In the first issue of its “Phish & Ships” newsletter for 2018, the Be Cyber Aware at Sea campaign provides insight into the issues that will likely shape the shipping industry’s response to maritime cyber security risks throughout the year, focusing specifically on UK developments on cyber risks and the arrival of new EU data protection legislation.
One of the most important developments for the shipping industry is a joint government and industry group reporting directly to the National Maritime Security Committee (Industry). This group has representation from all the major ports within the UK, the UK Major Ports Group and the British Ports Association, and the UK Harbour Masters Association.
The UK response hinges on the Vessels Code of Practice, designed to help businesses of all sizes to assess risks, devise the most appropriate reactive measures, and manage security in the event of an attack. The code explains why cyber security should be an integral part of maritime management through a ship’s lifecycle, and delivered cost effectively as part of mainstream business. It also highlights the national and international standards and regulations that should be followed.
In addition, 2018 sees the new OCIMF pre-fixture tanker vetting cyber requirement shaping the response of owners. While the IMO has given shipowners and managers until 2021 to incorporate cyber risk into ships’ SMS, tanker owners and operators that are subject to vetting under OCIMF’s SIRE Programme are now addressing cyber security risks in their policies and procedures.
Furthermore, two significant new pieces of EU legislation related to data protection and cybersecurity will impact most industry sectors – including shipping – beginning in May 2018: the EU General Data Protection Regulation (GDPR) and the Network Information Security (NIS) Directive.
The GDPR applies to organisations established in the EU, and to those outside the EU that provide goods and services to customers in the EU. The penalties for non-compliance are fierce and fines could be as much as €20 million or 4% of global annual turnover.
The impact of the NIS Directive is still less clear than that of the GDPR, as it is down to individual member states to transpose the Directive into their national law. In the UK, it will require these operators to take the necessary measures to protect their IT systems and will further require businesses to develop a strategy and policies to understand and manage their risks. In shipping this could include both land and sea operations. The strategies under development should include procedures for preventing incidents through awareness and training, detecting attacks, and having the ability to respond, restore and recover.