IMO holds off on mandatory cyber rules

MSC 97 discussed maritime cyber risk but guidelines remain voluntary. Credit: IMO

Avoiding another layer of costs for shipowners was part of the rationale for postponing mandatory requirements on cyber risk management at the IMO.

The agency’s Maritime Security Committee (MSC) earlier this year approved “Interim Guidelines on Maritime Cyber Risk Management”, considered a new benchmark for maritime cyber-security standards.

At its 97th meeting (MSC 97) held on 21–25 November, the Iranian delegation proposed developing those guidelines into “a mandatory instrument to ensure consistent application of cyber-security measures and procedures on board ships and on shore-based systems interfacing with ships”.

However, “while all delegations that spoke recognised the importance of implementing the high-level recommendations on maritime cyber-risk management” approved by the IMO, “a careful assessment should be conducted before developing any mandatory provisions on maritime cyber-risk management to avoid additional administrative burdens”, the IMO stated in a summary published this week.

The IMO also pointed out that, as stated in the interim guidelines, maritime cyber-risk management should be addressed through existing management practices set out in the International Ship and Port Facility Security (ISPS) Code and the International Safety Management (ISM) Code.

The MSC also agreed to wait until the next meeting of the IMO’s Convention on Facilitation of International Maritime Traffic (FAL) in April to “complete the work on facilitation aspects” of maritime cyber security before further considering possible mandatory cyber-management requirements.

Despite the IMO delaying for now the prospect of mandatory requirements, Kate Belmont, a cyber-security expert at the law firm Blank Rome in New York, noted that the attention paid to cyber risk at MSC 97 signals the likelihood that cyber security will eventually be taken to another level.

“It appears the IMO is committed to creating a mandatory instrument to ensure consistent application of cyber-security measures and procedures on board ships and on shore-based systems interfacing with ships, but the IMO is taking a cautious approach,” Belmont told IHS Markit.

“Although maritime cyber-risk management continues to be voluntary, its critical importance should not be underestimated. Requirements are on the horizon and it is advisable that all players in the maritime industry invest in effective cyber-risk management.”

As the maritime sector looks to limit potentially costly cyber regulations through self-imposed guidelines – such as those issued jointly earlier this year by several shipowner groups – the damage that can be done by cyber hackers is becoming increasingly evident.

A survey conducted by IHS Markit in association with BIMCO revealed that one in five respondents acknowledged they had been a victim of a cyber attack, with 40% of those respondents confirming that preventative measures had been in place before the attack.

The cost imposed by marine insurers to protect assets against such an attack is likely to increase as well. One consultant told delegates at a recent seminar that vessel owners and operators may soon have to buy separate cyber-risk cover in the long run, while the marine insurance sector has been slow to tackle the problem in the short term.
