Superyacht cybersecurity introduction

Two weeks before I speak at the Monaco MEBC superyacht panel, a yacht retailer is still dealing with the fallout from a breach that exposed 123 494 people's identity documents and financial records. The Rhysida ransomware group published 225 GB of MarineMax data in March 2024. The company filed an 8-K. The state notifications went out. And the superyacht industry — the part that sells, charters, manages, and insures the world's most expensive floating private residences — mostly looked away and continued the conversation about stabilisers, satcom bandwidth, and AV integration.

I understand why. The yachting world is not structured for uncomfortable conversations about security. The ownership layer prizes privacy above almost anything else. The crew layer is rotational, BYOD-heavy, and trained in seamanship, not phishing awareness. Management is lean and often outsourced, answering to principals who do not want to hear that their 60-metre floating home runs the same industrial vulnerabilities as a mid-market freight ferry. And the service ecosystem — the marinas, the bunkering agents, the satcom resellers, the AV integrators — operates on relationships and discretion, not security audits.

This edition breaks the conversation open. Six findings cover everything from the documented IT breaches already in the public record, to the AV and IoT vulnerabilities that shipped on superyachts in 2025 and 2026, to the GNSS jamming and spoofing crisis that now touches every ocean a superyacht is likely to visit. The regional map runs from the Eastern Mediterranean — 65 to 70 percent of global charter weeks and one of the worst civilian GNSS theatres on the planet — down through the Canaries and across to the Caribbean. And the Fortinet question: what it means that the most common superyacht firewall brand is also the subject of a 73 000-device credential-stuffing campaign. I will be putting all of this on the table at Monaco in July. Consider this the pre-read.

Key Figures

Metric

Figure

Source

People affected, MarineMax breach

123 494

Company 8-K
+ state notifications

Data published by the Rhysida group

225 GB

SecurityAffairs,
The Record

Maritime cyber incidents, 2025 vs 2024

+103%

Industrial Cyber / CYTUR

GNSS events in channels we monitor (2026 corpus)

978 000

Our monitoring

AIS position jump (Q4 2024 → Q1 2025, Windward)

~600 km
→ ~6300 km

Windward / rntfnd.org

Superyachts >30 m globally

6174

Monaco Yacht Show Market Report 2025

Ransomware incident cost, superyacht (Tristate Marine)

$2 million

Finding 1: The breach already happened — and it happened on land

The superyacht industry's data-security problem is not hypothetical, not a future threat to model, and not confined to the vessels themselves. It is documented and recent, and it starts with the commercial ecosystem that surrounds the boats.

MarineMax is the largest yacht and superyacht retailer in the United States — a publicly traded company running dealerships, marinas, and brokerage at the top of the market. In March 2024, an unauthorised third party accessed its systems, exfiltrated data, and the Rhysida group published a 225 GB archive when the ransom went unpaid. The confirmed victim count is 123 494 people. What was in the archive: identity documents and financial records — exactly what you would expect from a company that processes the purchasing paperwork for high-net-worth individuals buying expensive vessels. This is a named company, a public 8-K, verified state notifications, and one of the more significant data breaches in the recreational marine sector's history.

The breaches on the vessels themselves are documented too, though typically under confidentiality that prevents naming the boats. The pattern is consistent: entry via phishing, followed by compromise of email and file servers, followed by exfiltration of commercially sensitive data. A case published in the Monaco Yacht Show knowledge magazine in August 2025 describes exactly this sequence — phishing gains a foothold, email and the file server are compromised, invoices and operational documents are stolen. The weaknesses identified: password reuse, no multi-factor authentication, poor email security. Recovery required deploying EDR and rebuilding email security from scratch. The vessel is unnamed in the source.

The same pattern appears in a 2025 account from Riela, who describes a superyacht file-server takeover that resulted in 80 to 90 GB of data exfiltration — years of emails, invoices, and accounts — subsequently used to conduct targeted vendor fraud against the management company. And one further documented case involves a fake email and a payment-instruction intercept that redirected charter funds, leading to the vessel being arrested and the charter cancelled. Business email compromise, straight to the quay.

The thread across all of these: the breach surface in every confirmed superyacht incident to date is IT — email, file servers, payment flows. There is no publicly confirmed case of an attacker gaining access to a superyacht's navigation or propulsion systems through a cyber intrusion. The OT risk is real and is addressed in Finding 3, but the documented threat is in the office layer, not the engine room. That framing matters: it determines where the fastest risk reduction lies.

Why this matters: Every yacht management company, every captain handling operational correspondence, and every owner whose financial details pass through a brokerage or charter agent is inside this attack surface. MarineMax proves it at scale; the Monaco and Riela cases prove it at the vessel level. These are not warnings about what might happen — they are descriptions of what has happened.

One thing to do: Audit the email and file-server security of every entity that handles your vessel's financial correspondence. If any of them is running without phishing-resistant MFA and an email security gateway that scans for impersonation, assume the risk exists today and fix it first.

Finding 2: Why a superyacht is uniquely exposed

A superyacht is not a cargo ship with a luxury fit-out. It is a floating smart home with maritime systems underneath. The combination creates an attack surface that neither the residential AV security world nor the traditional maritime OT security world has fully mapped.

Maritime cyber incidents grew by 103 percent in 2025 compared to 2024, with DDoS, ransomware, and malware accounting for the dominant categories, according to Industrial Cyber and CYTUR. The superyacht segment sits at the intersection of the most exposed technologies in both the consumer electronics world and the maritime OT world, and it adds ownership dynamics that make remediation harder.

The AV and IoT layer deserves specific attention because it is where the most recent and severe vulnerabilities have emerged. Four CVEs verified against the US National Vulnerability Database as of 22 June 2026, with one historical anchor below:

CVE-2025-47419 (CVSS 10.0, Crestron Automate VX): cleartext passwords transmitted over the network. Automate VX is the video conferencing and recording system that ships in owner's cabins and saloons on high-specification yachts. CVSS 10.0 — the highest possible score.

CVE-2026-7865 (CVSS 7.4, Crestron TSS/TSW-x70 touch panels, 2026): a hidden console command passes attacker-supplied input to popen(), letting someone with authenticated access to the device's SSH console run OS-level commands. Lower severity than the AVTech and Crestron flaws above because it requires authenticated access first, but it turns a foothold into full device control. Disclosed in 2026 by researcher Eugene Lim.

CVE-2025-34054 (CVSS 10.0, AVTech DVR/NVR systems): unauthenticated command injection via the Search.cgi endpoint, actively exploited in the wild as confirmed by Shadowserver in January 2025. AVTech budget CCTV systems appear in crew quarters and service areas on yachts where the owner's spaces carry premium brands — an attacker who exploits this sees every camera on board.

CVE-2025-24132 (CVSS 6.5, AirPlay SDK / Crestron DM-NAX distributed audio, the "AirBorne" cluster): zero-click wormable remote code execution via local Wi-Fi. A guest device connecting to the yacht's Wi-Fi network can trigger RCE on the audio distribution system with no crew interaction required.

For historical context: CVE-2022-2185 in Crestron AM-100/101 allowed unauthenticated command injection leading to root access, and is on CISA's Known Exploited Vulnerabilities list. It is the ancestor of the 2025 and 2026 variants.

Beyond the technical layer, the human dynamics compound the exposure. The owner-crew power imbalance makes it culturally difficult for a captain to enforce a device policy that the principal finds inconvenient. Crew rotation is high — a superyacht with an annual turnaround of deckhands has a permanent BYOD problem that no policy survives intact. And the privacy paradox of HNWI ownership creates its own contradiction: the people who most need strong security are the most resistant to the monitoring that would provide it.

Why this matters: The AV and automation systems that define the superyacht experience are running verified CVSS 10.0 vulnerabilities and at least one CVE actively exploited in the wild as of early 2025. These are not edge cases — they are the mainstream equipment of a sector that prioritises connectivity and integration.

One thing to do: Pull the equipment list for any vessel under your responsibility — AV receivers, video conferencing systems, NVRs, touch panels, audio distribution — and run each against the NVD and CISA KEV list. Start with Crestron and AVTech. If the firmware is not current, treat it as compromised until patched.

Finding 3: Your GPS is lying to you

In August 2013, a research team from the University of Texas at Austin, led by Professor Todd Humphreys, took an $80 million superyacht off its intended course using a GPS spoofing device. The yacht's navigation system accepted the false signal, the autopilot followed the false course, and the crew had no indication anything was wrong. That experiment proved — twelve years ago, on an actual superyacht in open water — that GNSS spoofing of a yacht's navigation was not a theoretical concern. It was a documented, replicable capability.

Since 2013, the scale of GNSS interference has grown to levels that would have seemed implausible when Humphreys published his results. In channels we monitor, our 2026 corpus recorded 978 000 GPS jamming events, with approximately 98 percent concentrated in the Middle East and Persian Gulf. That figure gives the global scale — the bulk of events are happening in a theatre most superyachts do not visit. The problem is what is happening in the theatres they do visit.

Windward's data shows the average AIS position displacement from jamming grew from approximately 600 km in Q4 2024 to approximately 6300 km in Q1 2025 — a tenfold increase in the severity of position errors in a single quarter. More than 13 000 vessels globally were affected in Q2 2025. EUROCONTROL's EVAIR 2024 report recorded 3115 GNSS events in European airspace alone, including 550 spoofing cases — roughly 10 GNSS disturbances and 2 confirmed spoofing events per day. The three hotspots: Eastern Mediterranean, Black Sea, Baltic. EASA and IATA report that GPS signal loss increased by 220 percent between 2021 and 2024, with more than 580 000 instances recorded across approximately 18,4 million flights in that period; 2024 disruptions were up 175 percent year on year, and spoofing events up 500 percent versus 2023.

The scale of a single event on 4 April 2024 makes the point concretely. Lloyd's List reported that 117 cargo vessels simultaneously showed their AIS position as being at Beirut's Rafic Hariri International Airport. Another 45 showed positions at Cairo International Airport the same day. NATO and Sperry Marine analysis identified 227 position spoofing events in the Black Sea and 117 in the Mediterranean that day. Lloyd's List recorded 655 GNSS interference incidents in the year to March 2024, with 35 vessels per day affected in the Eastern Mediterranean in March alone.

The systems that fail when GNSS is attacked are not just the chartplotter. A Royal Institute of Navigation survey of 271 maritime professionals found that 85 percent reported GNSS receiver impact, 75 percent AIS, 70 percent ECDIS, and 51 percent radar. Dynamic positioning systems, gyrocompasses, autopilots, Doppler logs, VDRs, SSAS, and INS were all documented as affected. UK P&I noted in 2026 that a corrupted PNT stream propagates through "virtually the entire integrated bridge" — and that spoofing is more dangerous than jamming precisely because it provides a credible but false picture, potentially undetected by crew. Sperry Marine describes "fine spoofing" techniques capable of steering a vessel toward pirates or hostile forces without obvious indications at the helm.

The consequences of navigating on false positions extend to loss of life. On 10 May 2025, the container vessel MSC Antonia grounded in the Red Sea with GNSS spoofing identified as a contributing factor in the Marshall Islands Marine Safety Advisory YSA-2025-05. MSC Antonia is a container ship, not a yacht — but the UT Austin 2013 experiment is the yacht-specific proof of concept, and the commercial-vessel casualty record shows what that proof of concept leads to at scale.

One further development compounds the risk specifically for superyachts: in May 2026, SpaceX moved to disable the local Starlink position service — effective 20 May 2026 — that many maritime users had relied on as an independent, spoofing-resistant cross-check against GPS. Superyachts have migrated to Starlink Maritime in large numbers. The convergence of communications and positioning in a single Starlink terminal means that whatever affects the link affects both systems simultaneously.

Why this matters: The Eastern Mediterranean is where the majority of global superyacht charter takes place in summer, and it is one of the most active GNSS interference theatres in the world. A captain who does not have an independent means of verifying position — optical, inertial, or celestial — is navigating on data that may be false.

One thing to do: Fit at least one GNSS-independent position reference — a fibre-optic gyrocompass with inertial navigation, a dedicated AIS receiver cross-checked against observed vessel behaviour, or the discipline to take regular celestial or visual fixes. Train your crew to recognise the symptoms of spoofing: a position jump, an apparent course deviation that autopilot "corrects" toward an unexpected heading, AIS targets that appear in implausible locations.

Finding 4: The regional map — Mediterranean, Canaries, Caribbean

Eastern Mediterranean

The Marshall Islands Marine Safety Advisory YSA-2025-05 classifies the Eastern Mediterranean as a "Substantial" threat level for GNSS interference, identifying specific areas near Cyprus, Syria, Turkey, Israel, and Lebanon, with incidents extending to Port Said, Suez, and Jeddah, and jamming reaching toward the Sudanese coast. In mid-2024, Cyprus's minister of transport publicly attributed island-wide GPS interference — affecting vehicles, mobile phones, and drones — to the conflict in Gaza. Grindrod's May 2025 circular documented "numerous instances" of GPS interference near Israel and Cyprus across the period 2022 to 2025.

This is the water where most of the world's superyachts spend their summers. There are currently 6174 superyachts longer than 30 metres in the global fleet, with more than 200 completions a year. The Mediterranean accounts for 65 to 70 percent of global summer charter weeks; Greece alone takes approximately 30 to 31 percent of Mediterranean charter bookings. The charter fleet of yachts over 24 metres stands at approximately 3830 vessels, growing at 7,4 percent per year. At the Med Yacht Show in Nafplio in 2024, 102 superyachts were anchored simultaneously in the Gulf of Argolida over five days. Lloyd's List's March 2024 data recorded 35 vessels per day affected by GNSS interference in the Eastern Mediterranean in that single month alone.

Canary Islands

Las Palmas is the last significant marina before the Atlantic crossing. Marina Las Palmas holds 1363 berths with capacity up to 50 metres LOA. It is where yachts stage for weeks before the Atlantic Rally for Cruisers departure — approximately 150 to 200 yachts per year since 1986, all of them required to be equipped to send and receive email, none of them subject to any cyber hygiene requirement in the ARC documentation. The Canaries are also where satcom and IT systems get fitted and upgraded for the passage.

The cyber incident on record here is not a vessel breach. Petrologis Canarias, a fuel storage and bunkering operation at the Port of Las Palmas, was hit by LockBit 2.0, with the threat group claiming to hold more than 11 GB of data after the ransom went unpaid. A ransomware compromise at a bunkering provider sits close to the vessel: it affects port schedules, fuel certifications, and the commercial relationships that superyachts rely on for their service stops.

To be clear: the Canary Islands are not a documented GNSS jamming hotspot. The exposure here is not about local signal interference — it is about target concentration and the bunkering and agent ecosystem. Yachts at Las Palmas are in a narrow window of vulnerability, fitting out, connected to marina Wi-Fi, with crew turnover happening before a long passage.

Caribbean

From 29 October 2025, yachts in the southern Caribbean began reporting sudden GPS losses, incorrect positions, and chartplotter freezes near the waters off Venezuela and Trinidad. Monitoring groups confirmed GNSS interference, attributed to probable military operations in the area. The Caribbean is now among the six global zones of active GNSS interference documented by ShippingTelegraph as of 2026.

The cyber ecosystem in the Caribbean is not strong. The US Virgin Islands Port Authority was hit by PYSA ransomware in approximately January 2021, disrupting port operations and taking systems offline. Digicel's BVI reporting records ransomware up approximately 35 percent, phishing up approximately 25 percent, and breaches up approximately 30 percent across the region. The US Coast Guard ran tabletop exercises in St Croix and St Thomas in 2024 covering insider cyber threats and ransomware against regulated facilities — USCG is clearly aware of the gap.

The USCG's new final rule, signed 17 January 2025 and effective 16 July 2025, introduces mandatory cybersecurity plans, designated cybersecurity officers, detection and response capability, and National Response Center reporting for vessels and facilities under its jurisdiction. The Caribbean charter season was, until this rule, operating entirely without that baseline.

Why this matters: Superyachts follow a predictable seasonal migration — Med in summer, Canaries in autumn, Caribbean in winter and spring. That circuit now runs through three distinct cyber-threat environments, each with documented incidents. The fleet moves; the threats move with it.

One thing to do: Map your vessel's seasonal itinerary against the GNSS hotspot data and the cyber-incident record for each region. Brief the captain before each leg transition — not as a crisis notice, but as a routine intelligence update equivalent to the weather forecast.

Finding 5: The network edge — convergence and the Fortinet question

A decade ago, the dominant firewall on superyachts was a Kerio appliance. Kerio held approximately 90 percent of the market on vessels over 40 metres. Today that share has dropped below 50 percent, replaced by FortiGate as the new next-generation firewall standard for the segment. Lambda Marine, a well-known superyacht IT integrator, publicly describes deploying a FortiGate FG-300D on a superyacht with VSAT, 4G, and 3G inputs and VLANs segmented between owner, guest, and crew networks. NexusOcean has a documented Fortinet case study covering Secure SD-WAN deployment on vessels.

FortiGate's dominance in the segment makes a credential-theft campaign against FortiGate SSL VPN interfaces directly relevant to superyachts. That campaign — known as FortiBleed — is not a zero-day vulnerability. It is credential stuffing: brute force and recycled leaked passwords used against exposed FortiGate management and VPN interfaces where MFA is absent and password hygiene is poor. Fortinet and CISA have both attributed the problem to exactly those factors, not to a software flaw. The documented scope is approximately 73 000 to 75 000 unique FortiGate SSL VPN addresses across 194 countries, with tens of thousands estimated to carry working credentials.

The link between those 73 000 to 75 000 FortiGate addresses and superyachts specifically is an inference from market penetration, not a verified victim list. There is no public, confirmed catalogue of compromised superyacht FortiGates with vessel names or owner identities. That distinction matters. What I can say from internal reconnaissance — and will say without naming vessels or a specific satcom provider — is that a leading yacht satcom provider's infrastructure shows FortiGate deployments at scale, with device serial numbers visible in SSL certificates. That is not a confirmed compromise; it is an exposed attack surface.

What full admin access to a superyacht's network edge would mean: MITM visibility into every session on owner, guest, and crew VLANs — banking, Microsoft 365, property management, correspondence. Credential harvesting for Active Directory, shoreside management systems, and any ECDIS backend that shares authentication. IMO and classification societies mandate IT/OT separation, and in theory that separation limits how far a compromised network edge can reach toward navigation systems. In practice, the degree of that separation varies between vessels and between refit generations — and that variation is where theoretical OT risk lives. No publicly confirmed case exists of an attacker pivoting from a compromised superyacht firewall to OT systems; the documented incidents remain in the IT and payment layer described in Finding 1.

The Starlink convergence doubles the exposure at the GNSS layer. Superyachts that have migrated to Starlink Maritime — the majority of new installations — rely on the same terminal for both communications and, through integration with bridge systems, positioning data. The May 2026 Starlink change — disabling the dish's local position service — removes one layer of protection from a system that is increasingly acting as both the satcom link and the GNSS reference.

Cost anchor: a ransomware incident on a superyacht has been publicly costed at $2 million in the Tristate Marine case study. That figure should frame any conversation about security investment.

Why this matters: The network edge is where the IT vulnerabilities documented in Finding 1 and the OT risks described in Finding 3 converge. A compromised FortiGate is not a problem contained to the IT VLAN — it is full visibility into everything crossing the link, and a potential bridge to deeper access depending on the vessel's network architecture.

One thing to do: Audit your FortiGate's management interface: confirm it is not exposed to the internet, that MFA is enforced on both the management GUI and the SSL VPN, and run the management IP against the Hudson Rock FortiBleed checker or equivalent. If you are not certain who last changed the admin password, change it now and rotate it on a schedule.

Finding 6: What "good" looks like

The regulatory baseline for cyber on commercial vessels is IMO Resolution MSC.428(98), which requires cyber risk to be integrated into the Safety Management System — making cyber part of the ISM Code and therefore a flag-state and port-state control matter. Commercially operated superyachts over 500 GT on international voyages fall within SOLAS and the ISM Code, and therefore within MSC.428(98). Private pleasure yachts not engaged in trade fall outside the ISM Code regardless of tonnage — for them, and for vessels below the 500 GT threshold, the obligation depends on flag state and any applicable yacht code.

IACS Unified Requirements E26 and E27 set more specific standards: E26 for vessels, E27 for onboard systems. They apply to newbuilds contracted from July 2024 onward. Yachts contracted before that date are not automatically bound by E26/E27, though classification societies increasingly apply equivalent standards to vessels seeking classification renewals.

The USCG's final rule signed 17 January 2025 — effective 16 July 2025 — is the most operationally specific recent development for vessels in US waters. It mandates a written Cybersecurity Plan, a designated Cybersecurity Officer, documented detection and response capability, and reporting of cyber incidents to the National Response Center. For context: Executive Order 21 February 2024 (33 CFR Part 6) defined what constitutes a cyber incident under USCG jurisdiction; NVIC 02-24 and NVIC 01-20 provide implementation guidance.

There is a legal dimension to GNSS manipulation that is rarely raised in yacht contexts. UNCLOS Article 19 covers innocent passage — the right of vessels to transit territorial waters without their navigation being deliberately interfered with. Article 87 covers freedom of navigation in international waters. Both are tested by deliberate spoofing that forces a vessel off its track, but the attribution problem is severe: demonstrating that a specific government or actor caused a specific spoofing event to a standard that supports a legal claim remains extremely difficult. The submarine cable blind spot in UNCLOS — the absence of a dedicated attack attribution and liability framework — has a parallel in GNSS interference.

Luca Carrà, Automation and Cyber Security Project Manager at RINA and my co-panellist at the Monaco MEBC on 9 and 10 July, frames this correctly: cyber resilience is an asset, not a cost. A vessel that can demonstrate its network architecture, its crew training record, and its incident-response capability is a more insurable asset — more charterable, and easier to sell. The insurers are beginning to price this in. The early movers on superyacht cyber are not the ones that waited for an incident to motivate them.

Practical steps that move the needle immediately: deploy phishing-resistant MFA across all accounts used for operational correspondence and financial management; segment owner, guest, and crew VLANs and enforce that segmentation at the network layer, not just in policy; restrict the FortiGate management GUI to a dedicated management VLAN with no internet exposure; run a log audit quarterly and look specifically for authentication anomalies on the VPN; run any public-facing FortiGate IP through the Hudson Rock FortiBleed credential-check tool or an equivalent service.

Why this matters: The regulatory framework exists. The classification society standards exist. The practical controls are not exotic — they are IT fundamentals applied to a context that has historically treated IT as a guest service rather than an operational risk. The gap between the regulatory baseline and the average superyacht's actual security posture is where incidents happen.

One thing to do: If your vessel has never had a structured cyber assessment — not a vendor pitch, but an independent audit of network architecture, authentication controls, and crew awareness — book one before the next season. The USCG rule, MSC.428(98) compliance, and IACS E26/E27 all provide frameworks; any competent maritime cyber specialist can map your actual posture against them and give you a gap list.

Six takeaways

1. The yacht cyber breach is documented, not hypothetical. MarineMax (123 494 people, 225 GB, the Rhysida group) is the scale case; the Monaco Yacht Show phishing case and the Riela file-server takeover are the vessel-level cases. The attack surface is IT and email, and it is active now.

2. The AV layer is running CVSS 10.0 vulnerabilities. CVE-2025-47419 and CVE-2025-34054 both carry perfect CVSS 10.0 scores. CVE-2025-34054 is actively exploited in the wild. These are not future risks — they are present on vessels fitted with Crestron and AVTech equipment that have not been patched.

3. GNSS is no longer a reliable single-source truth. The UT Austin 2013 superyacht spoofing experiment proved the capability. The Eastern Mediterranean in summer 2025 proved the scale — 35 vessels per day affected in March 2024, a tenfold increase in average position displacement between Q4 2024 and Q1 2025. Every yacht on the Med this summer is operating in a confirmed GNSS interference theatre.

4. The superyacht seasonal circuit runs through three distinct threat environments. Eastern Mediterranean (GNSS at "Substantial" Marshall Islands level, IT breaches documented), Canary Islands (transatlantic staging, bunkering infrastructure attacked, crew BYOD window), Caribbean (GNSS interference confirmed from 29 October 2025, port authority hit by PYSA ransomware, USCG rule now active). The threat follows the fleet.

5. The Fortinet question is real but hedged. FortiGate has replaced Kerio as the dominant superyacht firewall. FortiBleed's 73 000-device credential-stuffing scope makes the link plausible via market penetration — but no public victim list of named vessels exists. The unhedged finding is that MFA and restricted management GUI access are not optional on any network edge in this environment.

6. Cyber resilience is a commercial asset. MSC.428(98), IACS E26/E27, and the USCG final rule (effective 16 July 2025) provide the compliance floor. Luca Carrà's framing at RINA is right: the vessel that can demonstrate its security posture is more insurable, more charterable, and more sellable. The cost of a ransomware incident is $2 million in the documented case. The cost of the controls that would have prevented it is a fraction of that.

What I'm watching next

  • Whether the USCG final rule (effective 16 July 2025) produces the first enforcement actions against commercial yachts, and whether that drives behaviour change in the flag-of-convenience segment

  • The market response from hull and P&I insurers to superyacht cyber exposure — specifically whether underwriting questionnaires begin including network architecture and MFA as pricing factors

  • Whether Starlink issues a technical workaround or clarification after disabling the local position service that maritime users relied on as a spoofing cross-check

  • Whether any of the 2025–2026 Crestron and AVTech CVEs (CVE-2025-47419, CVE-2025-34054) appear in confirmed superyacht incident reports — the active exploitation record of CVE-2025-34054 makes this likely

  • GNSS interference patterns in the Caribbean ahead of the 2025–2026 charter season, following the confirmed interference events off Venezuela and Trinidad from 29 October 2025 onward

  • The cyber due-diligence provisions in superyacht sale and purchase agreements — currently almost nonexistent; expect change as incident costs become visible to the S&P market

Resources

  • Marshall Islands Marine Safety Advisory YSA-2025-05 — the official flag-state safety advisory on GNSS spoofing with Eastern Mediterranean classification as "Substantial"; register-iri.com

  • UK P&I Club (2026) — guidance on GNSS spoofing and its propagation through integrated bridge systems; ukpandi.com

  • EUROCONTROL EVAIR 2024 — 3115 GNSS events, 550 spoofing cases, hotspot analysis; eurocontrol.int

  • Windward maritime intelligence — AIS position displacement data (600 km → 6300 km), 13 000+ vessels affected; windward.ai / rntfnd.org

  • Starlink local position service disabled (effective 20 May 2026) — SpaceX removing the dish-derived local position that maritime users used as an independent GPS cross-check; reporting: 5gstore.com, edparsons.com, militarnyi.com

  • USCG Cyber Final Rule (17 January 2025) — mandatory Cybersecurity Plan, Cybersecurity Officer, NRC reporting; uscg.mil

  • IACS UR E26/E27 — unified requirements for vessels and onboard systems, applies to newbuilds contracted from July 2024; iacs.org.uk

  • Hudson Rock FortiBleed credential checker — check whether a FortiGate management IP appears in the credential-stuffing dataset; hudsonrock.com

  • NVD entries for CVE-2025-47419, CVE-2025-34054, CVE-2025-24132, CVE-2026-7865 — NVD verification of all four active CVEs cited in this issue; nvd.nist.gov

  • University of Texas Radionavigation Lab / Humphreys (2013) — "Spoofing a Superyacht at Sea", the foundational superyacht GNSS PoC; radionavlab.ae.utexas.edu

  • Monaco Yacht Show knowledge magazine (August 2025) — superyacht phishing/file-server case study; monacoyachtshow.com

  • Tristate Marine ransomware cost case — $2 million ransomware incident, superyacht context; tristate-marine.com

  • MarineMax 8-K (2024) — public disclosure, SEC EDGAR; SEC.gov; coverage: The Record, SecurityAffairs, Bitdefender, Comparitech

Keep reading