Cyber Risk Management

This position statement is approved by the Board of Directors

Background

Information Technology (IT) and Operating Technology (OT) systems onboard ships are used for a multitude of purposes, such as controlling engines and associated systems, cargo management, navigational systems, administration, etc.  The increased integration of systems and the greater use of digital ship-to-shore communication and data links now substantially increase ships’ exposure to cyber security threats.

As cyber security threats are dynamic in nature, regulations alone are not enough to offer protection against such incidents. Regulations tend to be static, and the long regulatory process reduces their effectiveness as a weapon against the fast-changing world of cyber crime.

BIMCO, ICS, INTERCARGO, DCSA, SYBAss, InterManager, INTERTANKO, IUMI, OCIMF and WSC regularly review and update the Guidelines on Cyber Security onboard Ships (commonly referred to as the Industry Guidelines).  Shipowners and operators can use the guidance to assess their operations and develop the necessary procedures and actions to improve resilience and maintain integrity of cyber systems onboard their ships.

As per the IMO's decision, a ship's cyber risks should be managed in the company's safety management systems. This ensures a risk-based approach centred on safety risks to seafarers, the environment, the ship and cargo.

Software maintenance has a cyber security aspect. On the initiative of BIMCO, IACS and CIRM, the IMO has included the "Development of guidelines for software maintenance of shipboard navigation and communication equipment and systems" on its agenda. An industry working group will develop content that can be used for this work.

BIMCO’s Position Statement

  • To manage cyber security risks, the implementation of the continuously updated Guidelines on Cyber Security onboard Ships is recommended.

  • New ships should be built with cyber secure systems and components in accordance with relevant IACS unified requirements.

  • BIMCO believes regulatory efforts should align with the IMO’s risk-based approach focussing on safety and environmental threats, and strategic threats to societal resilience. Regulations should not cover business resilience, as all such commercial security matters are the individual company’s responsibility.

  • BIMCO strongly recommends the use of BIMCO’s Cyber Security Clause requiring parties to commercial shipping contracts to implement cyber security procedures and systems to help reduce the business-to-business risk of incidents and respond efficiently if such incidents should occur.

  • Training is a key risk-mitigating measure and BIMCO will work to raise awareness in the industry. If training requirements are formalised, pragmatic solutions should be included to take into account the rapidly changing cyber threat.