Editor’s note: Joe Hollier, a cyber risk insurance specialist, is the author of this article, which examines who ultimately is responsible for cyber security when it comes to superyachts. The short answer as to who is responsible: everyone. As Hollier explains, however, this answer isn’t good enough. For more on the subject, listen to our Megayacht News Radio podcast with Hollier.
Hackers are good at finding the weakest link, and in most cases the weakest link is a human. People are prone to making mistakes, and the likelihood of a costly mistake rises significantly when there is no cohesive cyber strategy in place to guide them.
When it comes to cyber security and the ever-present threat of an attack, the question of who assumes ultimate responsibility for protecting the vessel and crew can be, in a word, divisive. The obvious answer points to the top, whether that is the owner or the management company. This holds true, yet it is merely where the responsibility begins. At a minimum, the top's primary responsibility should include implementing a cyber risk strategy (a plan) for the superyacht and delegating its parts. A plan brings clarity, assigns responsibility, and moves the conversation forward from awareness to action.
Cyber security conversations are common among owners, captains, and IT. However, few have a clearly defined understanding of the threats and responsibilities, especially the crew. As the top tier of management begins to develop a cyber risk plan, initial efforts should focus sharply on assessing the threats the superyacht faces daily. Whether they come from inside the operation, from outside, or from third-party vendors, understanding what information is held and transferred in the operation of the vessel, and to whom, is the foundation for identifying and addressing the risks specific to your vessel.
Decisions Equal Action
As risks are identified, responsibility remains with the top tier to decide how each one will be confronted: whether it will be avoided, mitigated, reduced in severity, transferred, or accepted. These decisions naturally bring clarity and transparency to the superyacht's procedures and to its expectations for cyber resilience.
A cyber resilience plan will have its low-hanging fruit: risk-creating activities, habits, or conveniences that can simply be removed procedurally. At the heart of the decision-making process, however, is determining how each remaining risk will be handled, whether by policy, procedure, IT controls, or insurance. Categorizing which risk responsibilities will be delegated to staff and which will be outsourced or transferred produces a tactical, comprehensive plan that includes everyone.
Crafting a well-run cyber resilience plan aboard a superyacht is not a one-time event. The long-term effectiveness and strength of the plan depend on continuous monitoring and education. As part of the management decision-making process, it becomes necessary to choose a clearly identified leader to maintain full compliance with the cyber plan. In many organizations this would fall under the guidance of a CISO. Otherwise, the role can be filled by another management team member who possesses the ability and diligence to enforce onboard cyber security as an operating culture, not a one-time fix.
The responsibility for mitigating cyber risks then branches out to the captain and crew. Delegating responsibility for policies and procedures to specific people can be part of a comprehensive team strategy. Additionally, naming leaders for an incident response plan and obtaining insurance create a well-rounded, resilient team.