"What is BMP6 and which vessels does it apply to?"

"Best Management Practices 6 (BMP6) is the industry guidance document published by BIMCO, ICS, INTERCARGO, INTERTANKO, and other shipping associations for self-protection against piracy and armed robbery at sea. BMP6 (published 2023, replacing BMP5 of 2018) covers the Indian Ocean High Risk Area and the Gulf of Guinea. It is not a regulatory requirement -- compliance is voluntary -- but it is de facto standard practice and is referenced in P\u0026I club insurance conditions and charter party clauses for transits through designated areas. Key BMP6 measures include: razor wire and citadel construction, enhanced watchkeeping, reporting to UKMTO (United Kingdom Maritime Trade Operations) before transiting the HRA, use of a Ship Security Alert System, and the vessel hardening checklist. Vessels under 500 GT and non-commercial vessels are included in the guidance but with adapted measures."

Security Intelligence

Maritime Security: Shipping, Offshore, and Vessel Protection | CloseProtectionHire

Q: "What are the current main piracy risk areas globally?"

"The Gulf of Guinea remains the global epicentre of maritime kidnap-for-ransom, though the frequency of offshore attacks has declined since 2020 following Nigerian Navy operations and deployment of private vessel protection detachments. IMB (International Maritime Bureau) data for 2023 records 57 incidents globally, of which 21 were in the Gulf of Guinea. The Red Sea became the dominant acute threat from late 2023: Houthi forces in Yemen launched over 100 attacks on commercial vessels between November 2023 and March 2025, using anti-ship ballistic missiles, cruise missiles, and drone strikes. Multiple vessels were seized or damaged; the Marshall Islands-flagged Galaxy Leader was seized in November 2023 with 25 crew detained. The Strait of Malacca and Singapore Strait remain the world's busiest shipping lane and a persistent armed robbery risk, particularly for vessels at anchor. The Black Sea presented elevated mine threat following the Russia-Ukraine conflict. The Gulf of Aden and Somali Basin have seen reduced activity since the peak of Somali piracy 2008-2012 but are not incident-free."

Q: "Are private maritime security companies (PMSCs) legal and how are they regulated?"

"Private Maritime Security Companies providing armed vessel protection detachments (VPDs) are legal in international waters and in the territorial waters of most flag states and coastal states that have enacted enabling legislation. Regulation varies significantly by flag state and coastal state. The IMO Interim Guidance (MSC.1/Circ.1443, 2012) and the ISO 28007 standard for PMSCs provide the international framework. Flag state permission is required: some flags (Panama, Marshall Islands, Liberia, Bahamas) have facilitative frameworks; others have more complex requirements. Port state law applies when vessels enter territorial waters: Sri Lanka, India, and Egypt all have different requirements for the embarkation and disembarkation of armed guards and the carriage of weapons. PMSCs operating to ISO 28007 and SOLAS requirements use a GUARDCON contract (BIMCO standard form) for engagement. There are no confirmed incidents of crew or vessel casualties caused by PMSC personnel using excessive force in the 2008-2025 period."

Q: "What is a citadel and when is it the right response?"

"A citadel is a hardened, lockable compartment within a vessel -- typically the engine room -- where crew can shelter during a piracy attack. A properly constructed citadel has: independent communications (satellite, not dependent on the ship's compromised systems), independent power, water and food stores for at minimum 48 hours, first aid supplies, and no access from outside without heavy cutting equipment. The citadel protocol requires all crew to reach the citadel when an attack is imminent, to lock down, and to communicate with UKMTO and naval forces while the attackers control the topside of the vessel. The effectiveness of the citadel protocol has been demonstrated in multiple incidents: a vessel whose crew successfully citadels creates a negotiating impasse for attackers -- there is no crew to use as hostages and naval forces have time to respond. BMP6 specifies citadel construction and protocol requirements."

Q: "What close protection is required for offshore platform and rig operations?"

"Offshore platform and rig security combines maritime security with site security principles. Key requirements include: a security risk assessment for the operating area (the Gulf of Guinea, West Africa, and the Caspian all present distinct profiles), personnel screening and access control for all persons aboard including contractors, anti-drone capability where UAV threat assessment warrants it (Gulf of Mexico rigs have reported drone surveillance), and a vessel and personnel protection protocol for crew transfer operations. The crew transfer phase -- between a platform supply vessel and the rig -- is the most vulnerable period from a personnel security standpoint. Crew transfer at night in unfamiliar locations without security oversight creates a targeting opportunity. Offshore security providers including Typhon Offshore, Ambrey Risk, and Signal Ocean provide combined maritime and platform security services for the oil and gas sector. For upstream operations in West Africa specifically, both MDAT-GoG (Maritime Domain Awareness for Trade -- Gulf of Guinea) and Control Risks provide real-time piracy threat intelligence."

Maritime security for commercial shipping, offshore operations, and superyachts. Covers BMP6, Gulf of Guinea, Red Sea Houthi attacks, PMSC regulations, citadel protocols, and close protection for maritime executives.

12 May 2026

Written by James Whitfield, Senior Security Consultant

Speak to the Team

Maritime security covers a range of distinct operating environments – commercial shipping on international sea lanes, offshore platforms and rigs in producing regions, and private vessels including superyachts in cruising areas that intersect with high-risk geography. The threat is not uniform across these environments, and the risk management response is calibrated accordingly.

The International Maritime Bureau (IMB) Piracy and Armed Robbery Report 2024 recorded 116 incidents globally in 2023, including 12 vessels boarded, 6 hijacked, 57 fired upon, and 5 crew kidnapped. Against those incident-level figures, the Houthi anti-ship campaign in the Red Sea represented a qualitatively different threat: state-sponsored, missile-armed, and capable of striking vessels well beyond the range of any prior commercial maritime security planning assumption.

Current Threat Geography

Red Sea and Gulf of Aden. The Houthi campaign launched in November 2023 in response to the Gaza conflict produced over 100 attacks on commercial vessels by March 2025. Vessels targeted included container ships, tankers, and bulk carriers with no direct connection to Israel or Israeli interests – the Houthis adopted a broader targeting policy as the campaign continued. Multiple vessels were damaged by missile and drone strikes; the Galaxy Leader (Marshall Islands flag) was seized with 25 crew in November 2023 and remained detained as of mid-2025. War risk insurance premiums for the area increased 400-600% within months of the campaign’s start, and a significant proportion of global container traffic was rerouted around the Cape of Good Hope, adding approximately 10-14 days to transit times.

Gulf of Guinea. The Gulf of Guinea – covering waters off Nigeria, Benin, Togo, Ghana, Ivory Coast, Cameroon, and Equatorial Guinea – was the world’s kidnap-for-ransom epicentre for commercial maritime from approximately 2014 to 2020. At peak, over 130 crew were kidnapped from vessels annually. Following Nigerian Navy offshore patrol increases, regional maritime interdiction coordination under the CRESMAO framework, and increased private vessel protection detachment deployment, the frequency declined: IMB recorded approximately 20-30 crew kidnapped in 2023. The threat is not eliminated; the baseline measures (BMP6, MDAT-GoG registration, PMSC VPD for offshore operations) remain operational requirements for the area.

Strait of Malacca. The world’s busiest shipping lane passes through the Strait of Malacca between Indonesia and Malaysia, and the Singapore Strait. The predominant threat is armed robbery from small craft targeting vessels at anchor or transiting at low speed, primarily for cargo theft and opportunistic robbery of crew. Hijacking for extended periods is uncommon. ReCAAP (Regional Cooperation Agreement on Combating Piracy and Armed Robbery in Asia) provides incident reporting and cooperative response in the region.

Somali Basin and Indian Ocean. Somali piracy peaked in 2011 with 237 incidents, 28 vessels hijacked, and over 1,000 crew held hostage simultaneously. EU NAVFOR Operation Atalanta, Combined Maritime Forces, and UKMTO counter-piracy coordination, combined with BMP adoption and PMSC VPD deployment, reduced Somali piracy to near-zero levels by 2016. A residual threat remains, but the operational framework – UKMTO registration, BMP compliance, PMSC VPD for transits at higher risk – has been demonstrated to work.

Best Management Practices: BMP6

BMP6 (2023) is the commercial shipping industry’s self-protection guidance for the designated High Risk Areas. Key operational requirements:

Registration with UKMTO before entering the High Risk Area. UKMTO maintains a vessel tracking database and provides incident alerts. Vessels not registered to UKMTO are invisible to the naval support network.
Vessel hardening. Razor wire at vulnerable access points, removal of external ladders and equipment that assist boarding, hoses and fire monitors directed outward to discourage boat approach.
Enhanced watchkeeping. Additional bridge watches during HRA transit, specific instructions on radar watch for small fast craft, and night observation devices where available.
Citadel preparation. Citadel construction, stocking, and communication readiness checked before HRA entry.
Speed and daylight. Maximum speed transits where possible; where speed is limited, preference for daylight hours for the highest-risk segments.

BMP6 applies to all vessel types but includes adapted guidance for slower vessels, vessels operating at anchor, and non-commercial vessels. The guidance is updated periodically and is available free from BIMCO, ICS, and the UKMTO website.

Private Maritime Security Companies

PMSC vessel protection detachments have been the most effective single measure in reducing both Somali piracy and Gulf of Guinea kidnapping. There are no confirmed incidents of successful piracy of a vessel with a PMSC VPD embarked (ICC IMB, 2024). The deterrent effect is substantial.

Engagement of a PMSC requires:

GUARDCON contract (BIMCO standard form) specifying the scope of engagement, liability allocation, weapons carriage, and escalation of force policy.
ISO 28007 certification by the PMSC – the international quality standard for maritime security companies covering management systems, personnel vetting, training standards, and use-of-force policies.
Flag state compliance – the vessel’s flag state must permit the carriage of armed personnel. Some flags have simple notification procedures; others require specific approval.
Port state compliance – weapons must be either secured in a locked weapons locker during port calls in jurisdictions that do not permit armed guards ashore, or transferred to a floating armoury (purpose-built vessels holding weapons between deployments). Both procedures are documented in GUARDCON.

Leading PMSC providers active in commercial maritime include Ambrey Risk, Typhon Offshore, and Signal Ocean. Assessment of providers should include ISO 28007 status, operational track record, and references from operators in the specific geographic area.

Offshore Platform and Rig Security

Offshore oil and gas operations in the Gulf of Guinea, Caspian, and other high-risk producing regions require a combined approach to maritime and site security.

The crew transfer phase – movement between a platform supply vessel and the rig – is the highest-risk point for personnel security. Night-time transfers in unfamiliar locations without security oversight have been exploited in documented incidents. Security protocols for crew transfer include: daylight-only transfers where operationally possible, security personnel oversight of transfer operations, and manifest verification of all persons boarding.

Platform access control must be treated with the same rigour as any other high-security site: biometric or card-based access, manifest-matched entry, contractor screening, and an anomaly reporting protocol. Offshore platforms present a valuable target for industrial espionage (competitive intelligence on production data) and for kidnapping (the confined nature of a platform means that a successful boarding results in 100% of personnel being at risk).

For the oil and gas sector security framework that encompasses both onshore and offshore operations, see our oil and gas energy sector security guide. For superyacht owners and operators planning cruising routes through high-risk maritime areas, see our security guide for luxury yachts and superyachts.

Sources: IMB (International Maritime Bureau): Piracy and Armed Robbery Report 2024. BIMCO/ICS/INTERCARGO/INTERTANKO: Best Management Practices 6 (BMP6) 2023. UKMTO: Vessel Registration and HRA Transit Guidance 2024. IMO: MSC.1/Circ.1443 (PMSC Interim Guidance) 2012. ISO 28007:2015 (Ships and Marine Technology – PMSC). BIMCO GUARDCON 2022 (Standard Form Contract for the Engagement of PMSCs). ICC IMB Annual Report 2024. ReCAAP ISC: Piracy and Armed Robbery Report 2024. MDAT-GoG: Gulf of Guinea Incident Report 2023. EU NAVFOR Operation Atalanta: Annual Report 2023. Control Risks: Maritime Security Threat Assessment 2024.

Summary

Key takeaways

The Red Sea crisis has reshaped global shipping threat assessment

Houthi anti-ship missile and drone attacks on commercial vessels from November 2023 reshaped the global maritime threat picture. Over 100 attacks in 18 months, multiple vessels seized or damaged, and the effective diversion of a significant proportion of global container shipping away from the Suez Canal route demonstrated that state-sponsored maritime threat is a live commercial risk, not a theoretical scenario. War risk premiums in the Red Sea increased 400-600% in the six months following the first attacks.

Gulf of Guinea kidnapping has declined but not ended

Nigerian Navy offshore patrols and the deployment of private vessel protection detachments (VPDs) contributed to a reduction in Gulf of Guinea offshore kidnapping from a peak of 130+ crew kidnapped annually (2018-2020) to approximately 20-30 in 2023. The threat has not ended; the frequency has reduced. Vessels transiting or operating in the Gulf of Guinea without current BMP6 measures and without reporting to MDAT-GoG are operating outside the risk mitigation baseline.

ISO 28007 is the quality benchmark for PMSC selection

The ISO 28007 standard for private maritime security companies specifies requirements for management systems, personnel vetting, training, use-of-force policy, and operational procedures. Selecting a PMSC that holds ISO 28007 certification provides assurance on both quality and legal compliance. GUARDCON (BIMCO) provides the standard contract framework for PMSC engagement and governs liability, weapons carriage, and port state notification.

Crew welfare and mental health are operational security issues

Crew exposed to piracy incidents, near-miss attacks, or prolonged high-threat transits are at elevated risk of PTSD and operational stress reactions. ITF (International Transport Workers' Federation) and nautical welfare organisations document the psychological impact of piracy incidents on crew who receive no post-incident support. Crew who are mentally and physically fit perform better in crisis situations and are less likely to make the errors of judgement -- failure to maintain watch, fatigue-related navigation errors -- that reduce vessel security.

Superyacht and private vessel owners need separate risk assessment

Commercial shipping security is designed for professional crew on vessels whose operators have security management systems, P&I club cover, and industry guidance. Private superyacht owners and operators face the same geographic threats with less institutional support. Superyachts transiting or cruising in high-risk areas need a specific security risk assessment, PMSC arrangement or professional security crew, and a close protection team for the owner and guests during port calls in P1 city environments.

FAQ

Frequently Asked Questions

Best Management Practices 6 (BMP6) is the industry guidance document published by BIMCO, ICS, INTERCARGO, INTERTANKO, and other shipping associations for self-protection against piracy and armed robbery at sea. BMP6 (published 2023, replacing BMP5 of 2018) covers the Indian Ocean High Risk Area and the Gulf of Guinea. It is not a regulatory requirement – compliance is voluntary – but it is de facto standard practice and is referenced in P&I club insurance conditions and charter party clauses for transits through designated areas. Key BMP6 measures include: razor wire and citadel construction, enhanced watchkeeping, reporting to UKMTO (United Kingdom Maritime Trade Operations) before transiting the HRA, use of a Ship Security Alert System, and the vessel hardening checklist. Vessels under 500 GT and non-commercial vessels are included in the guidance but with adapted measures.

The Gulf of Guinea remains the global epicentre of maritime kidnap-for-ransom, though the frequency of offshore attacks has declined since 2020 following Nigerian Navy operations and deployment of private vessel protection detachments. IMB (International Maritime Bureau) data for 2023 records 57 incidents globally, of which 21 were in the Gulf of Guinea. The Red Sea became the dominant acute threat from late 2023: Houthi forces in Yemen launched over 100 attacks on commercial vessels between November 2023 and March 2025, using anti-ship ballistic missiles, cruise missiles, and drone strikes. Multiple vessels were seized or damaged; the Marshall Islands-flagged Galaxy Leader was seized in November 2023 with 25 crew detained. The Strait of Malacca and Singapore Strait remain the world’s busiest shipping lane and a persistent armed robbery risk, particularly for vessels at anchor. The Black Sea presented elevated mine threat following the Russia-Ukraine conflict. The Gulf of Aden and Somali Basin have seen reduced activity since the peak of Somali piracy 2008-2012 but are not incident-free.

Private Maritime Security Companies providing armed vessel protection detachments (VPDs) are legal in international waters and in the territorial waters of most flag states and coastal states that have enacted enabling legislation. Regulation varies significantly by flag state and coastal state. The IMO Interim Guidance (MSC.1/Circ.1443, 2012) and the ISO 28007 standard for PMSCs provide the international framework. Flag state permission is required: some flags (Panama, Marshall Islands, Liberia, Bahamas) have facilitative frameworks; others have more complex requirements. Port state law applies when vessels enter territorial waters: Sri Lanka, India, and Egypt all have different requirements for the embarkation and disembarkation of armed guards and the carriage of weapons. PMSCs operating to ISO 28007 and SOLAS requirements use a GUARDCON contract (BIMCO standard form) for engagement. There are no confirmed incidents of crew or vessel casualties caused by PMSC personnel using excessive force in the 2008-2025 period.

A citadel is a hardened, lockable compartment within a vessel – typically the engine room – where crew can shelter during a piracy attack. A properly constructed citadel has: independent communications (satellite, not dependent on the ship’s compromised systems), independent power, water and food stores for at minimum 48 hours, first aid supplies, and no access from outside without heavy cutting equipment. The citadel protocol requires all crew to reach the citadel when an attack is imminent, to lock down, and to communicate with UKMTO and naval forces while the attackers control the topside of the vessel. The effectiveness of the citadel protocol has been demonstrated in multiple incidents: a vessel whose crew successfully citadels creates a negotiating impasse for attackers – there is no crew to use as hostages and naval forces have time to respond. BMP6 specifies citadel construction and protocol requirements.

Offshore platform and rig security combines maritime security with site security principles. Key requirements include: a security risk assessment for the operating area (the Gulf of Guinea, West Africa, and the Caspian all present distinct profiles), personnel screening and access control for all persons aboard including contractors, anti-drone capability where UAV threat assessment warrants it (Gulf of Mexico rigs have reported drone surveillance), and a vessel and personnel protection protocol for crew transfer operations. The crew transfer phase – between a platform supply vessel and the rig – is the most vulnerable period from a personnel security standpoint. Crew transfer at night in unfamiliar locations without security oversight creates a targeting opportunity. Offshore security providers including Typhon Offshore, Ambrey Risk, and Signal Ocean provide combined maritime and platform security services for the oil and gas sector. For upstream operations in West Africa specifically, both MDAT-GoG (Maritime Domain Awareness for Trade – Gulf of Guinea) and Control Risks provide real-time piracy threat intelligence.

Get in Touch

Request a Consultation

Describe your security requirements below. All enquiries are confidential and handled by licensed consultants.