New American shipping rules to impact Bermuda vessels
Bermudian-flagged vessels calling on American ports are now expected to comply with new cyberincident reporting mandates.
As of July 16, the US Coast Guard requires reporting of cyberincidents and annual cybersecurity training as well as submission of a cybersecurity plan by 2027.
Foreign-flagged vessels can expect heightened Port State Control scrutiny related to cybersecurity under the International Safety Management Code.
Nir Ayalon, chief executive and founder of Cydome, a cybersecurity firm, said: “At the same time, the European Union’s Network and Information Systems Directive 2 is also now active, placing similar expectations on vessels managed by or calling within the EU.”
He said that meant Bermudian-based fleets, ports and operators are increasingly affected by overlapping regulations.
“A global positioning system glitch, very-small-aperture terminal dropout, or unauthorised device connection can now trigger mandatory reporting obligations under more than one framework,” Mr Ayalon said.
His Israel-based firm has created a free tool specifically to help operators handle this complexity without any cost or promotional intent.
“It is a practical response to a regulatory shift that is already shaping how international fleets operate,” Mr Ayalon said.
Cydome’s data shows that roughly every three days, a shipping company faces a cyberthreat, yet many still struggle to operationalise existing guidance.
“The new United States regulation, applying to vessels, facilities, terminals and outer continental shelf facilities, mandates not only incident reporting but also cybersecurity staffing, procedures and governance,” Mr Ayalon said. “Incident reporting is just one pillar of the revamped federal law.”
Cydome said many of the incidents now deemed reportable are everyday glitches.
These events could include GPS spoofing or jamming, short VSAT dropouts, partial software updates that require a system restart, an unauthorised universal serial bus stick being plugged into a bridge computer, a sustained loss or degradation of communications, or a series of mistyped passwords that lock an account.
“Taken together, these otherwise routine events can generate dozens of mandatory reports during a single voyage,” Mr Ayalon said.
Noncompliant vessels could receive substantial civil fines, have their shipping certification suspended or be detained in port.
The Coast Guard could also issue Captain of the Port orders that require anchorage, tug escort or a full halt to cargo operations until the vulnerability is remedied.
Mr Ayalon said Cydome’s digital platform provides a step-by-step incident workflow, complete with built-in US Coast Guard templates that are pre-filled and auto-routed for seamless submission.
“While the US Coast Guard has been tasked to begin enforcing the new cyber-reporting legislation, Cydome turns the cyberincident ensuring process into a few clicks,” the firm stated.
Gary Kessler, former cyber official at the US Coast Guard, said: “Policy alone won’t keep ships safe; crews need a clear, repeatable way to act.”
Dr Kessler said that by translating every Coast Guard requirement into a straightforward process, Cydome delivered that clarity.