TL;DR — too long, didn’t read
The first IACS E26/E27 newbuilds are in service, and class surveyors are now checking whether the paperwork matches reality.
The Swedish Club bundled live threat intelligence into its marine cyber membership. Insurers are shifting from passive cover to active risk management.
The USCG released new implementation guidance on 16 June, putting risk assessments at the centre of Marine Transportation System cybersecurity compliance.
Class, insurance, and flag state are tightening the screws on the same ships at the same time.
Three things that matter this week
IACS E26/E27 meets the surveyor
IACS Unified Requirements E26 ("Cyber Resilience of Ships") and E27 ("Cyber Resilience of On-Board Systems and Equipment") became mandatory for new ships contracted on or after 1 July 2024. That was well covered at the contracting stage. What gets less attention is what happens after delivery.
The first E26/E27 newbuilds entered service across 2024 and 2025. By mid-2026 they are reaching their first cyber-relevant class surveys. CYTUR's 2026 maritime cyber threat white paper calls 2026 the "first year of practical verification" for E26/E27: surveyors are now checking whether newbuild cyber compliance holds up in practice, not just on paper.
Integration is where it gets hard. E27 applies to individual systems and equipment, so a modern vessel carries several E27-certified components from different vendors. Getting them to talk to each other securely, without breaking the encrypted handshakes each E27 profile requires, is a real problem for shipyards and system integrators.
Owners without internal cyber expertise are handing their Cyber Security Management System (CSMS) to specialist providers. Compliance-as-a-service is now its own market category.
Why this matters for maritime: a requirement on paper is not the same as one a surveyor can verify, and 2026 is the year that gap closes. Ships contracted under E26/E27 now face real scrutiny, not a theoretical checklist.
What to do: if your vessel was contracted after 1 July 2024, confirm with your class society when the first cyber-focused survey is due and what documentation it will want. If you are running a CSMS without dedicated internal cyber resource, map the gap now rather than at the survey. For shipyards with live newbuild programmes, test E27 interoperability during integration, not at delivery.
Your insurer starts sending threat intelligence
Earlier this month, on 2 June, the Swedish Club announced a cooperation with the maritime cyber monitoring firm CyberOwl and with DNV Cyber to give members structured, ongoing threat intelligence.
It sits alongside the Club's existing marine cyber insurance rather than replacing it. Members get quarterly updates on emerging cyber threats and trends affecting shipping, vulnerabilities and attack methods relevant to maritime operations, lessons learned from incidents and market developments, and practical guidance to support cyber resilience and preparedness.
Trade press put the reach at roughly 1,000 insured vessels. That figure comes from the coverage, not from the Swedish Club's own release.
The number matters less than the direction. P&I clubs have always priced cyber risk. What is new is the expectation that the insurer also helps prevent the incident, and gets a clearer view of what it is covering in the process.
Why this matters for maritime: when your P&I club starts sending you threat intelligence, the message is that passive cover is no longer enough. That changes what membership asks of the operator, not only the underwriter.
What to do: if your vessel or fleet carries a marine cyber policy, ask your club or insurer what threat intelligence or advisory services come with it. If the answer is none, treat that as a gap in your risk programme. For shore-side teams, a quarterly third-party threat briefing is a practical supplement to in-house monitoring, especially for smaller operators with no dedicated maritime cyber staff.
USCG guidance puts risk assessments at the centre of MTS compliance
On 16 June, the U.S. Coast Guard released additional policy and implementation guidance to help regulated maritime entities meet its cybersecurity rules.
The guidance supports the baseline cybersecurity requirements for U.S.-flagged vessels, facilities, and Outer Continental Shelf facilities under the Marine Transportation System cyber rule. It is meant to help industry and Coast Guard personnel apply the rule consistently on the way to full compliance, with risk assessments at the centre.
The timeline is what to plan around. The MTS cyber final rule took effect in 2025. A personnel cybersecurity training deadline fell in January 2026. The next milestone asks covered operators to designate a Cybersecurity Officer, complete cybersecurity assessments, and submit plans, by 16 July 2027.
That is thirteen months out. For anyone who has not started the assessment, the quiet window to do it is closing.
Why this matters for maritime: 16 July 2027 is not a distant horizon. Appointing a qualified Cybersecurity Officer, running a credible risk assessment, and producing a compliant plan all take time. Leaving it to the back half of 2027 is a resourcing risk.
What to do: U.S.-flagged vessel operators and covered facility managers should confirm whether they are in scope for the MTS cyber rule and, if so, map the remaining milestones against their operational calendar. If no Cybersecurity Officer has been named, that appointment is the critical-path item. The new USCG guidance is worth reading as implementation context, not just legal formality.
In case you missed it
Ancona post-mortem now public (follow-up to issue #11): Resecurity published a detailed post-mortem on 11 June of the Anubis ransomware attack on the Adriatic Port Authority, which operates the Port of Ancona, the incident we covered in issue #11. The new detail: a reported $10 million Bitcoin demand, a spear-phishing email as the entry point, roughly 2% of data lost (backups held the rest), and a sector warning about more ransomware and supply-chain intrusions against port authorities. This is not a new breach. It is the after-action account of the one we already covered.
AIS 'trolling' in the Strait of Hormuz (follow-up to issue #15): alongside the jamming (see Number of the week), fake vessel names such as "Jersey Devil 404", "Opium Cargo" and "Dead Wallet Crew" are showing up in AIS feeds as apparent disinformation of unknown origin. Analysts reckon AIS-visible traffic may undercount the real number of vessels by up to about 50%.
CYTUR unveils a full-lifecycle maritime cyber system: the Korean firm CYTUR launched an integrated maritime cybersecurity offering spanning a vessel's whole lifecycle, pitched as a response to tighter international regulation and the spread of autonomous navigation.
Coming up
Monaco Energy Boat Challenge — Yacht Club de Monaco — Monaco, 8–11 July 2026. Andrzej Gab speaks on the cyber panel.
DEF CON Maritime Village — 6–9 August 2026.
Number of the week
972 — The average number of ships per day that had their GPS jammed in the Arabian Gulf and Strait of Hormuz between 15 and 18 June, according to Windward.
It peaked above 1150 vessels on a single day that week and dropped to 693 on the quietest. On 18 June at least 120 tankers over 10000 DWT were affected, including 27 very large crude carriers (VLCCs) and 24 containerships. Strait of Hormuz transits fell roughly 20% week on week: 118 on 16 June against 147 the week before, and 114 on 17 June.
At that scale, jamming stops being an incident you log and move on from. It is a standing condition that voyage planning, bridge procedures and contingency drills have to treat as a baseline for the region, not an exception.
Resource of the week
Dryad Global — "Maritime Cyber Risk in 2026"
(Metis Insights; Channel 16 / Dryad Global, June 2026)
It argues that maritime cyber risk has moved off shore-based IT and into OT and vessel systems, with consequences now reaching navigation, cargo handling and port operations, not just data loss. It maps GPS interference and AIS spoofing across the Red Sea, Baltic, South China Sea, Caribbean and Middle East. Good framing for voyage-planning and operational-risk conversations with non-technical stakeholders.
Want more depth?
Maritime Cyber Intelligence Brief covers what the weekly cannot: full incident timelines, regulatory analysis, GNSS threat data, and OT advisory breakdowns.
Read of the week
"Maritime Cybersecurity: A Guide for Leaders and Managers" by Gary C. Kessler and Steven D. Shepard
The foundational leadership-level text on maritime cyber. Hand it to executives, DPAs, and anyone who owns the risk but does not sit at the keyboard. It connects regulatory obligation to operational reality without assuming a technical background.
