ISPS Code, part B, paragraph 8.3, states the SSA should address risks to radio and telecommunication systems, including computer systems and networks. The ISM Code also states, “The objective of the company’s Safety Management System (SMS) is to provide a safe working environment by establishing appropriate safe practices and procedures based on an assessment of all identified risks to the ship, onboard personnel and the environment.
In the context of ship operations, cyber incidents are anticipated to result in physical effects and potential safety and/or pollution incidents. This means that the company needs to assess risks arising from the use of IT and OT onboard ships and establish appropriate safeguards against cyber incidents. IMO Resolution MSC.428(98) encourages IMO member states to ensure cyber risks are addressed in safety management systems no later than the first annual verification of a company’s Document of Compliance after 1 January 2021.