IMX Panel To Tackle New Coast Guard Cybersecurity Regulations

The Coast Guard’s final rule on cybersecurity in the marine transportation system will be the topic of discussion for panelists at the upcoming Inland Marine Expo (IMX) May 28 to 30 in Nashville, Tenn.

The session, titled “Mastering Maritime Cybersecurity: A Discussion of the New USCG Regulation,” will be moderated by Andy Lee, a partner at Jones Walker LLP who founded and co-leads the firm’s privacy, data strategy and artificial intelligence team. T. Gwyddon “Data” Owen, director of cyber and technology at Universal Strategy Group Inc. (USGI) and co-founder of Coruscant Productions, a cybersecurity research and training company, is a confirmed panelist.

The session will focus primarily on understanding the new rule’s requirements, the timeline for compliance and the practical steps that affected entities need to take, Lee said.

“The rule aims to minimize cybersecurity-related transportation security incidents (TSIs) within the MTS by establishing requirements to enhance detection, response and recovery from cybersecurity risks,” he said. “It establishes mandatory cybersecurity requirements for the maritime sector.”

The rule adopts a performance-based approach, focusing on achieving security outcomes rather than mandating specific technologies. Non-compliance could lead to penalties, legal action and financial losses, Lee said. The rule is intended to address growing cybersecurity threats in the maritime space due to increased reliance on interconnected systems and to align with national cybersecurity strategies and legislation.

Panelists will flesh out the topic by offering different perspectives on cybersecurity and the Coast Guard regulation, Lee said.

“Our panelists will clarify the rule’s intent, explain the enforcement approach and address questions about compliance criteria and the potential implementation delays for U.S.-flagged vessels,” he said.

Panelists will also share insights from the original Notice of Proposed Rulemaking and the public feedback received.

“Industry representatives (vessel owners, facility operators) can discuss the practical challenges of implementing the rule, the potential costs and burdens, and share best practices or concerns from their sectors, particularly highlighting the impact on smaller stakeholders,” Lee said.

He also anticipates that panelists will elaborate on the need for a cybersecurity plan, cyber incident response plan and the designation of a cybersecurity officer (CySO).

“Cybersecurity experts can provide technical insights into the required security measures (account, device and data security), discuss how to conduct cybersecurity assessments and penetration testing and offer guidance on training personnel and developing incident response plans,” he said.

They may also touch upon the performance-based approach of the rule and how it allows for flexibility.

“I am most looking forward to discussing the practical implications of the rule for different types and sizes of maritime organizations, particularly how smaller stakeholders with potentially limited resources will achieve compliance,” Lee said. “Understanding the role of the CySO in these organizations and how they can effectively fulfill their responsibilities, even with other job duties or outsourced IT, will also be a key point of interest. Furthermore, exploring the balance between the mandatory requirements and the performance-based approach, and what that means for real-world implementation, would be valuable.”

The Coast Guard’s final rule was published January 17 and has an effective date of July 16, with cybersecurity training for all those who use information technology (IT) and operational technology (OT) systems required beginning July 17. Cybersecurity plans must be submitted to the Coast Guard for review and approval within 24 months of the rule’s effective date.

The rule applies to owners and operators of U.S.-flagged vessels, Outer Continental Shelf facilities and facilities subject to the Maritime Transportation Security Act of 2002 that are required to have a security plan under 33 CFR parts 104, 105 and 106. This includes cargo vessels, passenger vessels, OSVs, MODUs, towing vessels, cruise ships, container terminals, chemical facilities, petroleum terminals, LNG/LPG terminals, offshore oil and gas platforms, offshore drilling rigs and more.