Cyber: US moving towards compliance legislation

North P&I Club has informed Members that the US has moved from its initial position of encouraging voluntary compliance in cyber-risk towards a position where compliance is likely soon to be required by legislation. The US has proposed to the IMO that cyber risks are incorporated into vessel Safety Management Systems (SMS). In their submission to the IMO’s Maritime Safety Committee (MSC 98/5/2) the US assert that: “Cyber-related risks are operational risks that are appropriately assessed and managed in accordance with the safety management requirements of the International Safety Management Code”.

The submission goes on to outline the potential safety implications of cyber risks to shipping as the rationale for including cyber risks in an SMS. It also asserts that vessel operators can comply by following industry guidance already available, such as the IMO Guidelines on Cyber Risk Management.

A draft resolution has been proposed which, should the MSC agree to the submission, would require that cyber risks are appropriately incorporated in vessels’ SMS no later than the first annual verification of the company’s Document of Compliance after January 1st 2018.

North notes that, if such a resolution is agreed, “some companies would have just a year after the 1 January 2018 (should this be the date of their Document of Compliance renewal) to get their systems in place”. All others would follow over the next five years.

North concluded that “whether or not the US submission gets the necessary support at MSC remains to be seen. One thing that seems certain is that the authorities in the US and elsewhere remain concerned over cyber risks in shipping. Cyber risk regulation in shipping is getting closer.”