Development at IMO
The Guidelines on maritime cyber risk management (MSC-FAL.1/Circ.3) are complementary to the safety and security management practices established under the ISM and ISPS Codes. The Guidelines include functional elements that support effective cyber risk management and provide references to further detailed guidance, including the industry guidelines on cyber security on board ships.
The IMO resolution MSC.428(98) on Maritime cyber risk management in Safety Management Systems encourages flag States to ensure that cyber risks are appropriately addressed in existing Safety Management Systems (SMS), as defined in the ISM Code, no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.
IMO noted the concern that some national and regional requirements on cyber risk management focused primarily on the security objectives of the ISPS Code. It was agreed at MSC 101 in June 2019 that:
.1) aspects of cyber risk management, including physical security aspects of cyber security, should be addressed in Ship Security Plans under the ISPS Code; however, this should not be considered as requiring a company to establish a separate cyber security management system operating in parallel with the company SMS;
.2) resolution MSC.428(98) on Maritime cyber risk management in Safety Management Systems set out IMO’s requirements for flag States to ensure that cyber risks are appropriately addressed in existing SMS (as defined in the ISM Code), verified by an endorsed Document of Compliance and Safety Management Certificate, and that in the Ship Security Plan, reference should be made to cyber risk management procedures found in SMS.