US Coast Guard – New cybersecurity rule

LOSS PREVENTION UPDATE: UNITED STATES COAST GUARD – NEW CYBERSECURITY RULE

Published: 3 February 2025

The United States Coast Guard (USCG) has published its final rule to introduce cybersecurity requirements for US-flagged vessels, along with port/terminal facilities and outer continental shelf facilities.

The rule takes effect from 16 July 2025 and will commence a 24-month period to achieve full compliance with the standards required in the rule.

Points to note:

This applies only to US-flagged vessels that must comply with 33 CFR Part 104, for example cargo ships greater than 100 gross tons
From 16 July 2025, it will become mandatory to submit a report to the National Response Center should a reportable cyber incident be identified
By 12 January 2026, personnel must have been trained in accordance with the requirements of the rule and additional training procedures identified as necessary
By 16 July 2026, a Cyber Security Officer (CySO) must be designated
Also, by 16 July 2026, a cyber security assessment must be completed, with a cyber security plan submitted to the USCG for approval
It will be necessary to conduct at least two cyber security drills annually and conduct at least one cyber security exercise per year.

This new regulation will represent a major change for US-flagged shipping, and we recommend that the new rule is fully read and understood. The USCG has also produced a helpful factsheet to assist. Please note there are concerns that the timeline is too short for the shipping industry to comply, as such the USCG is considering arguments for a longer implementation period for shipping, with the results of that consultation to be announced after 18 March 2025. We will provide a further update should there be any major changes announced.