Part of the RECOVER Playbook
Phase: Recover · All vessels
Satisfies: E26 · E27 · IMO ISM Code §9 · BIMCO v5

Post-Incident Debriefing

This guide provides a structured debrief process following a cyber incident — capturing lessons learned, identifying control gaps, and producing the documented evidence required for Class records, insurance, and the SCSRP update. Under ISM Code §9, non-conformities and near-misses must be reported, investigated, and corrective actions implemented. The Post-Incident Review (PIR) is the mechanism that satisfies this requirement for cyber events.

The incident is not truly over until the Post-Incident Review is complete and the findings are documented. This meeting — often called a “Hot Wash” — should happen within 72 hours of the vessel returning to normal operations while the timeline, decisions, and observations are still fresh. A PIR conducted a week later produces a much weaker report and a much weaker Class evidence package.

The debriefing team — who must attend

The PIR must include every party who had a role in the incident response. Shore-side attendance via Iridium or video call is acceptable for the DPA and CSO if the vessel is at sea.

Master: Operational decisions · safety impact · command structure review · chairs the meeting
ETO: Technical timeline · root cause · system state evidence · facilitates the debrief and takes notes
Chief Engineer: Machinery and PMS behaviour · local manual control execution · ECR perspective
DPA / CSO (shore): Company-wide risk · regulatory notifications made · insurance and legal implications

Debrief agenda — structured 90-minute session

Run the debrief in this order. The ETO facilitates and takes notes — the Master chairs the meeting. Do not allow the session to become a blame exercise — focus on the system, not the person.

0–10 min · Timeline reconstruction: ETO presents the chronological incident timeline from first detection to recovery complete. Each participant confirms or corrects the timeline from their perspective. The agreed timeline becomes the official record.
10–25 min · Root cause analysis: How did the threat enter the vessel? Work backwards from Patient Zero. Was it a USB device, a phishing email, an OEM remote session, or a network misconfiguration? The root cause drives all corrective actions; if the root cause is wrong, the corrections will miss the mark.
25–40 min · Detection effectiveness review: Did the IDS or syslog detect the threat early? If detection was late, why: signature gap, alert fatigue, log retention too short, or monitoring not active on the affected zone? This section directly feeds the DETECT phase update.
40–55 min · Response and recovery review: Was the Severity Matrix applied correctly? Was network isolation timely? Did RTO targets hold? Were manual fallback procedures executed correctly? Were the right people notified at the right time? Note every gap; these become corrective actions.
55–75 min · Corrective actions agreement: For each gap identified, agree a specific corrective action, a responsible person, and a completion deadline. Actions without an owner and a deadline do not get completed. ETO records each action in the PIR report with status “Open.”
75–90 min · Plan update and sign-off: Agree which SCSRP sections require updating and who is responsible. Master and ETO sign the PIR report. Confirm the DPA will submit a CSDD amendment to Class where required. Set a follow-up date to verify corrective actions are closed.

The five key questions

To avoid a blame culture, guide the discussion using these objective questions. Every answer must be documented in the PIR report — not just discussed and forgotten.

What was Patient Zero?
How did the threat enter the vessel — USB device, phishing email, OEM remote session, compromised VSAT link, or supply chain? The entry vector determines every subsequent corrective action.
Did the DETECT phase work?
Did IDS, syslog, or monitoring detect the threat before it caused damage? If not — was the sensor absent, misconfigured, or was the alert dismissed? How much earlier could detection have happened with current infrastructure?
Was the RESPOND phase effective?
Was the severity correctly classified? Was isolation fast enough to prevent lateral movement? Were manual fallbacks activated before attempting digital recovery? Were the SITREP communications clear and timely?
Were backups current and recoverable?
Did the Golden Image restore successfully? Was there any data loss beyond the RPO target? How old was the last verified backup? Was the backup media itself affected by the incident?
What is the one thing we change today?
Every debrief must end with at least one concrete immediate action — not a review or a committee. Something that changes today. A disabled USB port, a rotated password, a new firewall rule, a revised drill schedule. This action is the most important output of the debrief.

PIR report — required sections

The PIR report is a formal document for the Safety Management System. It must be completed within 5 working days of the debrief. The ETO drafts it — the Master and DPA sign it. It becomes part of the permanent vessel record and will be requested by Class at the next survey.

Section · Required content
Executive summary: Three sentences: what happened, when it happened, and what the operational impact was. Written for company management and the Class surveyor, with no technical jargon.
Incident timeline: Chronological log from first detection to recovery complete, with UTC timestamps, action taken, and who took it. This is the agreed timeline from the debrief session.
Root cause analysis: Technical description of how the threat entered, how it propagated, and which CBS were affected, with their criticality category. Include Patient Zero device details.
Detection gap analysis: Why was detection early, late, or absent? What monitoring change would have detected the threat sooner? Reference specific syslog entries or IDS alert gaps.
Response effectiveness: Assessment of each Respond phase action: what worked, what was delayed, what was skipped, and why. Include actual vs target time for network isolation and manual fallback activation.
Recovery performance: Actual recovery time vs documented RTO for each affected CBS. Data loss vs RPO target. Golden Image restore success or failure. Any recovery complications encountered.
Corrective actions register: Table of every corrective action agreed at the debrief: action description, responsible person, deadline, and current status (Open / In Progress / Closed). Updated at each follow-up until all actions are closed.
Plan update requirements: Which SCSRP sections require updating, who is responsible, and the target completion date. Reference the CSDD amendment MoC number if a Class submission is required.
Signatures and approval: ETO (author) · Master (vessel authorisation) · DPA (company sign-off). All three signatures are required before the report is filed in the SMS and submitted to Class.
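The Response effectiveness and Recovery performance sections are derived from the agreed timeline, and it is easy to get the arithmetic wrong when the timeline is kept as free text. The script below is an added example, not part of the playbook or any vessel's tooling: it holds the timeline as UTC-stamped events, checks that the agreed order is consistent, and produces the actual-vs-target figures plus the list of gaps that go into the corrective actions register with status Open. The event tags, system names (ECDIS, PMS), criticality labels, RTO/RPO values, backup times and the Respond-phase isolation and fallback targets are all constructed for illustration and would come from the vessel's own SCSRP in practice.

```python
"""Derive PIR actual-vs-target figures from the agreed incident timeline.

Added example. Every event, system name, target and timestamp below is
constructed for illustration; none of it describes a real vessel.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime      # UTC timestamp, as the PIR timeline section requires
    actor: str        # who took the action
    action: str       # canonical action tag used for the calculations below
    cbs: str = ""     # affected computer-based system, if system-specific


@dataclass(frozen=True)
class CbsTarget:
    category: str     # criticality category label (assumed, from the SCSRP inventory)
    rto: timedelta    # documented recovery time objective
    rpo: timedelta    # documented recovery point objective


def utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp and pin it to UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed timeline, in the order agreed at the debrief.
TIMELINE = [
    Event(utc("2024-03-12T04:10"), "ETO", "first_detection"),
    Event(utc("2024-03-12T04:32"), "Master", "severity_classified"),
    Event(utc("2024-03-12T04:45"), "ETO", "network_isolation"),
    Event(utc("2024-03-12T05:05"), "Chief Engineer", "manual_fallback"),
    Event(utc("2024-03-12T09:40"), "ETO", "restore_complete", cbs="ECDIS"),
    Event(utc("2024-03-12T11:15"), "ETO", "restore_complete", cbs="PMS"),
    Event(utc("2024-03-12T11:30"), "Master", "recovery_complete"),
]

# Constructed targets; in practice these are the documented SCSRP values.
TARGETS = {
    "ECDIS": CbsTarget("Cat 1", rto=timedelta(hours=4), rpo=timedelta(hours=24)),
    "PMS": CbsTarget("Cat 2", rto=timedelta(hours=8), rpo=timedelta(hours=24)),
}
LAST_VERIFIED_BACKUP = {            # constructed: when each Golden Image was last verified
    "ECDIS": utc("2024-03-11T20:00"),
    "PMS": utc("2024-03-10T02:00"),
}
ISOLATION_TARGET = timedelta(minutes=30)   # assumed Respond-phase target
FALLBACK_TARGET = timedelta(minutes=60)    # assumed Respond-phase target


def timeline_is_ordered(timeline):
    """The agreed timeline must not step backwards in UTC; if it does, a clock
    or a log source was wrong and the timeline is not yet agreed."""
    return all(a.ts <= b.ts for a, b in zip(timeline, timeline[1:]))


def first(timeline, action, cbs=""):
    """Return the first event with the given action tag (and CBS, if given)."""
    for ev in timeline:
        if ev.action == action and (not cbs or ev.cbs == cbs):
            return ev
    raise ValueError(f"timeline has no '{action}' event for {cbs or 'vessel'}")


def assess(timeline, targets, backups, isolation_target, fallback_target):
    """Compute actual-vs-target figures measured from first detection.

    Returns (metrics, open_actions); each open action is a candidate row for
    the corrective actions register with status 'Open'."""
    t0 = first(timeline, "first_detection").ts
    metrics = {
        "isolation_delay": first(timeline, "network_isolation").ts - t0,
        "fallback_delay": first(timeline, "manual_fallback").ts - t0,
        "total_recovery": first(timeline, "recovery_complete").ts - t0,
        "per_cbs": {},
    }
    actions = []
    if metrics["isolation_delay"] > isolation_target:
        actions.append(("Network isolation exceeded Respond-phase target", "Open"))
    if metrics["fallback_delay"] > fallback_target:
        actions.append(("Manual fallback activation exceeded target", "Open"))
    for name, tgt in targets.items():
        recovery = first(timeline, "restore_complete", cbs=name).ts - t0
        # Worst-case data loss: everything written since the last verified backup.
        data_loss = t0 - backups[name]
        metrics["per_cbs"][name] = {
            "recovery": recovery, "rto": tgt.rto, "data_loss": data_loss, "rpo": tgt.rpo,
        }
        if recovery > tgt.rto:
            actions.append((f"{name} ({tgt.category}) recovery exceeded RTO", "Open"))
        if data_loss > tgt.rpo:
            actions.append((f"{name} last verified backup older than RPO at incident time", "Open"))
    return metrics, actions


if __name__ == "__main__":
    if not timeline_is_ordered(TIMELINE):
        raise SystemExit("timeline not in UTC order; re-agree it before assessing")
    m, open_actions = assess(TIMELINE, TARGETS, LAST_VERIFIED_BACKUP,
                             ISOLATION_TARGET, FALLBACK_TARGET)
    print(f"isolation {m['isolation_delay']} (target {ISOLATION_TARGET})")
    print(f"fallback  {m['fallback_delay']} (target {FALLBACK_TARGET})")
    for name, row in m["per_cbs"].items():
        print(f"{name}: recovery {row['recovery']} vs RTO {row['rto']}, "
              f"data loss {row['data_loss']} vs RPO {row['rpo']}")
    for desc, status in open_actions:
        print(f"[{status}] {desc}")
```

Measuring every interval from first detection matches the timeline definition in the report ("from first detection to recovery complete"); if the SCSRP defines RTO from a different start point (loss of service, or severity declaration), change `t0` accordingly rather than quietly reporting a better number. The data-loss figure is the worst case, so a system restored from a backup that was older than its RPO is flagged even if little data actually changed.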

Closing the loop

The PIR report feeds directly into the Updating the Cyber Plan process. Every corrective action becomes either an SCSRP update, a CSDD amendment, or a crew training requirement. The risk scores in the IDENTIFY phase must be revised if a system that was classified as low risk was the incident entry point.

Class surveyors at the next annual survey will ask to see the PIR report for any incident that occurred since the previous survey. A missing PIR is a Class finding — not because the incident occurred, but because the investigation and corrective action process was not followed. The PIR demonstrates a functioning cyber management system.
