IMO Resolution MSC.428(98) highlights the need to raise awareness of cyber risks and vulnerabilities in the maritime industry. It states that cyber risks shall be addressed in company safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. This implies that companies must address cyber risks in the same way as any other risk on board (paragraph 1.2.2 of the ISM Code).

Companies need to assess the risks arising from the use of IT and OT on board ships and establish appropriate safeguards against cyber incidents. Company plans and procedures for cyber risk management should be incorporated into existing company safety management systems.

From 2021, company plans and procedures for cyber risk management will be subject to supervision by the Norwegian Maritime Authority in connection with ISM audits of the company office and on board ships.

The IMO has published guidelines on maritime cyber risk management. The guidelines provide recommendations that may be incorporated in the existing company safety management systems. In these guidelines, reference is made to industry guidelines that shipping companies are advised to follow.

MSC-FAL.1-Circ.3 - Guidelines On Maritime Cyber Risk Management (Secretariat).pdf