Daniel Torres, founder of Nauta Maritime, examines the private superyacht sector’s unresolved obligation …
When IMO Resolution MSC.428(98) came into force in January 2021, it established that cyber risk management must be incorporated into safety management systems (SMS). The language was unambiguous: cyber risk should be addressed with the same rigour applied to other operational risks documented in the SMS – fire, flooding, man overboard, structural failure.
Commercial shipping moved. Large operators updated their SMS documentation, engaged qualified assessors and began aligning their cyber risk frameworks with flag state expectations. Classification societies developed guidance, P&I clubs issued advisories, and the infrastructure of compliance – imperfect as it is – began to take shape.
However, private superyacht management, with some exceptions, did not follow.
This is not a criticism of individual captains or yacht managers. The regulatory picture for private yachts under MSC.428(98) is genuinely ambiguous at the enforcement level – flag state interpretation varies, ISM Code applicability differs depending on how a vessel is…
