Cyber Management Course (Ma) – Module 2

Clause 380 Maritime Cyber Insurance – Clause 380

“1.1 Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system.

1.2 Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software programme or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.”

Be very careful to check that Clause 380 or similar ‘cyber’ exclusions are not present in a dedicated cyber liability insurance policy wording.


Clause 380 originally entered the insurance market in the offshore drilling industry. It is commonly found in maritime insurance policies and explains why cyber incidents are not normally covered. It is known as the INSTITUTE CYBER ATTACK EXCLUSION CLAUSE:

Example of this clause on a certificate

Cyber Management Course (Ma) – Module 1

Requirements and Obligations – TMSA

To be more specific, operators will be required to have:

procedures on software management

guidance on how to identify and mitigate cyber threats

availability of latest guidelines on cyber security from industry and classification society

password management procedures

and a cyber security plan which can be shared with staff to promote cyber awareness on board.

Further details regarding the TMSA 3 can be found on the Oil Companies International Marine Forum website.

The Cyber Operator Course (Op) concentrated more on learning and understanding the terminology behind cyber. The aim now, through the Management Modules (Ma), is to create one.


Tanker Management and Self-Assessment (TMSA) also requires plans and procedures to be implemented.

On 1 January 2018, the Oil Companies International Marine Forum’s (OCIMF) Tanker Management and Self-Assessment (TMSA) version 3 came into force.

The TMSA programme provides companies with a means to improve and measure their own safety management systems. One of the salient changes in the TMSA version 3 is the addition of the 13th performance element, which focuses on Maritime Security.

This new element will require Members who are subscribed to the Ship Inspection Reporting Programme (SIRE) to incorporate cyber risk security policies and procedures within the company/vessel’s operating procedures.


Requirements and Obligations – ISPS CODE

In accordance with chapter 8 of the ISPS Code, the ship is obliged to conduct a security assessment, which includes identification and evaluation of key shipboard operations and the associated potential threats.

As recommended by Part B, paragraph 8.3.5 of the ISPS Code, the assessment should address radio and telecommunication systems, including computer systems and networks. Therefore, the ship’s security plan may need to include appropriate measures for protecting both the equipment and the connection.


Requirements and Obligations – IMO Resolution MSC.428(98)

According to Resolution MSC.428(98), an approved Safety Management System (SMS) should take into account cyber risk management in accordance with the objectives and functional requirements of the International Safety Management (ISM) Code. The objectives of the ISM Code include the provision of safe practices in ship operation and a safe working environment, and the assessment of all identified risks to ships, personnel and the environment. Cyber risks should be appropriately addressed in an SMS no later than the first annual verification of the company’s Document of Compliance that occurs after 1 January 2021.


IMO Resolution MSC.428(98) identifies cyber risks as specific threats, which companies should try to address as far as possible in the same way as any other risk that may affect the safe operation of a ship and protection of the environment. Cyber risk management should be an inherent part of the safety and security culture conducive to the safe and efficient operation of the ship and be considered at various levels of the company, including senior management ashore and onboard personnel.

This means that the company needs to assess risks arising from the use of IT and OT onboard ships and establish appropriate safeguards against cyber incidents. Company plans and procedures for cyber risk management should be incorporated into existing security and safety risk management requirements contained in the ISM Code and ISPS Code.