IMO Regulation
A legal recommendation as of 2021
The IMO highlights that cybersecurity is not just IT security. The human factor, training and processes are essential and should be integrated into onboard cyber risk management and into a cybersecurity assessment.
According to the IMO: “Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organization and ensure a holistic* and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.” (source: IMO Guidelines / MSC-FAL.1/Circ.3, 5 July 2017, § 3.3)
“Cyber risk management should ensure an appropriate level of awareness of cyber risks at all levels of an organization. The level of awareness and preparedness should be appropriate to roles and responsibilities.” (source: IMO Guidelines / MSC-FAL.1/Circ.3, 5 July 2017, § 3.7)
The MSC encourages all members to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance (DOC) after 1st January 2021.
*Holistic cybersecurity: not limited to IT security, but covering the whole scope of cybersecurity. The 3 pillars of cybersecurity are: Human + Organization + Technology.