The superyacht industry is a funny old world. For decades now, superyachts have represented the pinnacle of wealth, pushing the boundaries of functional beauty and elegant luxury.
But as yachts have got bigger, and their interiors ever more opulent, it is surprising how many advances from the technological world have been left behind over the years.
Take artificial intelligence, for example. Earlier this year I took part in a Quaynote discussion which examined the use of AI across the marine and aviation worlds, and it was striking just how far behind aviation superyachts have been.
And the same is true of cybersecurity. While many superyacht owners go to significant lengths to protect their personal and professional lives, until recently, once they step on board their yacht they may as well have been entering a watery wild west.
The picture is changing, but it’s curious that while the businesses and portfolios that create the wealth behind many superyachts have readily embraced AI, superyachts themselves have remained far behind the curve. Equally, with so many yacht owners having achieved their wealth in the technology sector where cybersecurity is fundamental to everyday life, why don’t their yachts have the same level of cybersecurity in place?
It’s obvious why superyachts, with their extensive AV/IT, navigational and security systems, are prime targets for cyber-attacks. Whether you are looking for celebrity gossip, material for blackmail, financial reward or location monitoring for more sinister deeds, superyachts have the potential for gifting you a full house.
My personal view is that yachts have always been something of an escape from the real world for all who board them. For many who enjoy sailing as a hobby there is an addictive sense of adventure and escapism which keeps us all going back and it is possibly that feeling which leaves us all a little exposed.
But the threat is real. We have handled a number of matters relating to cybersecurity on our clients’ yachts in recent times. While some attacks are highly sophisticated, we have also seen relatively simple attacks involving invoice interception which can catch even the most tech-savvy yacht managers and crew off-guard.
So why has the superyacht industry been so slow to respond?
One man who knows a thing or two about cyber-crime and how to combat it is Rob Tobin of Riela Yachts. Rob has been looking after UHNWIs, their businesses and their superyachts, for nearly two decades and he built cybersecurity into his own businesses from day one.
“I made a conscious decision to drop the legacy systems and outdated thinking the moment I founded The Riela Group and this has proven fortuitous.” says Rob. “When you are trusted by people to look after their information, assets and reputation, cyber security needs to be a top-level priority throughout the whole business, and yet a great many businesses (and their clients) are suffering embarrassment and cost due to complacency and ignorance. If any supplier or partner cannot demonstrably, and quickly, evidence their security posture, you have to ask yourself if you’re working with dinosaurs?”
Clearly service providers, such as Riela, have played a major part in developing and deploying the technological answers to combatting cyber-crime and will continue to do so, but as is the case for many of us in our daily lives, it is as much a problem of awareness of the issues as having the tools to combat them.
To date, while most advances in superyacht cybersecurity have been industry led, with people like Rob driving the change and raising awareness of the exposure many superyachts face, 2021 saw the introduction of regulatory intervention with the arrival of International Maritime Organization (IMO) Resolution MSC.428(98) (the ‘2021 Resolution’) which calls on vessels to undertake adequate cyber-risk assessments no later than the first annual verification of the vessel’s Document of Compliance after 1 January 2021.
“Many superyachts, by their very nature, operate independently and keeping up with best practise in an industry with such a siloed nature, requires considerable effort. Complacency with intangible and invisible threats is a well-documented human condition and IMO promulgating the requirement to undertake cyber-risk assessments is but the first step to creating meaningful protection. Undergoing a comprehensive cyber-risk assessment and then not acting on the results is for the dinosaurs!” says Rob.
And it is not just the responsibility of superyachts to protect themselves; there are a great many stakeholders in the industry and all of them represent potential targets.
“Brokers, lawyers, managers, and corporate service providers active in our industry are clearly a target for cyber-crime as we are a single and obvious attack vector to multiple clients.”
“This means we MUST lead from the front and get our own house in order and not rely on the superyachts, in their ‘splendid isolation’ to field off all threats whether directed by IMO or not. I suspect most successful cyber-crime in our industry finds access to victims through shore-based institutions rather than via the yacht, its crew or infrastructure. Hack one yacht and you have data about one yacht, hack the CSPs and you have them all!” Rob warns.
Of course, with new regulations we will see new players entering the cybersecurity compliance market. Owners and their representatives will need to take care to ensure that they are selecting service providers capable of delivering effective means of cyber-protection and training for all crew members. With the potential risks associated with a cyber breach, all owners should ensure that the terms under which they contract with the chosen cybersecurity service provider offer adequate protection should the worst-case scenario arise.
While the 2021 Resolution brings with it a significant administrative burden, for many yacht managers it is simply one more thing to add to the long list of jobs to keep the yacht afloat and ready for their owners and charterers to enjoy. But ultimately, it is in all of our interests to be more cyber-aware and to implement robust cybersecurity measures; as Rob says: “Don’t be a dinosaur!”.
Dom is a Director in Bargate Murray`s superyacht group based in London and advises owners and their representatives on all aspects of superyacht ownership and management.