There is a question that does not get asked often enough in the superyacht sector, and it is this: when was the last time anyone actually tested whether the cyber security controls described in your vessel's documentation are genuinely in place and functioning as intended?

For most vessels, the honest answer is never.

Since IMO Resolution MSC.428(98) required cyber risk to be addressed within safety management systems from the first annual verification of a company's Document of Compliance after 1 January 2021, the maritime industry has made considerable progress in producing cyber security documentation. Vessels have cyber security management plans. There are policies covering crew device use, network access, and incident response. Boxes get ticked during port state control inspections and flag state audits. On paper, the sector looks increasingly mature.

The reality onboard is often quite different.

The documentation is not the defence

Compliance frameworks exist for good reason. IMO MSC-FAL.1/Circ.3 provides a structured approach to maritime cyber risk management, and the BIMCO guidelines offer practical implementation guidance that, when followed properly, genuinely improves a vessel's security posture. The problem is not the frameworks themselves. The problem is what passes for compliance with them.

A cyber security management plan is a document describing what your security controls should look like. It is not evidence that those controls exist, that they are correctly configured, or that the people responsible for maintaining them understand what they are doing. A firewall policy is not a firewall. An incident response procedure is not an incident response capability. The map is not the territory.

In our experience working across vessels of varying size and management structure, properly conducted cyber risk assessments, ones that go beyond document review to actually test what is in place, are carried out by only a very small number of operators. The documentation exists. The underlying verification rarely does.

Why inspections miss the gap

Part of the problem lies in how compliance is assessed. Port state control inspections and flag state audits are conducted by surveyors whose expertise is primarily operational and nautical. Cyber security is a relatively recent addition to their checklist, and the depth of technical knowledge required to assess whether a vessel's network is properly segmented, whether its ECDIS is running patched software, or whether its WAN configuration introduces exploitable vulnerabilities is considerable. Verifying segmentation, for example, means attempting to reach bridge or engine-room systems from the crew network and confirming that the attempt fails, not reading a network diagram. It is not a criticism of individual inspectors to observe that this is a specialised field, and that the current inspection regime was not designed to assess it at a technical level.

The result is that a vessel can satisfy an inspector by producing well-formatted documentation while having controls that do not function as described, crew who have never been trained beyond a one-hour awareness session, and an owner who has been given a genuine but misplaced sense of assurance.

The risk assessment gap

Of all the shortcomings we observe in vessel cyber security programmes, the most consequential is the absence of meaningful risk assessment. IMO MSC-FAL.1/Circ.3 is explicit that cyber risk management should be based on an understanding of the vessel's specific threat environment, its critical systems, and the realistic consequences of compromise. A risk assessment is the mechanism through which that understanding is developed and documented.

Without it, everything else is guesswork. Policies written without a risk assessment are generic documents that may bear little relationship to the actual vulnerabilities present on that vessel. Controls implemented without a risk assessment may address risks that are theoretical while leaving genuine exposures unmanaged. And when something does go wrong, the absence of a prior risk assessment makes it significantly harder to respond effectively, or to demonstrate to underwriters and flag states that reasonable care was taken.

What genuine compliance looks like

Genuine maritime cyber security compliance is not a folder of documents. It is a living programme built on an honest understanding of where a vessel actually stands.

It starts with a risk assessment that identifies the vessel's critical systems, maps realistic threat scenarios against them, and produces a prioritised view of what needs to be addressed. It is followed by controls that are implemented, tested, and verified rather than described and assumed. It includes crew training that goes beyond awareness to build genuine competence in recognising and responding to the threats they will actually encounter. It must involve periodic review, because the threat landscape changes frequently and a risk assessment conducted three years ago may not reflect current exposure.

This is not a particularly complicated proposition. It is, however, a more demanding one than producing documentation that satisfies a checklist. The distinction matters because the consequences of getting it wrong are not abstract. A vessel whose operational technology systems are compromised, whose owner's communications are intercepted, or whose financial operations are disrupted by ransomware or fraud has not been made safer by the existence of a cyber security management plan that no one tested or verified.

The question worth asking is not whether your vessel has the right documents. It is whether anyone has verified that what those documents describe actually exists.

If the answer is no, that is where the conversation should start.

If you would like an independent assessment of whether your vessel's cyber security controls match what your documentation describes, we would welcome the conversation.
