Identifying, understanding and managing risks are a necessary core competency for any organization. Companies are increasingly facing new exposures, and cyber risks are now a major threat to businesses. A cyber incident can have significant financial, operational, legal and reputational impacts.
Federal regulation and oversight of cybersecurity is expanding rapidly, and terminal companies are reexamining how they protect their most important assets, their critical intellectual property and sensitive customer information.
ILTA Cyber-Threat Resilience Assessment Program
To address the growing risk of cyber threats, ILTA created a Cyber-Threat Resilience Assessment Program to help member companies evaluate their cyber defenses and identify and address vulnerabilities. The program focuses on operating models and skills that help companies build cyber‐threat resilience into their organization. Companies receive a detailed report that identifies gaps and areas of improvements and practical suggestions. The process also provides an educational and awareness platform for all employees on the topic of cybersecurity.
Coast Guard Guidelines for Addressing Cyber Risks
During July 2017, the U.S. Coast Guard issued a draft Navigation and Vessel Inspection Circular (NVIC) 05-17: Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities. Specifically, it directs MTSA-regulated facilities to assess cyber risks and address vulnerabilities in facility security plans, and provides guidance for developing a cyber risk management program based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publication 800-82. In September 2017, ILTA provided comments to the Coast Guard stating that cybersecurity requirements should be focused on facility functions with a nexus to maritime transportation, the agency must clarify its expectations for implementation of cybersecurity controls, many of the requirements included in the guidelines are in fact regulatory and require notice and comment rulemaking, cybersecurity is often not managed at a facility but rather at a far distance and it must be clear how facility security plans should address that circumstance, and, finally, that the Coast Guard must provide adequate training and direction to its district personnel to ensure consistent application of the guidelines.