Anglo-Eastern: Cyber security is no longer just an IT issue


Anglo-Eastern explains that as shipping becomes increasingly connected and data-driven, cyber security in 2026 is no longer just an IT issue, but a core business, safety, and regulatory concern.

According to Xerxes Kiok Kan, Head of Information Security, Governance, Risk & Compliance at Anglo-Eastern, regulators, shipowners, and auditors now demand tangible proof of effective controls. For operators, the competitive edge lies in demonstrable, consistent cyber resilience across fleets.

In addition, the maritime sector is experiencing three structural changes that are intensifying cyber risks:

  • Accelerating connectivity: Satellite networks such as Starlink, alongside hybrid communications, are removing vessels’ historical isolation, exposing shipboard systems to threats typically faced at corporate headquarters.
  • Greater OT integration: Operational Technology (OT) is delivering efficiency gains, but risks increase when segmentation and access controls fail.
  • Tightening regulation: Cyber security is now governed by both maritime and shoreside legislation, with stricter accountability and heavier penalties.

Cyber threats themselves are familiar, but their operational impact is intensifying: ransomware and extortion disrupting vessel operations; business email compromise; supply chain vulnerabilities; weak OT segmentation; and human-factor risks such as phishing or procedural workarounds. The challenge for operators is ensuring that cyber controls are consistently implemented and verifiable across both fleets and shore operations.

Regulation: catching up at sea and ashore

Cyber security lapses now carry clear financial, regulatory, and reputational consequences.

  • Maritime expectations: IMO’s MSC.428(98) cyber risk management guidelines remain the baseline but are under increasing scrutiny. The IMO’s 2025 Guidelines reference IACS UR E26/E27, ISO/IEC 27001, and the NIST Cybersecurity Framework, signalling a shift toward operational enforcement.
  • Shoreside laws: Maritime transport is now classified under national critical infrastructure regimes, including Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance (effective Jan 1, 2026) and the EU NIS2 Directive, which designates maritime as a high-criticality sector.

Penalties for non-compliance include:

  • NIS2: up to €10 million or 2% of global turnover
  • Hong Kong: up to HK$5 million plus daily fines

Industry experts caution that compliance alone no longer guarantees safety. True resilience requires OT cyber discipline, comprehensive asset visibility, segmentation, controlled remote access, clear roles, escalation paths, and measurable, auditable controls across shore and vessel environments.

One risk, one model: shore and vessel

Modern vessels must meet corporate cyber security standards. This includes baseline system hardening, identity and access governance, remote access monitoring, and crew training focused on practical, behavior-driven security. Cyber security is no longer a back-office function. It is an operating model embedded in day-to-day operations.

As IT and OT integration accelerates through telemetry, remote support, automation of fleet workflows, and early autonomous operations, the need for trusted, governed systems grows.

Emerging risks: AI and data privacy

Artificial intelligence is entering maritime operations rapidly. Key governance questions include accountability for AI decisions, compliance with ISO/IEC 42001, data isolation, access control, logging, supply chain risk management, and prevention of cross-customer data exposure.

Finally, crew data privacy is a critical concern. AI workflows often process sensitive information, creating potential GDPR-style liabilities and joint controllership exposures for operators.

Source: safety4sea
