Under the guidelines, ship owners and operators are required to identify, manage and avoid cyber risks. The guidelines define cyber risk management as being “the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating (that risk) to an acceptable level (after) considering the costs and benefits of actions taken to stakeholders”.
Cyber risk management should be considered a part of operational risks and evolve “as a natural extension of existing safety and security management practices”.
The maritime industry already has instruments which could be used to implement and develop proper cyber risk management.
The International Safety Management Code (the ISM Code) sets out maritime safety management standards for ship owners and operators, the objective of which is to ensure safety at sea and prevent loss of life or damage to the environment by way of a safety management regime. The International Ship and Port Facility Security (ISPS) Code, a risk management system to enhance port and ship security, focuses on physical security and does not cover cyber risk management. It must be a matter of urgency for the IMO now to turn its attention to updating the ISPS Code to deal with this risk.
With the advent of modern-day cyber security risks, which can have a direct impact on ship navigation and cargo handling operations, there can be no doubt that the safety management systems envisaged by the ISM and ISPS Codes must incorporate proper cyber risk management.
The Baltic and International Maritime Council (BIMCO) has developed The Guidelines on Cyber Security Onboard Ships (February 2016), which all ship owners and ship operators should consider.