New Coast Guard Cyber Rules Take Hold Across U.S. Maritime Industry

 

In July 2025, new U.S. Coast Guard cybersecurity regulations went into effect. These regulations follow high-profile incidents, such as a 2021 Russian ransomware attack that shut down a major U.S. pipeline for days, causing fuel shortages and disrupting critical supply chains. The Russian pipeline attack demonstrated the severe consequences of a cyber incident and the growing risks posed by foreign adversaries such as China, Russia, and Iran. In response, the Coast Guard has issued regulations that now require vessels and facilities to adopt cybersecurity measures to protect the maritime sector against evolving threats.

The new cybersecurity regulations require every covered vessel and facility to create a Coast Guard–approved cybersecurity plan. The cybersecurity plan must be submitted to the Coast Guard, kept up to date, and integrated into the vessel or facility’s existing security framework. Owners and operators must also appoint a designated Cybersecurity Officer to oversee the plan, ensure compliance, and remain accessible to the Coast Guard 24/7.

The plan will ensure that the vessel or facility limits access to critical systems, protects data, and monitors for intrusions. Cybersecurity plans must implement specific cybersecurity measures such as: automatic account lockouts, strong passwords, multifactor authentication, and encryption of data. (No more leaving passwords on a sticky note).

The regulations also require personnel training and drills. All personnel with access to computer systems must now receive cybersecurity training. This means that any seafarer with regular access to a computer must be trained to recognize cybersecurity threats, detect incidents, and report them to the Cybersecurity Officer. Every covered vessel and facility must run cybersecurity drills twice a year, and a full exercise at least once every 18 months to test overall readiness. The drills focus on detecting, responding to, and mitigating cyber incidents.

Vessel and facility operators also must conduct regular assessments and testing to identify vulnerabilities, fix problems, and prepare for cyber incidents. Every covered vessel and facility must maintain an incident response plan, report cyber incidents, and keep records of training, drills, and testing. They must also undergo “penetration testing” where cybersecurity professionals attempt to exploit vulnerabilities to identify weaknesses. This penetration testing must be completed at least once every five years as a part of each cybersecurity plan renewal.

The new regulations apply only to U.S.-flagged vessels, marine facilities, and Outer Continental Shelf (OCS) facilities, but do not apply to foreign-flagged vessels. Covered vessels include oceangoing cargo ships and tankers, offshore supply vessels that service rigs and platforms, and passenger vessels certificated to carry more than 150 passengers, such as ferries or coastal cruise ships. Towing vessels longer than eight meters that move tank barges or other covered barges are also included. There are also less-obvious cases which would be covered by the regulations, such as a U.S.-flagged passenger vessel carrying more than 12 passengers on an international voyage (for example, a small fishing or dive trip from Florida to the Bahamas).

By contrast, smaller inland vessels such as harbor tugs, crane barges, dredges, and other workboats are generally not included unless they fall within a defined category. Generally speaking, if a vessel does not have significant tonnage, carry a large number of passengers, handle hazardous cargo, or operate abroad, it falls outside the scope of these new regulations. 

The regulations also extend to shoreside facilities as well. Covered facilities include container terminals, petroleum and chemical transfer facilities, major cruise ship terminals, and barge fleeting areas that handle hazardous materials in bulk. Facilities that receive large passenger vessels or SOLAS-class ships are also included. Smaller marinas, yacht clubs, and local boatyards are generally not covered by these cybersecurity requirements unless they serve these larger, regulated vessels.

While the regulations went into effect on July 16, 2025, there is a multi-year phase-in period for these new cybersecurity requirements. The key dates are:

• Reporting: Effective July 16, 2025, all covered vessels and facilities must report all cyber incidents occurring on or after that date to the National Response Center.
• Training: Personnel training must be in place by January 12, 2026, with annual refresher training required after that
• Cybersecurity Plans: Every covered vessel, facility, and OCS facility must submit a Coast Guard–approved cybersecurity plan (or an amendment to an existing security plan) no later than July 16, 2027
• Assessments and Testing: A first cybersecurity assessment must be conducted no later than July 16, 2027, and then annually. Penetration testing is tied to the renewal of the cybersecurity plan (every five years).

In practical terms, operators are already required to report all cyber incidents to the National Response Center, and will need to have their training programs running by early 2026. They will have until mid-2027 to complete their first cybersecurity assessments and submit their plans for approval. From then forward, they will be on a cycle of annual audits, exercises, and five-year plan renewals.

The implementation of these cybersecurity regulations will have ripple effects across the maritime industry. The new regulations will raise operating costs for vessels and facilities by requiring compliance with mandates such as hiring and training cybersecurity officers, developing cybersecurity plans, adopting enhanced security measures, conducting regular drills, and performing ongoing assessments and reporting. In the near term, it is possible that insurance costs may rise initially as the threat of cyberattacks is still increasing, and the industry is still adjusting.

In the long run, these mandatory cybersecurity regulations may reduce the likelihood of severe cyber incidents, making losses less frequent and more predictable for insurers. This predictability may eventually stabilize or reduce premiums over time. The ultimate impact of these regulations on the broader maritime industry remains to be seen, but these new regulations have pushed cybersecurity to the forefront of maritime operations.

Kevin G. Gallagher is a litigation associate at Hamilton, Miller & Birthisel, and focuses his practice on admiralty and maritime claims, commercial litigation, insurance claims and products liability.