Regulation without teeth
Matt Roberts, Director of Anchorpoint, spells out why superyacht cybersecurity has never been optional…

In 2021, the IMO’s cyber risk management requirements formally came into force. For many in yachting, that moment was framed as a turning point: cyber was finally “on the agenda”, a nudge for owners, captains and managers to take digital risk seriously.
Five years on, it is hard to argue that those expectations have been met. The problem is simple: we got the carrot, but not the stick. The IMO’s framework has largely been treated as guidance rather than as a standard actively enforced. There has been no visible, consistent consequence for failing to meet even basic expectations. As a result, behaviour has changed, but not necessarily for the better. Instead of driving sustained improvement, the regulations have triggered a compliance theatre around cybersecurity. For a sector built on confidentiality, discretion and protecting the interests of ultra-high-net-worth families, that gap is now impossible to justify.
The rise (and waste) of the “one‑and‑done” cyber assessment
The clearest example of this distorted behaviour is the boom in expensive cyber-risk assessments. On paper, these are aligned with the NIST Cybersecurity Framework that underpins the IMO language: identify, protect, detect, respond and recover. In practice, many programs treat an assessment as an expensive box-ticking exercise.
A typical pattern looks like this:
• An operator or owner’s office commissions a detailed assessment, often at high cost.
• The result is a long, highly technical report that few on board or ashore can interpret or connect to daily operations.
• The document is filed away; little or none of it is implemented.
• It reappears years later when a new consultant or auditor asks whether a cyber assessment has been done.
On board, the culture hasn’t shifted. Leadership still tends to regard cyber as a specialist add-on rather than as core to safety, privacy and operational continuity. The crew understand they are accountable for fuel, guests, tenders and toys, but not for the data, systems and connectivity that enable modern yachting. Given the stakes, this is an odd blind spot. Owners and family offices insist on rigorous confidentiality in all their affairs, yet their yachts, among the most visible, connected and complex assets they own, often do not receive equivalent protection in the digital domain.
A very different yacht from five years ago
This disconnect has been amplified by how quickly the technical landscape has shifted. In the past five years, superyachts have gained faster, lower-latency connectivity as standard. Starlink and other next-generation services have turned vessels into always-on, high-bandwidth environments. Owners expect their yacht to function like a rolling family office and home, with seamless cloud access, remote working, streaming and smart on-board systems.
More connectivity and more integrated systems mean more that can go wrong:
• More personal and financial data moving on and off the vessel
• More remote access points into OT and vessel management systems
• More third-party tools and apps in daily use by crew and guests
• More consumer-grade hardware and software deployed in a quasi-enterprise environment
Yet the regulatory framework that was late even in 2021 has not meaningfully evolved to reflect this shift. The result is a growing gap between how yachts actually operate and how they are expected to manage cyber risk on paper.
AI: the next gap, already open
Artificial intelligence is a prime example of that gap. AI tools are no longer experimental – crews, management teams and owners are already using them, often by pasting operational or personal information into public or semi-public services, or by spinning up private bots and agents on consumer hardware with little regard for configuration or security.
At the same time, there is still no specific, practical guidance on AI risk management from the main maritime bodies. IMO and BIMCO have acknowledged the topic and indicated that updated publications will be released, but no concrete, sector-wide guidance is available today for vessels or operators. This is not because the topic is unknowable. The International Association of Ports and Harbors (IAPH), for example, has already produced considered work on emerging technologies, including AI and quantum computing, and the associated cybersecurity implications. Their publications outline reasonable baseline controls and governance measures that are directly relevant to maritime operations.
The disappointment is that this work has not been actively leveraged or echoed by the organisations that yacht operators most often look to by default. After the delays in bringing the 2021 cyber requirements forward, we appear to be repeating the pattern: recognising the importance late, and offering guidance even later. In the meantime, the industry is quietly improvising with tools powerful enough to materially change its risk profile.
Yachts are small businesses, not households
A deeper issue is how yachts perceive cybersecurity. Most programs still protect their digital estate with roughly the same mindset and tooling as a well-off household: consumer-grade routers, ad-hoc account management, unstructured device policies and a heavy reliance on personal judgement.
But many superyachts, particularly at the larger end of the fleet, function more like small to medium-sized businesses:
• Dozens of staff with high turnover
• Complex vendor and contractor ecosystems
• Critical operational technology linked to IT networks
• Sensitive personal, financial and travel data
• High public visibility and clear financial motivation for attackers
Viewed through that lens, the logic of using only consumer-grade security (at best) quickly breaks down. The expectations on the bridge and in the engine room already reflect that reality; expectations around digital operations have not caught up. This is not about turning crew into security engineers; it is about acknowledging that many security functions can and should be supported remotely, and that what happens on board must be framed as part of a coherent, programmatic approach, just as it is for safety, maintenance and compliance.
Carrot or stick? The wrong question
All of this raises an uncomfortable question: does yachting actually need a regulatory stick to do what is plainly in owners’ best interests?
Cybersecurity in yachting is not optional and never has been. The industry has long accepted non-negotiable standards for physical safety, guest experience and discretion. It is inconsistent to treat digital security as something that only matters once a regulator threatens enforcement.
Waiting for the next resolution or guideline update is, in many ways, a way of avoiding ownership of the problem. Regulations can set a floor, but they cannot define what is “reasonable and adequate” for a specific yacht, owner profile and operating pattern. That judgement has to be made by family offices, ownership teams, captains and managers.
The role of IMO, BIMCO and other bodies should now be twofold: to accelerate practical, AI‑aware guidance by building on the best available work, and to actively campaign to raise awareness, not just quietly publish documents. But even if that happens tomorrow, it will not remove the need for vessels and ownership teams to think beyond mere compliance.
One question to ask today
If you have read this far and hold any responsibility for a yacht, on board or ashore, avoid the temptation to file “cyber” under “regulatory work in progress”. Instead, ask one focused question today: What is the single most important digital dependency of our operation and how do we know it is adequately protected?
If you cannot answer that clearly and with evidence, that is your first action. Whether or not the carrot is attractive or the stick ever arrives, the responsibility already sits with you.
This article first appeared in The Superyacht Report: New Build Focus.

