Cyber risk is no longer just an IT problem.
On a modern superyacht, digital systems sit at the centre of daily operations. Navigation, communications, planned maintenance, AV, guest networks, access controls, remote support, supplier portals and operational documentation all rely on connected technology in one form or another.
That means cyber security is not something that can sit quietly in the ETO’s office, or in a policy document that only gets opened before an audit.
It has become part of operational safety.
The IMO has already made the direction clear. Cyber risk management should be taken into account within an approved Safety Management System, in line with the objectives and functional requirements of the ISM Code. For yachts and management companies, the question is no longer whether cyber risk appears somewhere in the SMS.
The real question is whether the crew understands it well enough to apply it.
The danger of treating cyber as a policy exercise
Many vessels now have some form of cyber risk wording in their SMS. There may be a section covering password hygiene, removable media, phishing, software updates, network access or remote support protocols.
On paper, that may be enough to demonstrate that cyber has been considered.
But cyber risk does not usually fail on paper. It fails in the moment.
A crew member plugs in an unknown USB stick. Someone clicks a convincing email while under time pressure. A supplier is given access without the right checks. A password is shared casually because it is easier than following the correct process. A suspicious message is ignored because it does not feel like a safety issue.
None of these examples require malicious intent. They are normal human behaviours in busy operational environments.
That is why the “human firewall” matters. Not because crew are the problem, but because crew are often the last line of defence between a small lapse and a serious operational disruption.
Cyber risk is now a cyber-physical risk
In yachting, cyber risk is not abstract.
A compromised system can affect communications. A spoofed email can influence operational decisions. Poor access control can expose sensitive owner, guest or vessel data. Weak digital habits can interrupt the systems that support navigation, engineering, maintenance and emergency response.
For ETOs, this creates a difficult challenge.
They may understand the risk, but they cannot be everywhere. They cannot personally supervise every email, every device, every login, every supplier interaction or every guest network request. Technical controls are essential, but they only go so far if the wider crew do not understand the behaviours that keep the vessel secure.
For management companies, the challenge is slightly different.
They need confidence that cyber risk is not just written into the SMS, but being reinforced across the fleet in a way that is consistent, measurable and practical. A policy is helpful. Evidence of understanding is better.
Why cyber awareness needs to become routine
The best safety cultures are not built around one-off briefings. They are built through repetition.
Crew know fire procedures because they are trained, drilled and reminded. They understand muster responsibilities because these processes are repeated. They improve emergency readiness because safety is kept visible and active, not hidden in a folder.
Cyber awareness should be treated in the same way.
That does not mean turning every crew member into a cyber security specialist. It means making the essential behaviours simple, memorable and repeatable.
For example:
- What does a suspicious email look like?
- When should a USB device be refused?
- Who can authorise remote access?
- What should a crew member do if they think they have clicked something unsafe?
- How should passwords and shared logins be handled?
- What is the correct process for connecting a new device?
These are not theoretical questions. They are daily safety questions.

Moving cyber safety out of the ETO’s office
On many yachts, cyber risk naturally sits with the ETO or technical team. That makes sense from a systems perspective, but not from a behavioural one.
Cyber resilience depends on the whole crew.
Interior, deck, engineering, bridge, pursers, rotating crew, temporary crew and shore-based teams all interact with digital systems in different ways. Some will handle guest requests. Some will deal with suppliers. Some will receive operational emails. Some will use shared systems during busy guest trips or refit periods.
If cyber awareness is only understood by the ETO, the vessel remains exposed.
The aim should be to move cyber safety into the same space as wider safety culture: part of the onboard conversation, part of familiarisation, part of drills, and part of regular crew learning.
Not a lecture. Not an annual presentation. Not another dense policy. A habit.
How Fathom can help make cyber awareness practical
Fathom is designed to turn safety knowledge into something crews actively engage with.
Rather than relying on the assumption that crew have read and absorbed dense manuals, Fathom breaks important safety information into bite-sized, testable knowledge. It supports regular crew engagement, tracks understanding over time and helps senior crew and management identify where knowledge gaps exist.
The same approach can be applied to cyber awareness.
Instead of cyber risk sitting in the SMS as a long policy, management companies and vessel teams can use Fathom to create short, practical cyber-safety modules that fit naturally alongside wider safety learning.
For example, monthly cyber-awareness questions could cover:
- Recognising phishing and suspicious links
- USB and removable media hygiene
- Safe use of guest and crew networks
- Remote access procedures
- Password and shared account behaviour
- Reporting suspected cyber incidents
- Supplier and contractor access protocols
- Handling sensitive owner, guest and vessel information
These modules do not need to be complex. In fact, they work better when they are simple, direct and relevant to the way crew actually work onboard.
The benefit is not just awareness. It is visibility.
Senior crew and management companies can see where understanding is strong, where it is weak, and where follow-up training may be needed. That turns cyber awareness from a policy statement into a measurable safety routine.
The audit question is changing
For years, the focus has often been: “Do we have the correct documentation?”
That still matters.
But a stronger question is now emerging:
“Can we prove the crew understand what the documentation says?”
This is especially important with cyber risk, because the most important controls often depend on behaviour. A cyber policy may state that suspicious emails should be reported, but do crew know what one looks like? A procedure may prohibit unknown USB devices, but is that front of mind during a busy refit? The SMS may include cyber risk, but is it part of onboard safety culture?
If the answer is unclear, the system is not as strong as it looks.
From compliance to confidence
For ETOs, this approach reduces the burden of being the only person responsible for cyber awareness onboard. It gives them a practical way to reinforce key behaviours across the wider crew.
For captains and senior crew, it helps make cyber part of normal safety leadership, rather than a specialist topic that sits outside daily operations.
For management companies, it provides a clearer way to demonstrate that cyber risk is not only documented, but actively managed and understood.
And for owners’ offices, it offers reassurance that the vessel is taking modern operational risk seriously.
Because cyber security is no longer separate from safety.
It is part of the same picture.
Modernise your SMS with cyber awareness modules
If your SMS includes cyber risk, that is a start.
But the next step is making sure the crew understand it, remember it and apply it.
Fathom helps move cyber safety from the policy folder into the daily rhythm of the vessel, using short, practical awareness modules that make knowledge measurable and repeatable.
Modernise your SMS. Add cyber awareness modules and make cyber safety part of the way your crew think, act and operate.