Another minimum standard?
Have the IMO's cyber security requirements had the desired impact on the superyacht community?
In recent years the level of connectivity onboard superyachts has grown exponentially and, as a result, the cyber threat to superyachts has grown in tandem. In order to counter this growing cyber threat to superyachts and the wider maritime community, since 1 January 2021 every Safety Management System (SMS), for both private and commercial superyachts, has been required to include cyber risk management. However, has the imposition of cyber risk management on board had the desired effect?
“As a general statement, I would say that the adoption of the IMO requirements has largely bent towards minimum standards, but there are also a number of superyachts that we have worked with that have advanced and creative ways of dealing with cyber threats. But as a whole, the industry has not viewed cyber security as a categorical imperative,” comments Ben Dynkin, co-founder & CEO of Atlas Cybersecurity. “However, what has made me incredibly hopeful is that we have had really productive conversations with clients as we have helped them develop and implement their security programmes, it is clear that stakeholders’ eyes are being opened. The minimum standards are just base level that the industry’s growth is coalescing around.”
“Personally, I have concerns that the IMO hasn’t necessarily addressed how they need to implement the requirements, part of the problem being that ETOs aren’t always experienced in IT functions, they have the basic knowledge to manage the environment, but cybersecurity is actually a specialist skill. Even in the event that ETOs are experienced and they are doing some things well, it doesn’t mean that they are not vulnerable if a crucial element has been overlooked or compromised,” adds Kurt Schrauwen, director of Riela Cyber.
Part of the issue centres around the type of requirements that the IMO have imposed. The requirements themselves are not draconian in the sense of forcing superyachts to adopt certain types of technologies; rather, vessels are required to adopt a series of cyber processes that are suitable for their operational environment. On the one hand, this is more difficult than merely adopting certain technologies because vessels will be required to show auditors how their processes have been designed to counter a number of potential cyber threats. On the other hand, there remains a great deal of leeway to do the bare minimum as a means of ticking the box and keeping the powers that be satisfied.
“Fortunately, superyachts can’t just put a box on the boat and call it a day. Rather, they are being asked to do a far harder job of understanding the threats and how to address them systematically,” says Dynkin. “It is based on a problem that is found within industries the world over, people want to find a magic box solution rather than doing the hard work to develop the necessary processes, implement the relevant technologies and train the right people continuously. This is the landscape of the new requirements and it represents a starting point for the industry rather than the finish line, but this is dependent on each individual vessel taking the guidance and customising any programme to suit its needs.”
Dynkin is quick to point out that while general adherence to the IMO requirements has leant toward minimum standards, the base level of knowledge and understanding on the part of the superyacht industry is increasing as a result of the requirements, a view that is supported by the team from Riela.
“There is certainly no black and white answer, you’ll always see certain vessels go above and beyond and take a great deal of professional pride in their cyber process, equally you will find those that just see them as another tick box exercise,” comments Schrauwen. “Thankfully, by and large, the boats we deal with are trying to aim far above minimum standards. The yachting community is beginning to appreciate the sheer amount of resource required to effectively protect a vessel from cybercrime, especially in light of how stretched the crew are already with their work.”
That superyachts have a level of choice in how they adopt cyber security processes is fair. The difference in operational profile between a 30m private yacht and a 70m commercially operated vessel is night and day and, therefore, one would expect them to apply differing levels of cyber security on board. That being said, it is those vessels that continue to believe that the cyber threat is minimal and, therefore, meet the requirements in their basest form, that are most vulnerable. The cyber threat, according to experts, is growing daily, and with the Ukraine war drawing the public's attention to the superyacht community, it stands to reason that superyachts will be increasingly targeted by bad actors, especially once they realise the relatively poor levels of cyber security that pervade the superyacht industry.
For a fuller exploration of the IMO requirements and how the market has responded, click here to join The Superyacht Group Community and look out for the publication of The Superyacht Operations Report in May 2022.