
5 Cyber Security KPIs Superyachts Should Measure and How to Track Them

Matt

Cyber risk management is about building awareness, setting baselines, and embedding good habits.

Here are 5 KPIs (Key Performance Indicators) every superyacht should monitor, based on industry best practice from the IMO, BIMCO, and NIST cyber security publications and frameworks:

1. Crew Cyber Awareness Completion Rate

  • What it measures: Percentage of crew who’ve completed cyber awareness training.
  • Why it matters: Human error remains the #1 cause of successful cyber incidents.
  • How to measure: Use a simple tracker or learning management system to log completed annual cyber training and refresher sessions.
  • Example Goal: 100% of the crew trained within the first 3 months on board.

2. Patch and Update Timeliness

  • What it measures: Time taken to install critical security updates for onboard IT and OT systems.
  • Why it matters: Delayed updates are a key vulnerability; many cyber attacks exploit known flaws in outdated software.
  • How to measure: Maintain a log of update notices vs. actual install dates, including firmware and operating systems.
  • Example Goal: 100% of critical patches installed within 14 days.
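As an added worked example (not from the original post), this script computes KPI 2 from the kind of notice-vs-install log described above, against the post's 14-day goal for critical patches. The asset names and dates are a constructed sample; outstanding patches that have already passed the 14-day window count as overdue rather than being silently ignored.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SLA_DAYS = 14  # the post's example goal: critical patches installed within 14 days


@dataclass(frozen=True)
class PatchRecord:
    asset: str                 # hypothetical onboard system name
    severity: str              # "critical", "high", ...
    notified: date             # date the update notice was received
    installed: Optional[date]  # None = not yet installed


def days_open(rec: PatchRecord, as_of: date) -> int:
    """Days from notice to install, or to `as_of` if still outstanding."""
    end = rec.installed if rec.installed is not None else as_of
    return (end - rec.notified).days


def patch_timeliness(records, as_of: date, sla_days: int = SLA_DAYS,
                     severity: str = "critical") -> dict:
    """Share of patches of the given severity installed within the SLA window."""
    scoped = [r for r in records if r.severity == severity]
    on_time = overdue = pending = 0
    overdue_assets = []
    for r in scoped:
        age = days_open(r, as_of)
        if r.installed is not None and age <= sla_days:
            on_time += 1
        elif age > sla_days:      # installed late, or still open past the SLA
            overdue += 1
            overdue_assets.append(r.asset)
        else:                     # still open, but inside the SLA window
            pending += 1
    total = len(scoped)
    pct = round(100.0 * on_time / total, 1) if total else 100.0
    return {"total": total, "on_time": on_time, "overdue": overdue, "pending": pending,
            "overdue_assets": sorted(overdue_assets), "compliance_pct": pct}


# Constructed sample log (not real vessel data)
AS_OF = date(2024, 4, 1)
SAMPLE_LOG = [
    PatchRecord("ECDIS workstation",    "critical", date(2024, 3, 1),  date(2024, 3, 10)),
    PatchRecord("Crew Wi-Fi controller", "critical", date(2024, 3, 1),  date(2024, 3, 20)),
    PatchRecord("Engine monitoring HMI", "critical", date(2024, 3, 15), None),
    PatchRecord("Guest media server",   "high",     date(2024, 3, 1),  date(2024, 3, 28)),
    PatchRecord("Satcom firmware",      "critical", date(2024, 3, 25), None),
]

if __name__ == "__main__":
    print(patch_timeliness(SAMPLE_LOG, AS_OF))  # compliance_pct 25.0 for the sample
```

Run it on a real log exported from your update tracker by replacing SAMPLE_LOG; the "pending" count tells you how many critical patches can still be installed in time before they hurt the quarter's figure.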

3. Network Segmentation Effectiveness

  • What it measures: Whether onboard VLAN networks are correctly separated so that an attacker cannot move laterally between them.
  • Why it matters: Poorly segmented networks allow attackers to move from low-security areas (like guest or crew Wi-Fi) into critical systems (such as navigation or engine systems).
  • How to measure: Include network segmentation as part of the cyber risk assessment and test it during routine drills. (Preferably tested and verified by a specialist third-party).
  • Example Goal: Demonstrate network segmentation in place and reassess quarterly.

4. Incident Response Drill Frequency and Readiness

  • What it measures: Number and quality of cyber incident response drills conducted.
  • Why it matters: Even a basic plan, well-practised, reduces chaos and downtime during actual events.
  • How to measure: Record drills, evaluate crew participation and speed of response, and update response plans based on lessons learned.
  • Example Goal: Minimum one drill per year, ideally one per half-year or quarter.

5. Third-Party Access and Risk Review Completion

  • What it measures: Review of who has remote access to the yacht (e.g., suppliers, support engineers) and whether access is secure and necessary.
  • Why it matters: Many attacks enter through trusted third parties.
  • How to measure: Maintain a list of all vendors with access and review it quarterly; ensure MFA (multi-factor authentication) and access controls are enforced.
  • Example Goal: 100% of remote access audited and compliant with agreed controls.

These KPIs aren’t just for ticking boxes; they help create a culture where cyber safety is part of standard operations, just like fire drills or engine checks.
