Senior management has a crucial role to play in ensuring cyber security is taken seriously and properly implemented now that guidelines on maritime cyber risk management have come into effect, recommends Hill Dickinson LLP partner Mark Weston
One of the biggest issues in cyber risk management is ensuring that management appreciates its importance and is willing to expend resources (read ‘cash’) to put the necessary preventative measures in place. This can often be perceived as spending money to stand still, but in reality it is about mitigating risk so everyone can sleep at night.
The guidelines reflect this by making clear that “Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organisation and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.”
The new IMO guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. They are intended to be supplemented by requirements of specific member governments and flag administrations, as well as relevant international and industry standards and best practices.
They contain a non-exhaustive list of vulnerable systems and also make the important distinction between information technology systems (which focus on the use of data as information); operational technology systems (where that data is used to control or monitor physical processes); and interfaces which allow exchange of information within and between such systems.
The functional elements suggested by the guidelines are:
Although the guidelines are only recommendations, by Resolution MSC 428(98) the IMO has said that, from 1 January 2021, cyber security and the risks related to it will be tested in audits. Essentially, no later than the first annual verification of a Document of Compliance (DOC) after 1 January 2021, an organisation must demonstrate that cyber security is an integral part of the safety management system being used.
In my view, any compliance plan should start with the creation of a snapshot as to where an organisation currently is, then identify where it needs to get to, and plug the gap with a costed, detailed remediation strategy. The plan should be RAG-coded so resources are spent on the ‘Red’ areas first, moving to ‘Amber’ and then ‘Green’.
In short, it is important to identify objectives in the field of cyber security and to undertake a mapping exercise of existing systems, software, policies, procedures and processes. This includes a gap analysis of the differential between where the current map shows you are and where you need to be in terms of your objectives. This gap analysis then needs to be turned into a costed, step-by-step remedial plan.
This will probably include ensuring management buy-in and allocating key roles and responsibilities for cyber security all the way up to management level, and putting in place or upgrading cyber security policies and procedures. These need to be workable and actually used, not just a tick-box exercise or ‘something you have to have’. Attention needs to be paid to upgrading networks, segregating and hardening them, and to training, training, training of everyone in the organisation, appropriate to their level.
Training should cover both general awareness and more specific role-based training, alongside implementing hardened systems and network segregation.
Finally, it is vital to ensure that there is also a rolling programme of ongoing compliance and ongoing training, so that cyber security is not just ‘something we checked’ but becomes part of business as usual. Cyber threats are evolving – and so should you.
Riviera will provide free technical and operational webinars in 2021. Sign up to attend on our events page