Month: November 2025

Sailing, especially on large, open waters, has always carried many risks. Some of these risks can be more easily mitigated (e.g., by building vessels with better construction), while others can only be prevented (e.g., by anticipating adverse weather conditions). 

In today’s world, however, there is another emerging threat – the risk associated with cybersecurity. 

On a yacht, this is not only a technological issue but also a legal one. It can have significant implications for owners, shipowners, and the crew. Ensuring the vessel’s cybersecurity is becoming increasingly important for the safety of navigation, data protection, and avoiding potential legal liability. 

Cybersecurity as an element of maritime safety 

Cybersecurity is the organised management of risks associated with the use of IT systems. 

IT systems affect the daily work of the crew, passenger comfort and overall navigation. These include, for example, Wi-Fi networks and crew and passenger computers. Problems with these systems can delay a voyage, disrupt communication or cause data loss. 

Some of them, such as autopilot systems or propulsion control, have a direct impact on the physical operation of the yacht. Disruption of their operation can lead to loss of controllability, navigation errors or loss of communication. 

The yacht also processes the personal data of crew members and passengers. Violation of personal data protection rules resulting from a lack of adequate security measures may in turn lead to claims or notification obligations. 

Therefore, ensuring cybersecurity on board is an integral part of maritime safety. 

Example:
During a cruise in the Mediterranean Sea, a luxury yacht suddenly changes course. It turns out that a cybercriminal has taken control of the autopilot. The crew must quickly regain control to avoid running aground. 

International rules and regulations 

Cybersecurity rules on yachts are governed by international law. The International Maritime Organisation (IMO) introduced the obligation to include cyber risk in the International Safety Management (ISM) system in 2017. In 2024, an industry shipping consortium involving BIMCO (Baltic and International Maritime Council) and others issued specific guidelines on this issue. 

Although these regulations mainly apply to commercial vessels, their principles are equally important for yachts. Compliance with them can help manage risk, limit legal and financial liability, and keep documentation in order. 

Example:
The yacht owner regularly audited the systems in accordance with IMO guidelines. During the attack attempt, critical areas were protected, which prevented an incident and avoided costly claims. 

Cyber risks on a yacht – what are we facing? 

Cyber threats on a yacht can come from various sources. Here are the most common problems that may occur while sailing: 

1. Targeted attacks – cybercriminals can take control of yacht systems, such as the navigation system, leading to a change of course, data theft or disruption of yacht operations.
2. Accidental attacks – e.g. installing software that contains a virus that can infect systems.
3. Crew errors – crew members may accidentally introduce a threat, e.g. through improper management of access to IT systems.
4. Supplier errors – suppliers who do not adhere to appropriate security standards may introduce devices or software that are vulnerable to attack. 

Common cyber threats include: 

• phishing – attacks involving impersonating trusted sources in order to obtain login details,
• malware – malicious software that infects systems,
• ransomware – locking systems and data and demanding a ransom,
• Wi-Fi attacks – taking control of the Wi-Fi network on a yacht,
• navigation manipulation – e.g. manipulating GPS data in order to steer a yacht onto a dangerous course. 

Example:
A young crew member connects his phone to the on-board network, unknowingly introducing malware that blocks the yacht’s computers and compromises passenger data. 

Cyber risk management cycle – IMO and NIST 

Cyber risk management is based on a cycle consisting of five steps: 

1. Identification – identifying resources and threats related to IT systems,
2. Protection – implementation of appropriate security measures, such as access and user control,
3. Detection – monitoring systems for threats and analysing logs,
4. Response – taking corrective action in response to an incident,
5. Recovery – restoring normal operations after an incident and securing systems.

This cycle, developed by IMO and NIST, should be activated regularly, especially after any system changes or incidents. 

Example:
Upon detecting unusual activity in the logs, the team immediately implemented the response and recovery procedure, minimising the impact of the attack. 

Responsibilities of the owner, operator, crew and suppliers 

Cybersecurity management on a yacht is not the responsibility of just one entity. There are five entities, each with its own specific duties in this regard: 

• owner: responsible for ensuring adequate financial resources for the implementation and maintenance of the cybersecurity system, defining security policies and conducting regular reviews,
• operator: manages cyber risk, verifies service providers, provides crew training,
• crew: complies with access policy, monitors systems and reports any irregularities,
• suppliers: ensure that their products comply with cybersecurity requirements, secure devices and software,
• passengers: they have no specific responsibilities, but should comply with the cybersecurity rules on board.

Cybersecurity is an issue that cannot be ignored from any perspective. A threat to a yacht from one of the entities mentioned above may pose a threat to all. 

Example:
A new navigation system was installed on a yacht, but the supplier did not verify the relevant security measures. Thanks to the shipowner’s vigilance, the vulnerability was detected and immediately removed. 

Protective measures and procedures 

There are simple and common measures to increase cybersecurity on a yacht. From the perspective of those responsible, it is definitely worth implementing: 

• network segmentation – division into zones (guests, staff, critical systems) to minimise the risk of threats spreading,
• access management – use of strong passwords, differentiation of passwords in different systems, regular password changes,
• software updates – regularly updating systems from trusted sources,
• security policy – implementation of procedures concerning access, use of external devices, system monitoring and incident response. 

Imagine a yacht as a hotel – only people with the appropriate “key” are allowed access to the navigation systems, which reduces the risk of unauthorised access. 

Conclusion 

Cybersecurity on a yacht is an important element of navigational safety management, data protection and legal risk minimisation. The use of appropriate protective measures, system monitoring, compliance with regulations and the implementation of incident response procedures help to reduce risk and ensure safety on board. Although cyber attacks in the maritime environment may seem rare, it is worth implementing the recommended procedures to avoid serious consequences. 

We will return to this topic, so if you are interested, keep an eye on our content! 

The end of the year is a time for entrepreneurs to close their accounts, budgets and projects. It is also the moment when most invoice receivables actually expire. If your company has outstanding invoices from 2023 and earlier, there is a high risk that at the end of this year you will lose the opportunity to effectively pursue payment in court.  

It is true that the debtor remains a debtor after the expiry of the limitation period. However, they gain a very powerful tool: they can raise the defence of limitation.   

You will then have a much bigger problem with enforcing your claim.  

After raising the defence of limitation, the court will dismiss your claim, and you will be left with an unpaid invoice, a lost case and the costs of the proceedings.   

In practice, this means that after the limitation period has expired, you can only count on:  

1. either a set-off against your debt (if you owe each other something), 
2. or the debtor’s goodwill – which, unfortunately, rarely works at that point.

When your receivables become time-barred – the most important deadlines 

From the point of view of running a business, there are three basic deadlines: 

• 2 years – receivables from sales made within the scope of the seller’s business (classic sales of goods between companies – Article 554 of the Civil Code) or a contract for specific work;
• 3 years – receivables related to business activities (typical B2B invoices for services, deliveries, some contractual penalties);
• 6 years – this is the general limitation period for receivables not covered by shorter periods (relatively rare in business-to-business transactions).  

The limitation period begins on the date on which the claim became due – most often this is the day following the invoice payment date (e.g. if the invoice payment date is set for 15 April 2023, it becomes due on 16 April 2023).  

In addition, the rule applies that if the limitation period is at least 2 years, it ends on the last day of the calendar year, and not exactly after 2 or 3 years ‘to the day’.  

This is why:   

• many invoices from 2023 (especially for the sale of goods) will expire on 31st December 2025,
• some claims from 2022 covered by a 3-year limitation period (e.g. B2B services) will also expire at the end of 2025.

Example – how it works in practice 

In May 2023, shipyard “Maritime New Wave” issued an invoice to “DEF” for the sale of a hull for a vessel, with a payment deadline of 30 June 2023. “DEF” did not pay, and the shipyard, busy with its current business, did not take any effective legal action, hoping that the payment would be made soon: 

• the claim became due on 1 July 2023,
• the limitation period (sale of goods, 2 years) would ‘nominally’ expire on 1 July 2025,
• but due to the end-of-year rule, the limitation period will not expire until 31 December 2025.  

If, by that date, shipyard “Maritime New Wave” has not taken any action to interrupt or suspend the limitation period, after the New Year the chances of successfully enforcing this invoice in court will fall to virtually zero.   

What interrupts the limitation period  

Interrupting the limitation period means that after the action is completed, the period starts counting again from scratch – as if the clock had been reset. The most important interrupting actions include, in particular:  

• filing a lawsuit for payment in court, 
• acknowledgement of the debt by the debtor – e.g. signing a settlement agreement (judicial or extrajudicial), written confirmation of the balance, request to spread the debt into instalments, partial payment,
• initiation of enforcement proceedings (by a bailiff),
• filing a claim in the debtor’s bankruptcy proceedings.  

From a business perspective, this means that instead of sending reminders for months on end, it is often more profitable to:  

1. try to obtain a settlement/acknowledgement of debt, 
2. prepare and, in the absence of a response, file a lawsuit.

Summons to settlement proceedings and mediation – only suspension  

Currently, filing a request for a summons to settlement proceedings or initiating mediation only suspends the limitation period – for the duration of the settlement proceedings or mediation.  

In practice, this means that:  

• the limitation period is suspended for the duration of the mediation/conciliation proceedings, 
• but after their completion, it continues from where it left off, 
• so if there is one month left before the limitation period expires, after the mediation is completed, there will still be only one month left.  

Therefore, a summons to a settlement attempt or mediation can be a valuable debt management tool, but should not be the only option for protecting a claim, especially at the end of the year.   

However, if it is not possible to file a lawsuit in the last days of the year, for example because the preparation of the formalities would take too long, a summons to a settlement attempt is a good solution:  

• firstly, it demonstrates the good will of the creditor, who does not want to initiate court proceedings immediately, 
• secondly, it suspends the limitation period, which extends the time limit for preparing the claim and the necessary documentation, in case the conciliation attempt is unsuccessful.   

Importantly, drafting a request for a settlement attempt is much less demanding than preparing a statement of claim. Therefore, even when acting at the last minute at the end of the year, calling on the debtor to attempt a settlement can effectively prevent the loss of the opportunity to recover your money.   

What does not affect the limitation period  

Many entrepreneurs live under the misconception that since they send payment reminders, they do not have to worry about the limitation period. Unfortunately, from a legal point of view:  

• payment reminders, reminders, emails, phone calls – do not interrupt or suspend the limitation period, 
• negotiations with the debtor alone – also do not stop time.  

These actions make sense in a business relationship, but from the point of view of the Civil Code, they are neutral – the limitation period clock continues to tick.   

What about interest on invoices  

Interest generally expires after 3 years, at the latest when the principal amount expires. However, if the principal amount has been paid and the dispute concerns only the interest, the latter – as periodic payments – generally expires after 3 years.  

Can the debtor waive the statute of limitations defence?  

Yes, the debtor may waive the statute of limitations defence, but only after the limitation period has expired. An earlier waiver (e.g. a clause in the contract stating ‘I waive the statute of limitations defence’) is ineffective.  

However, it is worth remembering that the vast majority of debtors wait for the limitation period to expire rather than waiving it. Basing a debt recovery plan on the hope that the debtor will voluntarily waive the statute of limitations is therefore, to put it bluntly, a very risky strategy.  

Patience does not pay off – especially at the end of the year  

 The closer we get to 31 December 2025, the less room there is for calm consideration and the more for concrete decisions. Delaying action against unreliable contractors for too long may mean:  

• the definitive loss of the possibility of pursuing claims in court, 
• no real chance of enforcement (debtors often dispose of their assets, change their form of business, or declare bankruptcy in the meantime), 
• the need to write off the invoice in full as an expense – not because of bad law, but because of a lack of response at the right moment.   

What to do now – in a few steps  

At the end of the year, we recommend a simple but very effective course of action for entrepreneurs:  

1.  Make a list of outstanding invoices – focus in particular on those from 2023 (sale of goods) and 2022 (B2B services). 
2. Check the limitation periods – determine the due dates, the relevant period (2, 3, 6 years) and the actual end of the period (usually 31 December of the given year). 
3. Decide on further steps – demand, negotiations, settlement, lawsuit, securing the claim, filing a claim in bankruptcy.
4. Consider seeking the support of a law firm – especially when the receivables arise from mixed cases (goods, services, transport, energy) or when partial payments, settlements or mediation have already taken place.  

The statute of limitations is not a ‘bad rule against creditors,’ but a test of activity and professionalism in receivables management. If you want your company to avoid paying for other people’s delays, the end of 2025 is the time when it is really worth looking at outstanding invoices with a calculator and a calendar. And preferably with a solicitor at your side.

Marine insurance is among the most specific forms of insurance protection, in which the relationship between the parties is based on particular trust and professionalism. Maritime trade, which by its nature is commercial trade between entities providing their services on a professional basis, must guarantee a certain level of certainty for the parties, including the insurer. 

Unlike typical non-marine insurance, where the initiative in gathering information and the responsibility for proper regulation the legal relationship rests mainly with the insurer, in marine insurance it is the policyholder who is obliged to actively disclose all circumstances known to them that may affect the ultimate assessment of the risk. 

This duty, referred to as the system of spontaneous risk declaration, follows directly from article 304 of the Maritime Code and constitutes a development of the general principle of good faith (bona fides) in maritime trade. 

This principle has its roots in the tradition of English law, which treats the contract of insurance as a contract of utmost good faith. In practice, this means that both parties – the insurer and the policyholder – are obliged to act loyally and in a manner that enables a proper assessment of the risk. The result of applying this principle is that the policyholder obtains adequate insurance cover, while on the insurer’s side the risk is minimised and profit maximised. 

Essence of the duty of disclosure 

The duty to disclose material circumstances is one of the elements of the process of concluding a marine insurance contract. The policyholder should inform the insurer of all facts known to them that may have an impact on the assessment of the risk. This duty is of an active nature – it is not limited to answering the insurer’s questions, but requires the autonomous disclosure of all data that are material from the point of view of the risk, including those whose impact on the assessment may appear marginal. 

In marine insurance it is of particular importance that the policyholder is treated as a professional party, possessing knowledge and experience in navigation, including the risks associated with it. Consequently, it is the policyholder who bears responsibility for assessing which circumstances are material and should be disclosed. 

Material circumstances 

A material circumstance is any fact that could influence the insurer’s decision to accept or reject the risk, as well as the determination of the amount of the insurance premium. This covers a wide range of information, including: 

• data concerning the vessel and its technical condition,
• the crew’s qualifications,
• the nature of cargo,
• the planned route,
• and the season of the year. 

In insurance practice, material circumstances also include previous casualties, breakdowns, repairs or other events that may indicate an increased navigational risk. 

The limits of the duty of disclosure are determined by the reasonableness and scope of the policyholder’s professional knowledge. They are not obliged to disclose information that is objectively irrelevant to the assessment of the risk, or information that they could not have known even when exercising due diligence. 

On the other hand, non-disclosure of material facts — even without any intention to mislead — may lead to serious consequences, including releasing the insurer from the obligation to pay indemnity. 

Under Polish maritime law, a breach of the duty to disclose material circumstances when concluding the insurance contract entails serious consequences for the policyholder. 

Pursuant to the relevant provisions (article 305 of the Maritime Code), in such a situation the insurer may withdraw from the contract and at the same time retain the right to the full insurance premium. This means that failure to perform the duty of disclosure – even if the contract is terminated – does not release the policyholder from the obligation to pay the premium for the period during which the insurance risk existed. 

However, the legislature has provided for an exception to this rule: where the lack of information or its inconsistency does not result from the fault of the policyholder or the insured, the insurer may not exercise the right of withdrawal. In such a case, they are only entitled to demand an appropriate increase in the premium reflecting the actual level of risk. 

It follows that the policyholder must not only refrain from concealing data, but must also consider such data carefully and present them to the insurer, in an appropriate form, for further analysis. Moreover, the policyholder cannot hide behind the alleged irrelevance of facts that were not passed on to the insurer, because they are not entitled to unilaterally decide whether a given fact could be significant from the point of view of risk assessment. 

Conclusion 

The system of spontaneous risk declaration in marine insurance is based on the assumption that the policyholder is a professional and possesses the knowledge necessary to independently disclose all material circumstances that affect the insurer’s assessment of risk. Unlike in non-marine insurance, where the insurance company asks the questions, in marine insurance the informational burden rests on the policyholder. 

A breach of the duty of disclosure results in the insurer being able to withdraw from the contract while retaining the right to the full premium. 

In this context, it must be remembered that the rules discussed above are primarily intended to facilitate commercial trade. It is the entrepreneur who is obliged to analyse everything which, within their field of expertise, may be relevant to the insurer, while the insurer limits its activity to calculating the risk and the premium. Consequently, each party to the insurance relationship focuses on the matters specific to it, without intruding upon the competences of the other party.