SuperyachtNews.com - Operations - Cyber risk in the SMS

By Daniel Torres, Nauta Maritime

Cyber risk in the SMS

Daniel Torres, founder of Nauta Maritime, examines the private superyacht sector’s unresolved obligation …

When IMO Resolution MSC.428(98) came into force in January 2021, it established that cyber risk management must be incorporated into safety management systems (SMS). The language was unambiguous: cyber risk should be addressed with the same rigour applied to other operational risks documented in the SMS – fire, flooding, man overboard, structural failure.

Commercial shipping moved. Large operators updated their SMS documentation, engaged qualified assessors and began aligning their cyber risk frameworks with flag state expectations. Classification societies developed guidance, P&I clubs issued advisories, and the infrastructure of compliance – imperfect as it is – began to take shape.

However, private superyacht management, with some exceptions, did not follow.

This is not a criticism of individual captains or yacht managers. The regulatory picture for private yachts under MSC.428(98) is genuinely ambiguous at the enforcement level – flag state interpretation varies, ISM Code applicability differs depending on how a vessel is operated and the practical guidance produced for commercial operators does not translate cleanly to the structure of a private yacht programme. The result is that many captains and management companies understand that cyber risk is directionally a compliance issue, but cannot point to a clear, proportionate framework for addressing it within their existing operational structure.

The consequence is that cyber risk continues to sit in the gap between IT vendors selling connectivity solutions and compliance departments that have not yet determined how it fits into the SMS.

That gap matters for several reasons.


The liability question
The SMS framework places a duty of care on the Designated Person Ashore and, operationally, on the master. If cyber risk is a documented component of the SMS and an incident occurs that can be traced to a known, unmitigated vulnerability, such as a satellite terminal running default credentials, an unaudited remote access system or an IT network without basic segmentation, the question of whether adequate risk management was in place becomes directly relevant to the claims process.

This is not a hypothetical scenario. Marine cyber underwriters are increasingly requesting evidence of cyber risk management at the point of policy renewal. The LMA5402 and LMA5403 exclusion clauses, now standard in many hull policies, mean that the boundary between covered and excluded loss can turn precisely on whether the operator had a reasonable cyber risk posture in place.

For yacht managers acting as the DPA under an ISM-aligned management arrangement, this creates a professional exposure that deserves more structured attention than it is currently receiving.


The market gap
The private superyacht sector is served by a mature market of IT and connectivity providers: companies delivering VSAT, network infrastructure, vessel management systems, remote monitoring and technical support. That market has grown considerably over the past decade and provides genuine operational value.

It does not, however, provide independent cyber risk assessment. The distinction matters – a connectivity provider has a commercial interest in selling services and maintaining systems, while an independent advisory function brings a different perspective: not which systems to install, but how the existing digital infrastructure of the vessel should be understood in terms of risk, and what the proportionate response looks like within the context of the specific yacht’s SMS.

The absence of that independent layer means that most private superyachts have connectivity infrastructure that has never been assessed for security posture by a party without a direct interest in the outcome.

What proportionate looks like
A cyber risk assessment calibrated for a private superyacht is not a commercial maritime compliance exercise. It does not require the documentation burden of a large shipping operator, nor does it need to mirror the technical depth of an OT security audit conducted on an offshore platform.

What it does require is a clear-eyed review of three interrelated domains: the vessel’s operational technology environment (navigation, engineering systems, VSAT terminal configuration), the on-board network infrastructure (crew and guest connectivity, vessel management software, access controls) and the owner's personal data environment as it intersects with the vessel's systems – an area that has no equivalent in commercial maritime risk management but is directly relevant to the actual risk profile of a private yacht operation.

The output should serve the SMS. It should identify actual exposure in terms a master and DPA can work with, prioritise mitigation by operational risk rather than technical severity and produce documentation that is proportionate, maintainable and directly integrated into the vessel's existing safety management structure.

That is, ultimately, what MSC.428(98) was designed to produce: not a compliance artefact, but a working risk management posture.


The seasonal window
The Western Mediterranean presents a specific operational context worth noting. With a significant share of the global superyacht fleet concentrated in a relatively compressed cruising season, and with vessels spending extended periods in port or in relatively accessible anchorages, the window for conducting a thorough cyber risk review is precisely the lay-up and pre-season period. Yards in Palma, La Ciotat, Genoa and the Spanish coast are the natural environment for this work, not because the risk is greater in port than at sea, but because the operational space to conduct a structured assessment without disrupting an active programme is greatest during that period.

The conversations that need to happen between management companies, captains and independent advisors are the same conversations that happen around refit scopes, class surveys and insurance renewals. Cyber risk management belongs in that same planning cycle.

The regulatory direction is clear and the insurance market is already moving. The question for private superyacht management is not whether cyber risk needs to be addressed within the SMS, but how to build a proportionate, practical approach that serves the actual operational needs of the vessel rather than treating the requirement as either a commercial IT decision or a compliance problem too complex to resolve.
