IMO Resolution incorporates maritime cyber risk management into the ISM Code making it mandatory for the shipping industry

Maritime Cyber Risk Management is incorporated into the ISM Code.

In June 2017, the IMO’s Maritime Safety Committee (MSC) took a significant step forward in combatting the threats posed by cyber risks to the safety and security of personnel ashore and on ships.

In June 2016, the MSC had introduced “high level recommendations for maritime cyber risk management” in the form of interim guidelines. These were designed to provide overarching direction for the shipping industry, and all its stakeholders, in the management of the risks posed by both unintentional and malicious acts against the cyber infrastructure of an organisation.

This year the MSC agreed to adopt a resolution incorporating Maritime Cyber Risk Management into the ISM Code, thereby raising the profile and importance of protecting ships, crews and cargos from the threats of accidental cyber-related incidents and premediated cyber-attacks.

The MSC are encouraging all members to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance (DOC) after 1st January 2021. Consequently, the requirement to ensure that cyber risk management is taken into account in accordance with the objectives and functional requirements of the ISM Code, will be mandatory in just over 3 years.

There was some debate within the MSC, about whether maritime cyber risk management was more appropriately included in the International Ships & Port Facilities (ISPS) code. However, as the ISPS code is a “review of measures and procedures to prevent acts of terrorism which threaten the security of passengers and crew and the safety of ships”, the MSC considered that the ISPS code was too limiting and restricting for this ubiquitous and pervasive threat.

The International Association of Classification Societies (IACS) also announced that they have established a joint cyber risk management working group. The working group has based its goals on the interim guidelines introduced last year, and is also utilising the shipping industry Guidelines on Cyber Security, ISO/IEC 27001 and the US National Institute of Standards and Technology’s Framework for Improving Critical National Infrastructure Security (the NIST Framework).

We also understand that the International Organisation for Standards (ISO) is establishing a working group of specialists to draft a maritime cyber risk management standard that should add to the development of a more robust and broad based maritime cyber risk management strategy.

As many pointed out at the MSC, the adoption of effective cyber risk management can’t come soon enough, especially with the exponential growth in digitization, system integration, automation and network based systems.

This point has been rammed home with the recent large scale, high-profile, global cyber-attacks against large government institutions and large private companies including the Danish conglomerate Maersk.

For too long the management boards of shipping companies have looked upon maritime cyber risk management as a task for the IT department. It is therefore timely to restate and remember a paragraph from the preamble of the ISM Code:

“The cornerstone of good safety management [and now cyber risk management] is commitment from the top.” And “it is the commitment, competence, attitudes and motivation of individuals at all levels that determines the end result.”

All threats can be overcome by informed and effective planning, well-managed implementation and conscientious monitoring. A cyber risk management ethos must be engendered across the industry and a cyber risk-aware culture adopted by all.

The adoption of this new IMO resolution and its flow-on effects signals the beginning of a necessary and inevitable change in the culture of the maritime industry of the future.