Incorporation of Cyber Risk in the SMS (Tripartite item 18-02)

As stated in the Res.MSC.428(98), the incorporation of cyber risks should be verified during the first annual Document of Compliance verification. As a new risk, its effective implementation should also be verified during the first verification of the Safety Management Certificate (SMC) on board the Company's ship(s).

Cyber risks should be verified in the same way as any new upcoming risk (e.g. change of trade/cargo, new equipment etc.) which is incorporated in the Safety Management System (SMS). This will result in an amendment of the SMS, such as a new procedure or instruction regarding the mitigation of cyber risks, and ‘should be ensured to be properly addressed in the SMS’ during the audit (also reference is made to IACS PR 9 -paragraph 3.6.5: "The auditor shall take into account any changes made to the SMS since the last external audit carried out"). Depending on the RO procedures this may require approval of this specific section of the SMS. The only way to completely verify the implementation and effectiveness of the mitigating measures will be during the next SMC verification on board of one of the vessels. To verify the effective implementation of IMO Resolution MSC.428(98), the IMO guideline MSC-FAL.1/Circ.3 and the ‘Handreiking Cyber Risk Management voor schepen’ as made by TNO are recommended to be taken into account.