The United States Coast Guard has issued a Working Instruction (WI) instructing their Marine Inspectors (MI) and Port State Control Officers (PSCO) on how to evaluate the International Maritime Organisation’s (IMO) guidance on maritime cyber risk management component of safety management systems and what actions to take in the event of a non-compliance, including the powers to detain vessels. This instruction will impact superyachts of greater than 500GT, with a commercial function of any Flag State.
The industry has been awaiting any indication on how Flagging States will interpret the IMO’s guidance and whether it will be enforced or advised. Now one month out, the United States Coast Guard and Port State Control has revealed its hand regarding how enforcement will take place, and their approach is robust.
Mike Wills Co-Founder & Chief Data Officer of maritime cybersecurity company CSS Platinum, stated:
“The Superyacht Industry has been waiting for clear direction on how Flag States will interpret and implement the IMO’s ISM Code guidance on maritime cyber risk management. This announcement by the US Coast Guard reveals the first of many hands and makes it very clear that the United States of America will take active measures to protect their cyber integrity. What is significant is that this announcement affects any superyacht, regardless of Flag, subject to an SMS and seeking to access any US port. Failure to meet the advised safety management system may result in the vessel being detained. It will be interesting to see how this announcement may or may not affect the approach that other Flag States may have and the impact it has on US marinas and ports.”
Background:
On the 16 Jun 2017 the International Maritime Organisation (IMO) adopted Resolution MSC.428(98) as a response to the ever-increasing threats from the cyber domain and cybertechnologies. The IMO recognised the urgent need to raise awareness on cyber risk threats and vulnerabilities to support safe and secure shipping, which is operationally resilient to cyber risks. Where applicable, superyachts of greater than 500GT and with a commercial function (charter) are expected to implement maritime cyber risk management into their yacht’s safety management system by no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
US Coast Guard Announcement – Key Takeaways:
b. U.S. flagged vessels subject to the ISM Code are required[1] to evaluate cyber risk and establish procedures to respond to a cyber-attack as per U.S. Flag Interpretations on the ISM Code.
a. The United States Coast Guard Office of Commercial Vessel Compliance (CG-CVC) issued Work Instruction (WI) 027 on 27 October 20 detailing firm guidance to its Marine Inspectors and Port State Control Officers (PSCO) on how to evaluate a maritime cyber risk management component of a safety management system and the executive powers to detain vessels that fail to comply.
c. Starting January 1, 2021, all U..S flagged vessels subject to a Safety Management System (SMS) should address Maritime Cyber Security Risk with respect to the International Safety Management (ISM) Code and Title 33 Code of Federal Regulations (CFR) Part 96[2].
d. The January 2021 implementation requirement also applies to vessels that voluntarily comply with Title 33 Code of Federal Regulations (CFR) Part 96.
e. For Foreign vessels seeking to visit U.S ports:
· If cyber risk management has not been incorporated into the vessel’s SMS by the company’s first annual verification of the DOC after January 1, 2021, a deficiency should be issued with action code 30 – Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
· When objective evidence indicates that the vessel failed to implement its SMS with respect to cyber risk management, then the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with an action code 17 – Rectify Prior to Departure and require the vessel to conduct an internal audit, focused on the vessel’s cyber risk management, within 3 months or, prior to returning to a U.S. port after sailing foreign.
· When objective evidence indicates there is a serious failure to implement the SMS with respect to cyber risk management that directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety/security, or posed increased risk to the environment), after gaining concurrence from the Officer in Charge of Marine Inspections, the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 – Ship Detained with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
f. A Marine Inspector aboard a U.S. vessel may review internal audits and corrective action reports while conducting a more detailed inspection.
Charlotte Riley, Co-Founder and Chief Technical Officer of CSS Platinum stated:
“This announcement will have real impact, particularly on the charter industry, and there is much work to be done to prepare safety management systems. Vessels have until their first annual verification after 1 Jan 2021 to implement maritime cyber risk management. Yacht owners and management companies must note that compliant implementation will take time for audit and the necessary remediation to occur around the movement schedule of the yachts. Owners and management companies are advised that they should seek to address maritime cyber risk management as soon as possible.”
CSS Platinum has developed an IMO Cyber Compliance package to meet the maritime cyber risk management requirements of the IMO’s ISM Code. Having advised and informed a number of the Flag Registries they hold a deep knowledge of the standards required to achieve compliance. For further information on their full IMO Cyber Compliance solution, please visit https://cssplatinum.com/imo-cyber-compliance-package/ and/or email [email protected].
About CSS Platinum
CSS Platinum are the Superyacht industry’s cyber security and privacy experts. We have advised a number of the Red Ensign Group Flag Registries on implementation of the ISM Code’s maritime cyber risk management and are a member of the Marshall Islands Maritime Cyber Risk Management implementation working group. They are also a contributor to the soon to be released v4 of the BIMCO guidelines on cyber security onboard ships.
Source References:
United States Coast Guard Office of Commercial Vessel Compliance (CG-CVC) Work Instruction (WI) 27:
https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/CG-CVC/CVC_MMS/CVC-WI-027(series).pdf
U.S. Flag Interpretations on the ISM Code:
https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/CG-CVC/CVC_MMS/CVC-WI-004(series).pdf
Title 33 Code of Federal Regulations (CFR) Part 96.
https://ecfr.federalregister.gov/current/title-33/chapter-I/subchapter-F/part-96
International Maritime Organisation’s MSC Res. 428(98)
https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf
United States Coast Guard Cyber Strategy:
https://www.uscg.mil/Portals/0/Strategy/Cyber%20Strategy.pdf
Further information:
Contact the Press and Media Team at [email protected]
Michael Wills is Co-Founder & Chief Data Officer at CSS Platinum [email protected]