Legend / Explanation of abbreviations:

• EU: European Union
• IACS: International Association of Classification Societies
• IMO: International Maritime Organisation
• LSA: International Life-Saving Appliances Code
• NSI: Netherlands Shipping Inspectorate
• RO: Recognised Organisation
• SMC: Safety Management Certificate
• SMS: Safety Management System
• SOLAS: the International Convention for the Safety of ife at Sea, 1974, and its protocol of 1988: articles, annexes and certificates, as amended
• SSA: Ship Security Assessment
• SSP: Ship Security Plan

Incorporation of Cyber Risk in the SMS

As stated in the Res.MSC.428(98), the incorporation of cyber risks should be verified during the first annual Document of Compliance verification. As a new risk, its effective implementation should also be verified during the first verification of the SMC on board the Company's ship(s).

Cyber risks should be verified in the same way as any new upcoming risk (e.g. change of trade/cargo, new equipment etc.) which is incorporated in the SMS. This will result in an amendment of the SMS, such as a new procedure or instruction regarding the mitigation of cyber risks, and ‘should be ensured to be properly addressed in the SMS’ during the audit (also reference is made to IACS PR 9 -paragraph 3.6.5: "The auditor shall take into account any changes made to the SMS since the last external audit carried out"). Depending on the RO procedures this may require approval of this specific section of the SMS. The only way to completely verify the implementation and effectiveness of the mitigating measures will be during the next SMC verification on board of one of the vessels. To verify the effective implementation of IMO Resolution MSC.428(98), the IMO guideline MSC-FAL.1/Circ.3 and the ‘Handreiking Cyber Risk Management voor schepen’ as made by TNO are recommended to be taken into account.

Cross reference between SSP and SMS | cyber security procedures

Based on the following IMO- / SOLAS- / EU legislation, the SSA and the SSP shall contain at least a reference to the SMS’ cyber security procedures:

• SOLAS regulation XI-2/1.1.13,
• MSC-FAL.1/Circ.3, as revised,
• Resolution MSC.428(98)),
• IMO meetingdocument MSC 101/24,
• Regulation (EC) No 725/2004.

The NSI does acknowledge that the required reapproval of the SSA and SSP constitutes a potential administrative burden for shipowners and ROs. In view of this the NSI proposes that the Company Security Officer includes a cross reference to the SMS’s cyber security policy in the SSP and subsequently issues a declaration to this effect. Subject declaration should be available on board. During the next ISPS audit the cross reference in the SSP can then be verified by the Recognized Security Organization.