Maritime Cybersecurity: From IMO Compliance to Truly Resilient Fleets

As ships, ports, and shoreside offices become more connected, cyber risk is now firmly a safety and business continuity issue — not just an IT problem. The IMO has made cyber risk management mandatory as part of the Safety Management System (SMS), and classification societies and industry bodies have followed with detailed requirements and practical guidelines.

The IMO Mandate: What It Actually Requires

IMO Resolution MSC-FAL.1/Circ.3 requires that cyber risk management be appropriately addressed in Safety Management Systems no later than the first annual verification of the Document of Compliance after 1 January 2021. This means that for every company and vessel operating under the ISM Code, cyber risk must now be treated as part of the same management framework that governs navigational safety, pollution prevention, and crew welfare.

Key point: ISM Code compliance alone is not sufficient for true cyber resilience. It is the starting line, not the finish line.

IACS UR E26 and E27: The New Build Reality

For vessels with keel-laying from 1 January 2024, the International Association of Classification Societies (IACS) Unified Requirements E26 and E27 impose mandatory cybersecurity requirements. E26 covers the cyber resilience of new ships, while E27 covers cyber resilience of onboard systems and equipment. These are not guidance — they are enforceable class requirements, and class societies are now actively verifying compliance.

Building Genuine Resilience: The NIST Framework

The NIST Cybersecurity Framework's six functions — Govern, Identify, Protect, Detect, Respond, and Recover — provide the most practical structured approach to building maritime cyber resilience beyond basic compliance. SGMA uses this framework as the backbone of all our cybersecurity assessments.

The Human Factor: Your Biggest Risk

Technical controls and policies mean nothing if crew members click phishing emails, connect personal devices to OT networks, or fail to follow incident response procedures. Our crew training programs are designed specifically for maritime personnel — practical, scenario-based, and updated for the current threat landscape.

How Singapore Marine Agency Delivers Cyber Resilience

  • IACS E26/E27 gap assessments for new builds and existing vessels seeking class notation
  • IMO cyber risk integration into existing SMS documentation and procedures
  • NIST CSF assessments covering both IT and OT systems onboard and ashore
  • Cyber hygiene training for officers, engineers, and shore-based staff
  • Incident response planning and tabletop exercise facilitation

Contact our cybersecurity team to discuss a tailored assessment for your vessels and shore-based operations.
