Who is responsible for navigating cyber security risks at sea?

With technological breakthroughs like LEO VSAT and Starlink introducing faster internet speeds, the potential for onboard entertainment and services has expanded dramatically. However, the threat of cyber disruption is ever-present. The critical question is, who should be responsible?

Traditionally, many assumed that AVIT/ETO officers were the natural leaders in managing the cyber challenges. Especially when the IMO 2021 cyber guidelines came into effect, the default response for many was, “That’s the job of the ETO/AVIT officer.” But is it really?

AVIT/ETO officers are in charge of all electronic systems onboard and are the go-to troubleshooters. Superyachts require a sophisticated network of systems working in harmony, and managing these systems, along with client and guest expectations, across a large vessel is a large task.

Cybersecurity, however, requires the ability to predict digital vulnerabilities and navigate around them. It demands a distinct set of skills, knowledge, and a different perspective. Expecting AVIT/ETO officers to be cybersecurity experts and manage these responsibilities in addition to their current tasks can present challenges within the role.

Relying solely on the AVIT/ETO officer is also a vulnerability. What happens if they depart or become indisposed? This lack of oversight and dependence on a single individual could leave the yacht exposed to significant risks.

The solution lies in a collaborative approach, encompassing several high-level recommendations:

• Recognising the critical importance of cybersecurity is essential. While it’s not more important than other tasks, it’s unanimously crucial. Captains should lead the way by expressing their commitment to safeguarding the vessel from online threats. Empowering heads of departments and the entire crew enhances the vessel’s first line of defence.

• Cybersecurity-specific training is vital. Historically, cybersecurity was not a part of the AVIT/ETO job description. Job vacancies for these roles often stick to their titles without mentioning cybersecurity. Should owners provide cybersecurity training to a broader group of crew members beyond just the AVIT/ETO?

• Share the responsibility rather than solely relying on the AVIT/ETO for cybersecurity. Determine specific tasks that crew members can take ownership of, such as establishing robust procedures for onboarding new devices, whether they belong to the yacht or the crew. Not all cybersecurity tasks need to be led or managed by the AVIT/ETO.

• Consider the return on investment. AVIT/ETOs are often well-compensated, and their department can be expensive. They are paid to be onboard to address immediate problems and plan for future projects. In the absence of a dedicated Cyber Security Officer, could hiring a specialized cybersecurity team to monitor the digital environment onboard be a feasible solution? This would allow the crew to focus on maintaining the yacht and ensuring it operates at its best for upcoming trips.

Cybersecurity has transitioned from a distant concern to an immediate one. Every yacht is unique, and managing its specific systems and preferences requires time and expertise. Entrusting a single person with the multifaceted responsibilities of cybersecurity can lead to a risky and unsustainable key-person dependency. In the end, cybersecurity should be a responsibility shared by every crew member onboard.

To speak to one of our experts, or to learn more about our dedicated cyber security services, contact us at enquiries@priavosecurity.com or call +44 (0) 20 7315 4221.
