New cyber security regulations are of particular interest to management boards of companies designated (or potentially designated in the future) as Operators of Critical National Infrastructure (CNI), Operators of Essential Services (OES) or similar. The measures required under the updated regulations will need to be considered well in advance of compliance deadlines if companies are to avoid disruption to their trade due to inadequate cyber security certification leading to service suspension and/or fines.
In January this year the 2022 EU Network and Information Systems (NIS) 2.0 Directive came into effect, requiring EU Member States to implement new cyber security laws by October 2024, which will include significant new enforcement measures.
In March this year the UK Government published updated guidance for board members to govern cyber risk more effectively and announced that the UK’s 2018 Network and Information Systems Regulations (NIS Regulations) will be updated and strengthened. This will include creating a new power to designate critical suppliers or services and will also provide a discretionary power to take appropriate and proportionate measures to secure such critical dependencies.
This year is also expected to see the US Securities and Exchange Commission (SEC) publish its new cyber security risk management regulation. The new SEC Regulation will require Covered Entities, including public maritime organisations, to implement, oversee, assure, attest and report their cyber security risk management governance, strategy, frameworks and programs. Their board members will also be required to declare their personal cyber knowledge and experience, and report cyber incidents.
In summary, across the global transport industry, there are a host of new obligations soon to fall upon companies and those at the corporate helm which need to be grappled with in the very near future.
Global dependence on the maritime transport industry is profound. We rely upon a network of ships, ports and inland distribution centres for the movement of cargo ranging from commodities to personal packages. We rely on oil and gas, and increasingly on wind and waves, to provide our energy needs via their associated infrastructure, and marine-based communication systems must also not be overlooked. It is well known that around 90% of globally traded goods are carried by sea; a secure marine sector is therefore critical for global trade, and the maritime sector is justifiably classified by governments as critical to national security and as Critical National Infrastructure (CNI).
It is not difficult, therefore, to appreciate the degree of global disruption that can be caused by disabling international cargo and logistics distribution systems or by attacking data networks critical to communications and security. Cyber-attacks have already impacted the maritime sector: the 2017 Maersk cyber-attack demonstrated the effect of a cyber-attack on the container industry, costing the firm up to $300 million; CMA CGM was hit by cyber-attacks targeting customer information in 2020 and 2021; the IMO suffered a cyber-attack in 2020; the Tokyo MoU reported it was affected by a cyber-attack in July 2022; DNV’s ShipManager software, used by vessel operators for fleet management, was targeted in a ransomware attack in January 2023; and the recent attack in April on the US Navy’s Marinette Marine shipyard halted production. All are good reminders of how vulnerable even highly protected systems can be.
In March this year, the EU Agency for Cybersecurity (ENISA) published its first cyber threat landscape report dedicated to the transport sector. The report highlights that ransomware attacks on the transport sector doubled in 2022, that more than half of the incidents were linked to cybercriminals seeking to steal money, and that almost a quarter of attacks were from hacktivists.
The threat of cyber-attacks to CNI is clearly increasing and is driving Governments to enhance cyber security regulations which will require CNI providers to enhance their cyber security management.
On a positive note, shipping (specifically ship operations), with its high level of multi-national dependency, has already been proactive in establishing enforcement measures to counter cyber-attacks on vessels and their related services. This has been achieved through recommendations flowing from the IMO and their subsequent adoption by flag State Administrations to ensure cyber security measures are incorporated into Safety Management Systems (SMS). However, of importance to shipping companies’ management boards, updates to UK, EU and US regulations to safeguard the services on which nations depend are in motion. These updates will see a move away from nations relying on guidance and persuasion towards the implementation of wider enforcement powers and penalties for infringements.
This article highlights the main regulations that are applicable to the maritime sector in the lead up to the revised regulations.
Details of who and how you can contact us for advice are at the side/end of this article.
Chronological overview of maritime cyber security regulations and guidelines
On 1 June 2016 the IMO issued MSC.1/Circ.1526 Interim Guidelines on Maritime Cyber Risk Management which highlighted the urgent need to raise awareness on cyber risk threats and vulnerabilities.
On 6 July 2016, EU Directive 2016/1148, the Network and Information Systems Directive (“NIS Directive”), came into effect, requiring public and private operators of services in certain sectors to take appropriate security measures and to report incidents that significantly impact the continuity of the services they provide. The sectors include energy, transport, banking, financial markets, potable water, healthcare and digital service providers.
On 16 June 2017, the IMO published MSC 428(98) Maritime Cyber Risk Management in Safety Management Systems (SMS) which encouraged Administrations to ensure that cyber risks are appropriately addressed in SMS. This was to be achieved no later than the first annual verification of the Company’s Document of Compliance after 1 January 2021.
On 5 July 2017, the IMO issued MSC-FAL.1/Circ.3, the first version of its Guidelines on Maritime Cyber Risk Management. The guidelines are addressed to all organizations in the shipping industry and set out that users should refer to specific Member Governments’ and Flag Administrations’ requirements, as well as relevant international and industry standards and best practices.
On 10 May 2018, the UK published SI 2018 No. 506, The Network and Information Systems Regulations 2018, which defines the organisations and companies that are Operators of Essential Services (“OES”), under which the water transport subsector is designated. OES must take appropriate and proportionate technical and organisational measures to manage risks, and appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of their network and information systems. In doing so, they must have regard to any relevant guidance issued by the relevant competent authority when carrying out their duties.
As of 1 January 2021, vessels whose flag State had adopted MSC 428(98) must have addressed, and have in place, cyber security measures integrated into their SMS by their Company’s first ISM DOC audit after 1 January 2021. In support of this requirement, several articles and guides have been published by industry bodies on how to implement cyber security in a company’s and vessel’s SMS. Given that it is now well into 2023, such systems should be well established to counter new threats.
On 9 March 2022, the US Securities and Exchange Commission released a proposal for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934, which includes UK and EU based foreign issuers. The proposal sets out the requirements of Covered Entities to provide numerous management reports to the SEC that will provide the SEC, investors and other market participants with information on the current management of cyber security risks.
On 7 June 2022, MSC-FAL.1/Circ.3/Rev.2 updated the IMO’s Guidelines on Maritime Cyber Risk Management. Amongst other updates, it highlights the risk associated with companies and organisations operating on interconnecting networks. Alongside the recommendation that cyber risk management should start at the senior management level, the paper also provides a selection of industry guidance.
On 17 January 2023, EU Directive 2022/2555, the NIS 2.0 Directive, came into effect, requiring Member States to prepare and legislate by 17 October 2024. The revised directive widens and strengthens Member States’ powers to enforce compliance and seeks to harmonise cyber security measures between Member States with the help of ENISA. The NIS 2.0 Directive forms part of a suite of cyber regulations being developed by the EU to strengthen the resilience of EU Member States’ CNI. These include NIS 2.0, the Directive on the Resilience of Critical Entities (EU 2022/2557) for CNI and the proposed Cyber Resilience Act 2022/0272 (COD) for the security of hardware products and services.
Below are some highlights from EU NIS 2.0 relating to the maritime sector:
Within Annex I, the maritime sector OES that are specifically listed as highly critical are inland, sea and coastal passenger and freight water transport companies; managing bodies of ports; and operators of vessel traffic services (VTS). Annex I also brings into scope services providing electricity generation, distribution and transmission (encompassing wind and wave power generation), and oil and gas production, storage, distribution and transmission (encompassing upstream processes including drilling, extraction and storage). Annex II concerns other critical services and identifies the manufacture of transport equipment, which includes the building of passenger and cargo vessels, tankers, tugs, warships, drilling platforms and floating structures.
Of particular importance to those service operators is Article 20 which, among other things, directs that Member States shall ensure that management bodies approve the cyber security risk-management measures (see Article 21); oversee their implementation, which includes training at all levels; and can be held liable for infringements. Note also that preamble paragraph (7) opens the door for Member States to identify not just entities that are medium sized and above, but also small enterprises and micro-enterprises which fulfil specific criteria, as falling within the scope of the directive. Consideration of the critical supply chains identified in Article 22 is also likely to be important here.
The risk-management measures expected of an OES under Article 21 are far reaching and should be based on an all-hazards approach. For example, an OES is to consider: state-of-the-art and relevant European and international standards; the degree of the entity’s exposure to risks; the entity’s size; the likelihood of occurrence of incidents; and their severity in relation to their societal and economic impact. It is, therefore, easy to foresee that it will be challenging for an OES to first identify and then establish suitable measures that satisfy these wide-ranging considerations.
Lastly, it is important for company management boards to appreciate that Member States’ enforcement powers will be stepped up considerably. Measures include establishing a competent authority to have the power to conduct random audits, issue infringement warnings, stipulate remedial actions, suspend services and impose fines.
EU Member States now have about 15 months (until October 2024) to implement national laws to satisfy EU NIS 2.0 (as well as the Digital Operational Resilience Act (‘DORA’)), and it is also expected that the EU will release a proposed Cyber Resilience Act (CRA) later this year.
The release date of the US SEC cyber security risk management proposal is not yet known, but there are expectations that it will likely be released mid-2023. With the SEC having released, since March 2022, a further three cyber security risk management proposals affecting different aspects of financial markets, it is highly likely that the capital proposal will become final. This will require boards of Covered Entities to demonstrate their organisation’s compliance with cyber security risk management. With the proposal affecting foreign issuers with listings covered by the Securities Exchange Act of 1934, it is important for such firms in the maritime industry to be well prepared.
In relation to the prospect of updated UK NIS Regulations, as the industry consultations have now been conducted, it is expected that the government will soon implement revised regulations which will broadly be in line with EU and US standards. In the meantime, by way of UK guidance, on 30 March this year the National Cyber Security Centre updated its Cyber Security Toolkit for Boards. This guide is useful, particularly the section on directors’ duties in the UK, for keeping up to date with the UK Government’s expectations of those responsible for cyber security within a company.
Generally, the more robust a shipping company’s cyber security measures are now, the easier it will be to implement any additional management measures required under NIS 2.0, the US SEC regulation or the UK NIS Regulations amendments. Such measures can be pre-empted to a certain degree by management boards becoming familiar with the underlying requirements of the directives and proposals, augmented by the IMO and flag State cyber security requirements for vessels as well as any other maritime sector codes and industry papers. This, in turn, should leave management boards far less at risk of suffering the consequences of infringing national laws when they come into effect and, of course, less likely to be the victim of a major cyber-attack.
A selection of maritime industry cyber security standards:
- Code of Practice Cyber Security for Ships produced by the Institution of Engineering and Technology (IET), supported by the Department for Transport (DfT) and the Defence Science and Technology Laboratory (Dstl).
- The Guidelines on Cyber Security Onboard Ships produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
- Consolidated IACS Recommendation on cyber resilience (Rec 166 rev.2).
- IAPH Cyber Security Guidelines for Ports and Port Facilities.
For further information, please contact:
Peter Thornton MBE, Hill Dickinson