The role of CMI in Marine Cyber Security and its implications on the insurance industry
13 May, 2025
By Alberto Batini, LLM, PhD (Partner with BTG LEGAL)
The regulation and development of cybersecurity within the maritime industry, often referred to as “cyber shipping,” has been progressing, especially with increasing digitalization and reliance on IT systems in shipping operations. Several key initiatives and regulations address the issue:
1. IMO Guidelines on Cybersecurity
The International Maritime Organization (IMO) has recognized the importance of cybersecurity in shipping. In 2017, the IMO issued MSC-FAL.1/Circ.3, which provides high-level guidelines on cybersecurity in the maritime industry. These guidelines aim to enhance awareness of cybersecurity risks and recommend actions for mitigating cyber risks across ships and maritime organizations.
In 2021, the IMO further tightened these regulations under MSC.428(98), which mandates that shipping companies integrate cybersecurity into their Safety Management Systems (SMS), emphasizing the need for continuous assessment and mitigation of cybersecurity risks. This regulation also requires cyber risk management to be included as part of a ship’s safety management practices, effective from January 2021.
2. Cyber Risk Management
The IMO’s cybersecurity guidelines recommend adopting risk-based approaches to identifying and managing cyber threats and vulnerabilities. Shipping companies are expected to implement policies for:
- Risk assessment
- Vulnerability identification
- Incident response and recovery
- Continuous monitoring and adaptation
This includes securing both operational technology (OT) on vessels (e.g., navigation systems, engine control) and information technology (IT) networks.
A growing number of organizations and standards have emerged to guide maritime cybersecurity efforts:
- ISO/IEC 27001: This international standard for information security management systems (ISMS) is applied by shipping companies to protect sensitive data.
- ISO 28000: This standard focuses on security management for supply chains, including cybersecurity concerns.
- NIST Cybersecurity Framework: A framework commonly adopted by various sectors to improve cybersecurity, which is also relevant for maritime operations.
Several classification societies, such as DNV GL, Lloyd’s Register, and Bureau Veritas, have developed their own cybersecurity frameworks and guidelines to assist shipowners in ensuring their vessels meet the necessary cybersecurity standards. These guidelines often lead to certifications for ships that demonstrate cybersecurity resilience.
3. International Cooperation
The Comité Maritime International (CMI), a key international organization for maritime law, has also considered cybersecurity issues in its discussions on legal and regulatory matters affecting global shipping. However, specific legislation concerning cybersecurity in maritime law is still evolving, and the CMI continues to monitor developments and ensure that legal frameworks stay relevant to the emerging digital threats.
In particular, the CMI recently established a Sub-Committee on Cybersecurity in Marine Shipping to address the growing concerns over cyber threats in the maritime industry. This initiative seeks to evaluate the current state of cybersecurity within the industry, develop guidelines for better security practices, and possibly draft uniform international legislation or regulations to standardize cybersecurity measures across the global maritime sector.
The goal of the sub-committee is likely twofold:
- To gather comprehensive information from maritime stakeholders about the existing state of cybersecurity in the industry through a structured questionnaire.
- To study and propose potential regulatory frameworks or legislative measures to mitigate cyber risks and create a unified approach to addressing cybersecurity concerns globally.
Key Areas of Focus for the CMI Sub-Committee
The questionnaire that the sub-committee recently designed for circulation to all national maritime law associations across the globe focuses on several critical areas of maritime cybersecurity:
1. Cybersecurity Risk Assessment
- What are the primary cybersecurity risks faced by shipping companies, ports, and maritime logistics?
- How do maritime stakeholders assess their vulnerability to cyberattacks?
2. Cybersecurity Policies and Procedures
- Are there established policies, procedures, and protocols for cybersecurity within maritime companies?
- How are these policies aligned with existing regulations like the IMO (International Maritime Organization) guidelines on cybersecurity (MSC-FAL.1/Circ.3)?
3. Regulatory Compliance and International Standards
- To what extent are shipping companies and maritime organizations complying with the IMO’s cybersecurity regulations and with national regulations?
- Is there a need for more uniform international regulations or new global standards for cybersecurity in shipping?
- How are existing regulations being enforced and what gaps might exist in current frameworks?
4. Cybersecurity in Maritime Operations
- What specific areas of maritime operations (navigation systems, cargo tracking, communication systems, etc.) are most vulnerable to cyber threats?
- Are there standardized cybersecurity protocols in place for critical systems (e.g., vessel management systems, electronic charts, etc.)?
5. Training and Awareness
- What level of cybersecurity training is provided to personnel in the maritime industry?
- How often are drills or updates on cybersecurity conducted for crew members and shore-based personnel?
6. Incident Response and Recovery
- What is the current state of incident response plans in the maritime sector for addressing cybersecurity breaches?
- Have there been any notable cases of cyberattacks or incidents, and how were they handled?
- How does the industry collaborate with national and international bodies when a cyber incident occurs?
7. Cybersecurity Technologies
- What types of cybersecurity technologies and solutions are currently being adopted in the maritime sector (e.g., intrusion detection systems, encryption, firewalls, etc.)?
- Are there any emerging technologies that could help mitigate cybersecurity risks in marine shipping?
8. Cyber Risk Management and Insurance
- How do shipping companies manage cyber risks from an insurance and liability perspective?
- Is there a recognized need for cyber risk insurance specifically tailored to the maritime industry?
9. Cooperation and Information Sharing
- How do different maritime stakeholders (shipping companies, port authorities, vessel owners, etc.) collaborate to share information on cyber threats?
- Are there any existing platforms for global collaboration in maritime cybersecurity?
10. Global Legislation or Regulation
- Should there be a global standard for cybersecurity practices in shipping, or should each region (e.g., the European Union, United States, Asia) adopt separate regulations?
- What would be the advantages and challenges of implementing uniform international cybersecurity legislation in the maritime sector?
Objectives of the Sub-Committee’s Study
The sub-committee’s task is to analyse the information collected from these questionnaires and related research in order to:
- Assess the level of preparedness within the industry to combat cyber threats.
- Identify existing gaps in cybersecurity regulations and practices that need to be addressed.
- Recommend global frameworks or best practices for cybersecurity across the maritime industry.
- Propose uniform legislation or regulation to ensure that all maritime stakeholders implement effective cybersecurity measures.
The findings from the questionnaire will help the sub-committee provide recommendations for future legislation or regulation, creating a standardized approach to cybersecurity in marine shipping that is globally recognized and adopted. These efforts will help ensure the resilience and security of the maritime industry as it faces the increasing threat of cyberattacks.
Next Steps
Once the questionnaire is complete and data is gathered, the sub-committee will likely:
- Analyse responses and identify patterns in current cybersecurity practices, challenges, and regulatory gaps.
- Collaborate with international bodies (such as the IMO, IACS, and national maritime authorities) to create a comprehensive regulatory proposal.
- Engage stakeholders to ensure broad participation and feedback from the maritime sector.
- Finalize recommendations for cybersecurity legislation or regulation.
The work of the Comité Maritime International (CMI) Sub-Committee on Cybersecurity in Marine Shipping is highly relevant to the insurance industry, particularly in the context of cyber risk, liability, and coverage. As the maritime industry faces increasing cyber threats, the insurance industry must evolve to address the unique challenges posed by these risks. Below are the key ways in which CMI’s work on cybersecurity can impact the insurance sector:
1. Raising Awareness and Defining Cyber Risks
- Clarifying Cyber Risks: By gathering data on cybersecurity threats, vulnerabilities, and incidents within the maritime sector, the CMI can help clearly define cyber risks in marine shipping. This includes identifying potential threats to vessel operations, port systems, communication infrastructure, and supply chains.
- Insurance Policies and Underwriting: For underwriters, having a clearer understanding of the cybersecurity landscape will improve their ability to assess risks and price policies accurately. They will be able to determine which systems are most vulnerable and how to quantify the risk of cyberattacks that could impact a vessel, port, or shipping company.
Without standardized definitions and classifications of cyber risks, it is difficult for insurers to assess coverage needs effectively. The CMI’s work will help bring greater clarity and consistency in identifying cyber threats, allowing for more accurate underwriting of maritime cyber risk policies.
2. Influencing Policy Development
- Cybersecurity Standards and Regulations: The CMI sub-committee’s work on uniform legislation could significantly shape the regulatory environment for cybersecurity in the maritime industry. For the insurance sector, this would provide clearer guidelines on minimum cybersecurity practices that shipping companies must adhere to, directly influencing the design of insurance products.
- Mandatory Insurance Requirements: As the CMI works toward a more unified regulatory framework, some jurisdictions might require cyber risk insurance for maritime operators as part of their compliance with global cybersecurity standards. Insurance companies could be required to offer coverage tailored to these standards, ensuring that the industry is adequately protected.
3. Impact on Marine Cyber Risk Insurance Products
- Demand for Cyber Risk Insurance: With increasing recognition of the potential impacts of cyber threats on maritime operations, demand for marine cyber insurance is growing. CMI’s efforts could stimulate the development of new insurance products that address specific maritime cyber risks.
- Tailored Insurance Coverage: As CMI’s work leads to the development of common cybersecurity guidelines and best practices, insurers will be better positioned to create customized coverage that meets the specific needs of the maritime sector, including policies that cover the following:
  - Cyberattacks on vessels (e.g., ransomware, data breaches).
  - Loss of service (e.g., vessel downtime due to a cyberattack on operational technology).
  - Business interruption (e.g., delays caused by compromised communication systems or cargo tracking).
  - Third-party liability (e.g., impact on customers or suppliers from a cyber incident).
- Cyber Risk Modelling: Insurers will need better risk models to evaluate the probability and impact of cyber incidents. As the CMI develops a clearer understanding of maritime cybersecurity vulnerabilities, insurance companies will be able to refine these models to improve their pricing and risk assessment capabilities.
4. Managing Liability and Claims
- Cyber Liability: One of the biggest challenges in the maritime insurance sector is determining who is liable in the event of a cyberattack. If a ship’s operations or data are compromised due to inadequate cybersecurity, should the insurer hold the vessel owner, a third-party service provider, or another party liable?
- CMI’s Uniform Regulations: If the CMI’s efforts result in standardized cybersecurity regulations, the liability landscape in case of a cyber incident may become clearer. This would allow insurance companies to better allocate liability and ensure that the right parties are covered.
- Claims Handling: The introduction of more comprehensive cybersecurity regulations could also impact how cyber-related claims are handled. Insurers would need to develop expertise in assessing the severity of cyber incidents, understanding mitigation efforts, and verifying compliance with regulatory frameworks when processing claims.
5. Encouraging Proactive Risk Management
- Cybersecurity as a Risk Mitigation Strategy: Insurers are increasingly incentivizing businesses to adopt strong cybersecurity practices by offering discounts or lower premiums to companies that implement robust cybersecurity measures. As CMI’s sub-committee works on identifying best practices, insurers can incorporate these guidelines into their risk management strategies, encouraging proactive cybersecurity measures.
- Loss Prevention: Insurers will also benefit from a more secure maritime industry. A reduction in cyberattacks and incidents, due to improved standards and regulations, will lead to fewer claims. As cybersecurity improves, insurers will be able to maintain lower loss ratios and stabilize the cost of marine insurance products.
6. Reinsurance and Global Risk Pools
- Reinsurance Market: The growing concern over cyber threats in the maritime industry also impacts the reinsurance market. Reinsurers need to understand the systemic nature of cyber risks in global shipping operations, especially as cyber incidents can have widespread, cross-border implications. The CMI’s work on developing uniform cybersecurity standards can help reinsurers assess risk more effectively and create new reinsurance solutions for marine operators and primary insurers.
- Global Risk Pools: As maritime shipping operates on a global scale, the introduction of international cybersecurity standards may foster the creation of global risk pools or mutual insurance mechanisms to share the financial burden of cyber incidents across the industry.
7. Cybersecurity and Business Interruption Insurance
- Business Interruption Risk: One of the major areas affected by cyber risks in shipping is the potential for business interruption. For example, a cyberattack that disrupts operations at a port or affects a vessel’s navigational systems could result in significant delays and loss of revenue. The CMI’s work on defining cybersecurity risks and standards will help insurers understand these types of risks, enabling them to offer more comprehensive business interruption insurance policies tailored to maritime operations.
8. Developing a Unified Global Approach
- Cross-Border Insurance Coverage: The global nature of shipping means that insurance policies need to account for risks across various jurisdictions with different cybersecurity regulations. As the CMI works towards creating a more uniform global approach to cybersecurity, insurers will have a clearer framework to offer policies that are applicable in multiple regions. This will make it easier for multinational shipping companies to procure cyber insurance that covers their entire operations.

Conclusion
The CMI’s work on cybersecurity in marine shipping has a significant impact on the insurance industry: it clarifies risks, defines standards, and encourages the development of specialized products tailored to the growing threat of cyberattacks. By providing clearer regulations, best practices, and a more unified approach to cybersecurity, the CMI can help the insurance industry mitigate risk more effectively, reduce the frequency of cyber-related claims, and promote proactive cybersecurity measures within the maritime sector.
For insurers, this initiative will likely lead to the creation of new cyber insurance products, better risk models, and more consistent claims management practices. Additionally, the work can help to shape liability frameworks and potentially create global insurance pools to address the challenges posed by cyber risks in the interconnected world of maritime shipping.
Alberto Batini, LLM