While the IMO has given shipowners and managers until 2021 to incorporate cyber risk into ships’ safety management systems, tanker owners and operators that are subject to vetting under OCIMF’s SIRE Programme will be expected to address cyber security risks in their policies and procedures as of 1 January 2018.
Following the EXXON VALDEZ incident in 1989, the OCIMF started a pre-fixture tanker vetting program in 1993 with the introduction of the Ship Inspection Report Program (SIRE). In 2004, OCIMF introduced the Tanker Management and Self Assessment (TMSA) program for the vetting of tanker owners’ office and/or management. The TMSA includes certain Key Performance Indicators, and in 2008 OCIMF introduced TMSA Version 2, which has 12 performance elements.
In April 2017, the OCIMF issued TMSA Version 3. In addition to the inclusion of ballast water management, fuel management and other items, Version 3 also contains a new Chapter 13 entitled “Maritime Security” with extensive cyber security vetting requirements, both on board and in the office. For the pre-fixture vetting review, Chapter 13 is dedicated to on board and office marine cyber security with OCIMF recommendations. Chapter 13 requires the company to have a written plan identifying security threats. The cyber plan must include procedures to identify, mitigate and respond to security threats, i.e., drills/training/briefing and security patrols/searches. The cyber plan elements may be included as amendments to existing SMS and ISPS plans.
Chapter 13 also attempts to promote on board cyber security awareness, i.e. it encourages people to lock unattended workstations, safeguard passwords, use social media responsibly and prevent the misuse of memory sticks/flash drives by ships’ personnel. Furthermore, OCIMF recommends:
Until 31 December 2017, owners have the option to continue with TMSA Version 2. After 1 January 2018, only Version 3 will be available on the OCIMF vetting website for oil major/minor companies’ pre-fixture vessel vetting reviews. For owners with tankers on current time charters to the oil majors/minors, and merchant traders whose contracts have industry generic vetting approval/acceptance rider clauses, failure to comply with the new OCIMF Chapter 13 cyber vetting compliance requirements could result in off hires and/or cancellations.
In July 2017, BIMCO released “The Guidelines on Cyber Security Onboard Ships, Version 2”. These Guidelines were a joint effort by various shipping organizations, including Intercargo, International Chamber of Shipping, Cruise Lines International Association, OCIMF and Intertanko. For pre-fixture vetting reviews, it is anticipated that the oil majors/minors will refer to the BIMCO Guidelines Version 2 when assessing owners’ TMSA 3 responses. Reference is also made to the IMO’s Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3) of 5 July 2017.
As a pre-fixture vetting review is very subjective and varies between charterers, time will tell how each oil major/minor company implements the new Chapter 13. However, by 1 January 2018, owners should make best efforts to comply, especially to ensure that cyber risks are appropriately addressed in vessels’ safety management systems and ship security plans.
We are grateful to Jim Textor, partner at Eversheds Sutherland (US) LLP in New York for his contribution to this Insight.