How Should the Superyacht Industry React and Plan for Cyber Risk Management?

The 21st century has pushed the maritime world, like every other industry, further and further online. Safety management systems are now online; internal and external communication runs 24/7 over smart technology; the sextant has been replaced by GPS and electronic charts. We continue to benefit from rapidly improving and innovative technology.

Yet the cyber security industry, often opaquely and with varying degrees of drama and hyperbole, appears to be warning of huge "cyber" risks to maritime assets while trying to sell its services and products.

But what should cyber risk management genuinely look like in the wider maritime industry, and specifically in the superyacht industry?

The IMO adopted Resolution MSC.428(98) on maritime cyber risk management in safety management systems in June 2017, followed in July 2017 by its Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3). Around the same time, BIMCO and its industry partners published the second version of their guidelines on cyber security on board ships for the commercial shipping market. The ISM Code 2018 Edition includes the "Guidelines on Maritime Cyber Risk Management".

Insurance companies, the route to underpinning most risk management issues, lament the lack of transparency and of figures that actuaries can use to quantify cyber risk, while marine insurance cover routinely includes the Institute Cyber Attack Exclusion Clause (CL380), which excludes cyber risk from the policy. Flag states read the IMO wording, see the word "encourages" and try to work out how, and to what extent, the ships flying their flag can be regulated. Classification societies head in divergent directions, driven by a feeling that "something" should be done about cyber security to ensure seaworthiness. Against this noisy, drama-filled backdrop, yacht managers, captains, chief engineers and ETOs are left trying simply to find the best, safest and most efficient solution for their yachts in a 21st century environment.

The treacle thickens when one considers that the solution must work both for yachts sailing now and for yachts not yet built, which will be sailing after the ISM compliance deadline: the first annual verification of the company's Document of Compliance after 1 January 2021. The only sure thing is that the cyber risk environment in 2021 will look very different from the way it looks today.

We, as the superyacht industry, understand that there is a clear requirement to manage cyber risk. But the tech-security fog created by an avaricious IT and cyber security industry creates fear over what are very disparate threats and vulnerabilities, and perpetuates our fear of making the wrong choice. It therefore seems almost impossible for anyone to make a decision or produce a sensible long-term plan, and far easier to wait and hope that a solution will present itself.

So, within this maelstrom of opinion, assistance, threat, risk and fear, can we find a sensible solution to the issue of cyber risk management? Without an agreed single industry voice and an agreed industry outcome, is this possible?

The answer is "Yes", though unfortunately there is no single technical magic bullet that solves every problem at a stroke. The solution is balanced, proportionate and considered, and, when approached properly, pretty easy.

Managing cyber risk is no different from managing any other risk faced by a company or a yacht anywhere in the world. It adopts a set of sound principles, tailored to the yacht or the yacht management company, and it brings the supply chain into the same management process. It identifies the threats and vulnerabilities, weighs the resulting risks and puts in place proportionate controls in line with the risk appetite. A threat to a yacht is therefore measured against a different balance of risk criteria from, say, a cargo vessel, and comparable threats to two yachts may be the same in some respects and different in others: not necessarily because the technologies differ, but because the intent of those who wish to cause damage differs.

Understand the Threat. (From Whom and Why?)
Generic: In some cases, primarily bulk, widespread criminal operations, or the research and development activity of more capable malicious actors, attempted attacks have no particular target but are opportunistic and en masse. The weaker the defences against this generic approach, the greater the likelihood of penetration and subsequent damage. This bulk approach almost always exploits "human factors" or simple technical configuration errors. If we could remove the untrained crew member and the unmanaged supply chain (yachting's "human factor"), we would, by our estimate, reduce the risk from malicious cyber activity by around 80% at a stroke.

Specific: There are, however, other more idiosyncratic threats that are peculiar to the owner, the yacht management company and/or the specific geography of the yacht and its owner. These are targeted, and are driven by more considered criminal, personally malicious or, in some cases, geopolitical motives.

Some protective measures are common across the two categories (and are reflected in the ISM Code); others need to be as tailored as the threat they face. Understanding and measuring the threats is straightforward, but without doing so, solutions are poorly focused, ineffective and often unnecessarily expensive.

Click here to read the full article by our very own Murray Bishop.