July 2004

Article written by Richard Orme
Published in The Yacht Report Magazine (Issue October 69)

What do you do when you receive a SSAS message from one of your yachts? This is the question that we, and most probably all other management houses, owners and most certainly Captains have questioned at some point while implementing ISPS.

Like many new codes and legislations there is always a period of uncertainty, criticism and scepticism from all camps while the various applications are filtered into the Large Yacht industry. ISPS has been no different.

At YPI management, we include the services of CSO and the application of an ISPS system as part of the full management package or as an individual service. However in the development of these services, it was clear to us that we needed to be sure that we could act accordingly when we actually received a real security alert. Just completing the necessary courses, developing an internal alert system and implementing the systems on the yachts was not enough.

Security threats at sea, whether it piracy, theft, terrorist acts, violent attacks or simply drunken behaviour are not new. These types of incidents have been around for hundreds of years and most probably, unfortunately, will be around for many more. The question as to whether ISPS will actually reduce or deter these types of activities in the Large Yacht industry is still to be seen over time. What we do know, with immediate effect, is that ISPS introduces accountability. Like ISM it defines duties and responsibilities for the Captain, Crew, Flag States and of course companies acting as CSO’s.

With accountability comes diligence, and for a CSO to be diligent requires more than a 5-day CSO course and all of a sudden declaring themselves as a security expert. Certainly a CSO course will give an individual the tools to start implementing ISPS on their respective managed yachts, plus a solid grounding into the concept of ISPS and what it strives to achieve. But being a CSO also means that you should be able to deal with any security threat that hits your desk, or mobile at 3am whatever nature. Can a 5 day course provide these skills? this is questionable, therefore to be diligent a form of Competent Authority should be considered.

There are a number of companies offering their services as competent authorities, one of whom YPI management have worked with closely on this poignant issue of SSAS response, is Drum Cussac. It is not unrealistic to state that a CSO could deal with 99% of all security incidents that occur on their managed yachts in house, it is that very important 1% that requires the extra skills, experiences, contacts and support from someone who can. It is this 1%, this very slight chance, that at some stage a company offering CSO services will receive the alert that their yacht has been boarded by pirates or worst still guests and crew taken as hostages for ransom. What do you do, well this is the question we wanted to answer. And the best way to answer this question, we felt was to throw ourselves into a 5 hour exercise and see what happened.

Like many companies, YPI management have been running internal exercises and drills based on safety and environmental protection for the requirements of the ISM code for many years. Therefore the idea of running a drill was pretty routine, however the nature of the drill and the use of a competent authority in such a manner was not. The two main objectives of the drill were to identify the following:

1. YPI management internal response to a serious piracy and hostage taking onboard a managed yacht
2. The response and services of a competent authority

The planning for the drill started 3 months prior to the day, with numerous meetings held with the team at DC (Drum Cussac) to ensure both parties knew the requirements and that every last detail was covered. Starting with a detailed description of our existing internal ISPS system, how this will be implemented for the drill, how the competent authority will be integrated, the type of security incident, the location, the personnel involved, the yacht and scenario, the confidentiality aspects plus many more points that needed to be covered in order for the drill to run as smoothly as possible.

With the main objectives of the drill in mind the scenario was set. It was decided to use a fictitious yacht, owned by a self-made billionaire with no obvious political or high profile enemies. The 80m motor yacht in question was on a world tour, stopping in Singapore for general maintenance and supplies. Onboard were family and guests of the owner plus a full complement of crew. The owner would not be onboard during the incident and was currently at home in the US. Following departure from Singapore, the yacht entered the infamous Malacca straights, where after the second night of cruising the SSAS alert was received by the CSO. It was assumed for the purpose of the drill that no extra security personnel were contracted onboard for the passage and the yacht was operating at security level 2.

To provide some background into the structure of the drill, the DC team manned the control room, which effectively played the part of yachts crew and guests, the owner, aggressors and of course the competent authority. In total there was a team of three from DC controlling the drill at all times so they were able to adjust to our in-house response team decisions and respond accordingly. Three days prior to the drill a full breakdown of the scenario was received from DC including backgrounds on the owner, the yacht, the crew, the scenario setting the scene plus details of the lines of communication. So as CSO we had our ISPS procedures in place as normal, we had the DC competent authority number as normal, and a general background knowledge of the drill scenario which was due to take place at a set time, conveniently 10.00 BST.

The day of the drill. To start the drill off it was arranged for one of our ‘real’ managed yachts to activate their SSAS as part of their normal monthly check and for our in-house response team to confirm the internal alert system was operational. This was duly done and the drill commenced.

Armed with the general knowledge of the pre-determined scenario, (which in reality is far more than a CSO would be privileged to have, however for the purpose of the exercise was essential) and an activated SSAS alert our internal ISPS procedures went into action.

Following the real time alert, activating the in-house response teams mobile phones (via sms text) and emails, the first response, for the CSO, or the in-house duty response manger is to confirm the scenario onboard. Our procedure for this is to call the yacht and through a pre-arranged codeword ascertain whether they can talk about the situation onboard or simply not because they have a gun to their head! From the drill log the first 6 minutes of the exercise continued as follows:

10:00 SSAS activated

10:02 SSAS alert received via in-house response team mobiles (via txt) and email alerts

10:02 – 10:05 In-house response team notified and put on standby, data of for yacht obtained to confirm crew and passenger lists, GA, and SSP, current security level and sit-rep of the location confirmed, CSO confirmed the yachts position, course and speed via the internet tracking system. Incident emergency response log opened and prepared to make the first contact with the yacht.

10:06 Call made to yacht by CSO, direct to Captain. Pre-arranged code word stated, no response from Captain. Captain stated ‘I can’t talk now’ and the line went dead.

The purpose of the first response call is to gather as much information as possible. If the Captain can talk great, however if he can’t, you as CSO need to respond accordingly. In the realms of the drill, thanks to DC we appeared to have a worst-case scenario, a yacht in the Malacca straights, guests onboard, captain not able to talk freely on the phone.

This was the first critical decision for the CSO to make. At this point of the drill we knew for definite key factual points, location, persons onboard etc… however we could only assume what was actually happening, could it be a terrorist attack, pirates or an irate crew member?

For the purpose of the drill, we did have the limited knowledge that the yacht had been boarded by pirates so we could move onto the next stage. However in reality, what as CSO do you do? How long do you wait until you can confirm what is actually happening onboard, when do you contact the owner, when do you contact the authorities, how confidential must the situation be kept. These are all questions we raised from the drill and concluded answers need to be known, filled and recorded in the response portfolios for each yacht before an incident occurs.

Following on from the first response call, it was clear for the CSO that the services of the competent authority were required.

With each yacht owner comes very different requirements, when they need or wish to be advised of a ‘situation’ is the golden question. The role of a Manger, Captain, DPA or CSO will all have their own thoughts on this. However when it comes to a security incident this is a decision that needs to be agreed prior to any incident occurring. However a great deal of this comes down to common sense, and with a yacht in a situation such as the drill, the decision was clear, you call the owner.

The next surprise from the DC team was a text message from a crew member stating ‘gunshots had been heard’. As CSO do you believe its real or a message from the aggressors? At this stage of the drill we have only assumed the worst, does the text confirm it – the assumption was yes. The next critical decision for the CSO was whether to reply to the text to try and gain more information. We did.

As the events were unfolding, the communication was flowing continuously between the in-house response team, the competent authority, the owner and when received, the yacht. A dedicated line was opened for the yacht so at any time the Captain or the aggressors could communicate. This is critical as with any emergency situation a Captain does not want to have to go through a companies switch board or receptionist to talk to the right people.

The breakthrough finally came 25 minutes into the exercise with a call received from the aggressors onboard demanding 5m USD in ransom for the safe release of the guests and crew. It became apparent that the aggressors knew the owner of the yacht and through searching the guests’ passports identified the owners family onboard. Realised they had the ace card and were prepared to play it.

25 minutes into the exercise, the CSO and response team knew what they were dealing with. Conferring with the competent authority, a decision was made for all further communications with the aggressors to be conducted by their trained ‘civilian’ negotiator who with the translators were on stand by and most capable of bringing the situation to a peaceful conclusion. Again this was a critical decision, being a CSO does not automatically mean you can negotiate kidnap and ransom terms, this must be done by trained professionals. A good example of this, was our reply to the crew members text, which subsequently lead to a crew member being caught by the aggressors and in the realm of the drill aggravated them and increased the ransom to 8m USD at the same time putting the crew member in a dangerous position. Will all have to remember a drill of this type is ‘role play’ however our action caused this very possible reaction onboard. The lesson learnt, to communicate with the yacht only when you know the person on the other end of the line is secure (i.e. not an aggressor) or it is safe to do so for that person, if in doubt don’t do it!

The drill then continued as planed for the next five hours, with various demand changes from the aggressors, loss of communications and AIS signal, arrangement of fund transfers with the owners, and practical arrangements like reception committees being located on the ground to arrange medical care, visa’s, flights, embassy staff, local authorities, media, the list was endless.

The second interesting curve ball from DC, was a random call from a journalist, whom seemed to know all about the situation. The test here was quite clear, have a convincing cover story per-arranged. As when you are in the middle of a scenario, even in a drill, to make something convincing up on the spot just doesn’t work and hanging up only fuels their inquisitiveness.

The drill finally ended peacefully with the funds being transferred, and the aggressors departing the yacht in a pre-arranged location, which was being monitored by a team provided by the competent authority to track the yacht and to secure it once the aggressors had departed. The ground committee were by this time on site and there to safe guard the guests and family.

With the aggressors departed, the guests and family safely ashore the yacht was then re-located with a commercial tug escort to Singapore.

It is often hard in a drill to keep things as realistic as possible. For example this drill was conveniently 5 hours long through our working day, however what would happen if it was 3am on a Saturday and lasted 3-4 days, do we as CSO and as an in-house response team have the man power to last 4 days, do we have the communications, do we have the resourses. These are some of the questions we got from this drill and ones we now have the answers to.

With regard to the competent authority, no one should be under any pretences that any civilian company will arrange guys in black suits to fly by helicopter to re-take a seized yacht. This simply is not realistic. However what became evident through our exercise was that there is a tremendous amount that can be offered by a competent authority in such a situation without resorting to any type of military action.

How did we respond? Well there were many questions raised from the drill that no doubt refined our internal ISPS procedures for this type of incident, and the use of a competent authority in this type of scenario proved extremely valuable. But like any incident prevention is better than a cure, so to try and prevent these types of incidents happening as CSO’s is the way forward, however as a CSO you must always ask yourself the ‘what if’ just in case.

Richard Orme Yachting Partners International