we help

First, ship owners must define the high-level structure of their cyber security policy by developing a complete inventory of at-risk systems. This should include onboard and offshore systems, Operation Technology (OT) and Information Technology (IT) and equipment. This allows owners to gain a comprehensive understanding of all systems, in order to assess their risk criticality. Ships should then undergo a cyber risk analysis that assesses threats and vulnerability, as well as the impact of exploitation of IT and OT systems on cyber security. Experts can then determine relevant risk, evaluate equipment surface of attack and consider mitigation measures that have been or should be applied onboard. Once this is done, owners can develop a set of policies and procedures for cyber risk management that is tailored to their vessel and its equipment. This policy should address onboard cyber safety management rules, define the roles and responsibilities of personnel, include crew training activities and provide crisis management strategies.

THE NIST FRAMEWORK

To help owners achieve compliance, IMO has provided guidelines based on the NIST framework. NIST is the National Institute of Standards and Technology in the USA and in the area of Cyber-Security Compliance have become the global standard.

The framework offers a basic blueprint for developing a cyber risk management program, based around five steps: identifying risk, detecting risk, protecting assets, responding to risk and recovering from attacks. IMO Cyber Compliance

Via our partner CSS Platinum we deliver an IMO Cyber Compliance package to address the requirements of the IMO ISM Code: Cyber Risk Management which has recently come into effect.

CSS Platinum have worked with the Flag Registries to help them design the assessment criteria for the implementation of Maritime Cyber Risk Management programs. Our team of cyber-security professionals have unparalleled experience delivering Cyber Security and Risk Management services to the maritime and superyacht industries.

Cost effective and fast to implement - let's discuss.