
Regulatory & Shore-Side Reporting

Response Objective: To fulfill legal and company obligations by providing timely, accurate incident data to the Company Security Officer (CSO) and external authorities.

When the vessel is under cyber-attack, the shore-side office acts as your “Extended Technical Team.” However, they can only help if the information you provide is structured and timely. A delayed report can lead to fines from Port State Control or a denial of entry into port.

The Reporting Timeline

In accordance with BIMCO and IACS standards, follow this tiered reporting window based on the severity identified in the Incident Severity Matrix.

IMMEDIATE (0-2 Hours)

Recipient: Company Security Officer (CSO).

Initial verbal SITREP. Confirmation of Level 3 (Critical) status and immediate safety of the crew/navigation.

DETAILED (12-24 Hours)

Recipient: Flag State, Port State, Class Surveyor.

Comprehensive written report including technical details and current containment/recovery status.

The Incident Data Package

Prepare a “Digital Evidence Bag” for the SOC or CSO. Send this via a Clean Connection (e.g., Master’s independent sat-phone or a 4G/5G hotspot).

Mandatory Evidence Checklist (REQUIRED FOR SOC)

  • Timestamp (UTC): Exact date and time the anomaly was first detected.
  • Affected Systems: List of Category II (Important) and III (Critical) systems currently offline.
  • Technical IDs (IP/MAC): Addresses of infected machines and any “Rogue” IPs identified on the network.
  • Log Samples: The last 50 lines of the Firewall or Syslog showing the malicious activity.
  • Visual Evidence: Photos of Ransomware notes, BSODs, or erratic hardware console behavior.
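
One way to assemble the checklist above into a single package, as an added example that is not part of the original playbook. The function name, file names and manifest layout are hypothetical, the sample log, system name and addresses are constructed, and the per-file SHA-256 values are an addition the checklist does not ask for, included so the SOC can confirm the files arrived unaltered.

```python
import hashlib, ipaddress, json, re, tempfile
from collections import deque
from datetime import datetime, timezone
from pathlib import Path

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_evidence_bag(out_dir, detected, affected_systems, hosts, log_path, photos=()):
    """Write log_sample.txt and manifest.json into out_dir; return the manifest dict."""
    if detected.tzinfo is None:
        raise ValueError("detection time must be timezone-aware so it can be stated in UTC")
    for ip, mac in hosts:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if not MAC_RE.match(mac):
            raise ValueError(f"malformed MAC address: {mac}")
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    # Checklist item: the last 50 lines of the firewall log or syslog.
    with open(log_path, errors="replace") as fh:
        tail = deque(fh, maxlen=50)
    sample = out / "log_sample.txt"
    sample.write_text("".join(tail))
    files = [sample, *map(Path, photos)]
    manifest = {
        "timestamp_utc": detected.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "affected_systems": list(affected_systems),
        "technical_ids": [{"ip": ip, "mac": mac.lower()} for ip, mac in hosts],
        "log_sample_lines": len(tail),
        # Added integrity check (assumption, not a checklist item): one hash per file.
        "sha256": {f.name: sha256_file(f) for f in files},
    }
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def demo():
    """Run on constructed sample data: a 120-line fake firewall log."""
    work = Path(tempfile.mkdtemp())
    log = work / "firewall.log"
    log.write_text("".join(
        f"2024-01-01T00:00:{i % 60:02d}Z DENY src=192.0.2.66 seq={i}\n" for i in range(120)))
    detected = datetime.fromisoformat("2024-01-01T03:15:00+03:00")  # ship's local time
    return work, build_evidence_bag(work / "bag", detected, ["ECDIS (Cat III)"],
                                    [("192.0.2.66", "00-1A-2B-3C-4D-5E")], log)

if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

Build the package on a machine that is not itself suspected of compromise, working from copies of the logs, and send the resulting folder over the Clean Connection.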

External Parties to Notify

The Master (supported by the ETO) is responsible for notifying the following parties if safety is impacted:

  • Port State Control (PSC): If the incident affects safe navigation or maneuvering within port limits.
  • The Flag State: Required if the incident resulted in a partial or total loss of “Essential Services.”
  • Equipment Vendors: (e.g., Kongsberg, Wärtsilä) To receive emergency patches or remote diagnostic support.

Legal Protection Note:

Under UR E26 §4.4.2, the ETO must not attempt to “wipe” a system until shore-side teams confirm they have enough forensic data. Prematurely wiping a system is considered a failure in regulatory compliance and may void insurance claims.
