Applicability: shipowners, ship operators, ship managers and ship masters.

Customers are reminded that IMO Resolution MSC.428(98) encourages Administrations to ensure that cyber risks are appropriately addressed in safety management systems (SMS) no later than the first annual verification of the customer’s Document of Compliance (DOC) after 1 January 2021.

Many Administrations have already issued their own requirements in this regard. 

ISM-audited compliance

Customers should note that compliance with MSC.428(98) will be verified by International Safety Management (ISM) auditors at ship and shore-based ISM audits from 1 January 2021 onwards.

If cyber risks and their management have not been addressed within the SMS, this will be recorded in the audit report. The grading of any finding will depend on whether the first annual verification of the customer’s DOC after 1 January 2021 has taken place.

Port State Control verification

Customers should also be aware that Port State Control officers may seek to verify effective implementation of cyber risk management controls.  

As an example, the US Coast Guard has issued Vessel Cyber Risk Management Work Instruction (CVC-WI-027(1)), which is applicable to US-flagged vessels and all foreign vessels visiting US ports. This states that, if cyber risk management has not been incorporated into the vessel’s SMS by the customer’s first annual verification of the DOC after 1 January 2021, the vessel will be detained. Lack of implementation of the SMS cyber risk controls may also result in deficiencies to be rectified before departure, or in detention.

What you should do now

Customers, shipowners and managers need to ensure they have properly assessed the cyber risks to their operations and have implemented necessary procedures to manage such risks before 1 January 2021.

For further information and resources

Contact your local Lloyd’s Register group office or contact Nettitude.

Nettitude blog: how to approach the IMO cyber security requirements.

Technical Matters blog: should compliance or strategy drive security policy in marine and offshore?