
Regulations and compliance are increasingly important

The comparative lack of cyber-regulation focussed on the maritime industry until recently has created a false sense of security among owners and operators. Adoption until now has largely been driven by owners who understand the risk and want to be proactive.

What regulation has been enacted to date has been very light touch, but there are divergent trends between industry rules and government guidance. The cyber-regulatory regime is becoming more and more important across the maritime industry and is driving awareness of the compliance requirement.

Current instruments include the IMO regulations, which have been in force for a couple of years and require organisations to demonstrate that they have taken steps to harden their assets and have plans in place to respond to an attack.

New Unified Requirements (URs) introduced by the International Association of Classification Societies (IACS) apply to newbuildings, but the existing fleet is still vulnerable to systems that are not operated with recent cyber threats in mind.

The next piece of regulation on the radar for maritime is the upcoming NIS2 Directive, EU-wide legislation which is set to come into force in October 2024. Designed to enhance cyber security measures in the European Union, it will have implications for maritime companies with more than 50 employees or those generating an annual revenue exceeding €10 million, broadening its scope to include both medium-sized and large companies within the sector.

Much more comprehensive in scope than industry programmes, NIS2 aims to address emerging cyber threats and strengthen critical infrastructure, and it includes large fines for non-compliance.

Case Study: Breaches may result from compliance lapses

Cybercriminals use any number of tools, including deceptive emails, messages, or phone calls, to trick personnel into revealing sensitive information, providing access to IT systems, or making fraudulent transactions. Social engineering tactics exploit human vulnerabilities rather than technical weaknesses and may be aimed at crew in remote locations.

In any safety-related industry, experts will contrast the cost of prevention with the cost of an accident, and this remains true in cyber security. The outlays for a programme of awareness, compliance and response pale into insignificance compared to the costs - both operational and reputational - that can flow from a successful cyber-attack.
