RECOGNIZING the urgent need to raise awareness on cyber risk threats and
vulnerabilities to support safe and secure shipping, which is operationally resilient to
cyber risks,
RECOGNIZING ALSO that Administrations, classification societies, shipowners
and ship operators, ship agents, equipment manufacturers, service providers, ports and
port facilities, and all other maritime industry stakeholders should expedite work
towards safeguarding shipping from current and emerging cyber threats and
vulnerabilities,
BEARING IN MIND MSC-FAL.1/Circ.3 on Guidelines on maritime cyber risk
management approved by the Facilitation Committee, at its forty-first session (4
to 7 April 2017), and by the Maritime Safety Committee, at its ninety-eighth session (7
to 16 June 2017), which provides high-level recommendations for maritime cyber risk
management that can be incorporated into existing risk management processes and are
complementary to the safety and security management practices established by this
Organization,
RECALLING resolution A.741(18) by which the Assembly adopted the
International Management Code for the Safe Operation of Ships and for Pollution
Prevention (International Safety Management (ISM) Code) and recognized, inter alia, the
need for appropriate organization of management to enable it to respond to the need of
those on board ships to achieve and maintain high standards of safety and environmental
protection,
NOTING the objectives of the ISM Code which include, inter alia, the
provision of safe practices in ship operation and a safe working environment, the
assessment of all identified risks to ships, personnel and the environment, the
establishment of appropriate safeguards, and the continuous improvement of safety
management skills of personnel ashore and aboard ships,
1 AFFIRMS that an approved safety management system should take into account
cyber risk management in accordance with the objectives and functional requirements of
the ISM Code;
2 ENCOURAGES Administrations to ensure that cyber risks are appropriately
addressed in safety management systems no later than the first annual verification of
the company's Document of Compliance after 1 January 2021;
3 ACKNOWLEDGES the necessary precautions that could be needed to preserve the
confidentiality of certain aspects of cyber risk management;
4 REQUESTS Member States to bring this resolution to the attention of all
stakeholders.