The U.S. Coast Guard has rolled out a major cybersecurity regulation that’s set to change how maritime companies think about digital risk, requiring them to report cyber incidents and build cybersecurity governance frameworks. This isn’t just another compliance box to check — it’s a strategic shift for the entire industry.
Maritime sector under threat
Cybersecurity represents a growing risk for ships and their owners and operators. Technology provider Marlink, which monitored cyber threats against 1,800 vessels during the first six months of 2024, reported 23,400 malware detections and 178 ransomware attacks during that period. Increasingly sophisticated cyberattackers — often linked to organized cybercrime or geopolitical tensions — can jeopardize crew safety, disrupt cargo operations, trigger environmental hazards, and cause operational shutdowns, which can delay voyages and threaten both shipping companies’ bottom lines and global supply chains.
Common cyber threats to vessels and shipping companies include:
Ransomware attacks, which can lock down navigation, cargo, and communication systems, effectively halting vessel operations. Attackers often demand millions of dollars in ransoms to unlock these systems.
GPS spoofing and jamming, which can mislead ships into unsafe waters or cause them to lose situational awareness. This increases collision risks, threatening the safety of crewmembers and cargo.
Malware infections introduced via USB devices, crew devices, and software updates, potentially corrupting propulsion, ballast, and cargo systems.
Phishing attacks, through which attackers can obtain crew or shore staff credentials, allowing them to gain access to myriad sensitive systems.
Supply chain infiltrations via third-party vendors, through which attackers can gain access to shipboard or port networks.
The Coast Guard’s new rule
The Coast Guard’s cybersecurity rule puts cyber risk management front and center in the Marine Transportation System (MTS), treating cyber threats as a real and present danger to national security and maritime operations. The rule applies to U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and any facility covered under the Maritime Transportation Security Act (MTSA).
The rollout of the rule includes three phases:
Phase 1 (starting July 16, 2025): Any reportable cyber incident must be reported to the National Response Center (NRC). Reportable incidents include those that:
Disrupt or could disrupt the normal operations of a vessel, facility, or system within the MTS.
Compromise the confidentiality, integrity, or availability of critical cyber systems or operational technology.
Impact safety, security, or environmental protection.
Trigger the activation of shipping companies’ cybersecurity or incident response plans.
Phase 2 (by January 12, 2026): All personnel working on U.S.-flagged vessels, at OCS installations, and at any other facilities covered under the MTSA — along with contractors and third-party staff with access to critical systems — must complete cybersecurity training, including about how to recognize and detect threats and how and when to report incidents. Additional specialized training is required for individuals working with operational technology.
Phase 3 (by July 16, 2027): Companies must enact cybersecurity governance and planning frameworks. This includes:
Appointing cybersecurity officers.
Conducting formal cybersecurity assessments.
Submitting cybersecurity plans for approval by the Coast Guard.
Providing additional training once plans are approved.
Risk and insurance considerations
With the new rule in effect, cybersecurity is now on par with physical safety and environmental protection for maritime companies. For insurance and risk professionals, this is a wake-up call to review and optimize key insurance policies and to take steps to mitigate risk.
For example, organizations subject to the new rule should ensure their cyber insurance policies cover regulatory fines and penalties, breach response and forensic investigations, and business interruption resulting from operational technology system failures. Organizations should also work with their brokers to investigate marine-specific cyber endorsements or specialty marine cyber products tailored to vessel operations.
Organizations should also review their directors and officers liability (D&O) and errors and omissions (E&O) insurance. Naming a cybersecurity officer creates new executive liability risks for organizations. It’s vital that risk professionals ensure their D&O and E&O policies reflect this change.
Beyond insurance, organizations should:
Ensure compliance with requirements regarding training and risk assessments, for which insurers may start asking for proof. Organizations should keep detailed records and consider third-party audits to stay ahead.
Ensure their readiness to respond to incidents. A well-documented and tested response plan can reduce losses and improve claims outcomes. Some insurers may also offer premium credits for companies with strong response capabilities.
Prepare for regulatory scrutiny. Organizations can expect more Port State Control inspections focused on cybersecurity. Noncompliance could mean vessel detention, denial of entry, or other enforcement actions.
Vessel operators should not wait until 2027 to begin creating their new cybersecurity governance frameworks. Instead, they should begin conducting risk assessments and appointing cybersecurity officers now. It’s also important to engage insurance brokers quickly to ensure your insurance coverage aligns with the new rule.
Lastly, companies should explore other means of mitigating risk. If your operations are unique, consider applying for a Coast Guard-approved Alternative Security Program. Such a program could offer more flexibility or streamlined compliance requirements but would require that a vessel operator directly engage with the Coast Guard to develop an acceptable plan.
Cyber resilience
The Coast Guard’s new cybersecurity rule isn’t just about checking boxes — it’s about building resilience in a high-risk, high-value industry. By weaving cybersecurity into your broader risk and insurance strategy, you can both ensure compliance and safeguard your crew, your cargo, and your company’s future.