I was surprised that the Coast Guard’s Final Rule on Cybersecurity went into effect on July 16. After many months of public comments and waiting, I was lulled into believing that the Coast Guard might delay implementation of the rule or even, at best, decide that small passenger vessels do not pose a material cybersecurity risk to the maritime transportation system at large.
It was easy for me to arrive at this hopeful assumption. In the proposed rule, the Coast Guard cited the Colonial Pipeline cyberattack, which shut down the fuel supply to the East Coast in 2021, as one of the prime risks the maritime industry needed protection from. While this may be true for large, technologically complicated companies and facilities, it is hard for me to imagine that small marine businesses such as mine, with low-tech vessels and small facilities, could ever pose a cyber risk to the U.S. maritime system.
Interestingly, some marine insurers have commented that cyber risks are low for small passenger vessel companies. They contend that cyber criminals are looking for large companies offering high financial returns. Passenger vessels just don’t fit into that category.
In fact, my small company has never experienced a cyberattack, and in the unlikely event that we encounter one, I feel adequately prepared with a good plan. This is not a hollow claim, as I already have a cybersecurity safety net in place through my Coast Guard-approved Passenger Vessel Association (PVA) Alternative Security Program (ASP). The ASP requires that I conduct vessel and facility risk assessments that, among other stringent security reviews, include a thorough examination of potential cyber exposures. As a result of this planning, I have contingencies in place to cope with the unexpected cyber probe.
Additional government regulation, such as this cyber rule, means more costs and increasing administrative burdens for small businesses like mine. I agree with the PVA, which has advocated that ASP participants should not be required to submit updated cyber guidance until the next update of five-year security plan renewals. This will help ensure that the cyber final rule can be smoothly and effectively implemented and will help avoid inefficient regulatory overreach.
