MPA has released a circular on maritime cyber risk management for shipowners, ship managers, operators, and masters of Singapore-registered ships subject to the ISM Code, and MPA's ROs.
This circular provides information on the requirement to incorporate maritime cyber risk management in the safety management systems (SMS) of companies operating Singapore-registered ships.
Cyber risk management refers to the process of identifying, analysing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders.
Maritime cyber risk refers to a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised. The goal of maritime cyber risk management is to support safe and secure shipping, which is operationally resilient to cyber risks.
As affirmed in Resolution MSC.428(98) (Annex A), an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. MPA will require cyber risks to be appropriately addressed in the company's SMS no later than the first annual verification of the ISM company's Document of Compliance after 1 January 2021.
In line with the guidance presented in MSC-FAL.1/Circ.3 (Annex B), to consider cyber risks as being appropriately addressed in SMS, the ISM company is required to demonstrate that they have appropriately incorporated the five functional elements to address maritime cyber risks, namely:
Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations;
Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations;
Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner;
Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event;
Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.
ISM companies of Singapore-registered ships are reminded to review the identified risks to their ships, personnel and the environment and to establish appropriate safeguards to ensure that maritime cyber risks are appropriately addressed in the SMS, and that the five functional elements stated in para 5 have been incorporated into their risk management framework.
MPA has co-funded several maritime cyber security courses under the Maritime Cluster Fund and Training@MaritimeSingapore. MPA is also aware that Recognised Organisations (ROs) have developed maritime cyber security training courses and relevant consultancy services to assist ISM Companies in developing and preparing their cyber risk management strategy and procedures.