Digital Threat Digest Insights Careers Let's talk

IMO’s 2021 Cyber Security Regulations are dead ahead


Malicious cyber activity targeting or affecting the maritime sector has soared in 2020 and, with the end of the year fast approaching, so too is the impending deadline for compliance with the International Maritime Organisation’s (IMO) cyber security regulations. Marine and offshore organisations are now required to implement the necessary cyber security measures set out by the IMO in time for their next annual International Safety Management (ISM) Document of Compliance (DOC) verification, after 1st January 2021.

What are the IMO Cyber Security Regulations?

In 2017, due to the risks inherent in the rapidly increasing adoption of digitalisation across the maritime sector, the IMO issued MSC-FAL.1/Circ.3 ‘Guidelines on Maritime Cyber Risk Management. These guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The guidelines also include functional elements that support effective cyber risk management which can be incorporated into existing risk management processes to complement the safety and security management practices already established by IMO.

These guidelines were then adopted by the Maritime Safety Committee through Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems. This resolution encourages administrations to ensure that cyber risks are appropriately addressed within existing safety management systems (as defined in the ISM Code) in time for the first verification of the company’s DOC, after 1 January 2021.

What does this mean for my organisation?

Organisations will need to demonstrate that they have taken proactive steps towards identifying and addressing the cyber security risks to their operational systems. The IMO guidelines support a top-down risk-based approach to the management of risk where senior executives and management should support a cyber aware culture throughout all levels of an organisation.

A key focus of this will be to ensure that organisations have prepared a risk register or risk management plan that takes cyber security risks into consideration and, importantly, documents how your organisation plans to treat and manage these risks so that you can validate your actions ahead of your next DOC Audit in 2021.

While the maritime industry presents its own unique risk management challenges, there are certainly some important aspects and considerations that can be learnt from other key sectors and risk management frameworks, including parts of the National Institute of Standards and Technology (NIST) and ISO/IEC 27001 – the international standard that sets out the specification for an information security management system (ISMS).

Where can I get more assistance?

As the deadline looms, there is a raft of useful cyber risk management information available to maritime organisations from industry bodies such as BIMCO, as well as Member Governments and Flag Administrations. In the UK, the Department for Transport previously commissioned the Institution of Engineering and Technology to produce a code of practice for ships (published in 2017) as well as a cyber security code of practice for ports and port systems which was updated in January 2020. In collaboration with experts at the Maritime Coastguard Agency, Maritime Accident and Investigation Branch, and the National Cyber Security Centre, these guidance documents complement the work being done by the International Maritime Organisation (IMO) to raise awareness of cyber threats and vulnerabilities.

PGI can help

In addition to the above resources, PGI has a long history of supporting maritime organisations, including on how to address cyber security risks at sea. The most straightforward and effective way to clearly demonstrate the mandated activity to “identify and understand the cyber security risk” is the completion of cyber security maturity assessments. Our Cyber Security Maturity Model analyses and quantitatively measures the existing levels of your organisation’s cyber security measures and activities. It then clearly aligns them with, not only the IMO standards, but also your cyber insurance requirements, other regulatory requirements (e.g. data privacy laws) and your own organisational risk appetite. This model clearly lays out where additional investment is needed and, just as importantly, where it is already sufficient (and therefore not required), to meet all your cyber risk management requirements. It also provides the necessary evidence to the IMO (and others) that “documents how your organisation plans to treat and manage these risks” thus demonstrating your proportionate risk-based approach to managing your cyber security risk.

We believe that cyber security shouldn’t be complicated or expensive and we want to help your organisation strengthen its defenses. If you would like support to meet the requirements of the IMO’s Cyber Security Regulations, please contact us to discuss how we can help.