The ISM Code, supported by the IMO Resolution MSC.428(98), requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system. This resolution calls companies to report any cyber risk in their ISM Code no later than January 1, 2021.
Cyber security issues against maritime companies have made headlines in the last years, with an attack against French giant CMA CGM being the latest, in September.
Given the recent cyber-attacks in the maritime sector, the RMI Maritime Administrator recommends that yachts which maintain a mini-ISM under the RMI Yacht Code (MI-103) also address cyber risks.
The IMO guidelines set out the following principles in support of an effective cyber risk management strategy:
- Identify: Define the roles responsible for cyber risk management and identify the systems, assets, data and capabilities that, if disrupted, pose risks to ship operations.
- Protect: Implement risk control processes and measures, together with contingency planning to protect against a cyber incident and to ensure continuity of shipping operations.
- Detect: Develop and implement processes and defenses necessary to detect a cyber incident in a timely manner.
- Respond: Develop and implement activities and plans to provide resilience and to restore the systems necessary for shipping operations or services which have been halted due to a cyber incident.
- Recover: Identify how to back-up and restore the cyber systems necessary for shipping operations which have been affected by a cyber incident.
Guidance on how to include cyber risks in the SMS is available in RMI Marine Guideline 2-11-16, Maritime Cyber Risk Management and in The Guidelines on Cyber Security Onboard Ships, Annex 2.