As strong as the weakest link
What we do not always discuss is the inevitability of IT failures or attacks in such an interdependent environment. Our experience in multiple business sectors is that networks are only as strong as the weakest link. Interestingly, this may translate to the more established and traditional airline carriers being more vulnerable. There is an inevitability of a struggling airline having little or nothing to spend on updating IT systems when their precious dollar spend must be used for air safety. When an airline is then purchased, the new owner or partner is more likely to try to adopt the legacy system rather than fully integrate and update. Newer airlines without this legacy have a better chance of keeping control of their IT systems and could be a more attractive insurance option.
If insurers and reinsurers want to support this sector with all its challenges, they need a good understanding of the risks involved in this complex and interdependent industry. Airlines are reliant upon global distribution systems which allow automated transactions between travel service providers, typically linking airlines, hotels and car rental companies. Added to this is the process as we take a journey through the airport – from check-in to baggage control, security checks, passport and customs control, catering, fuelling, air traffic control and in-flight entertainment. As a travelling public, our expectation is for all of these to operate seamlessly from departure to destination. Quite a tall order indeed for an industry which is under constant pressure to keep safety standards up and costs down.
Stricter data protection and high fines
Recent incidents have shown that the costs of losses resulting from IT system failures can soon escalate. In 2016, two US airlines experienced system failures that led to major disruption to the booking programmes and even flight cancellations. Although these events may not have been hacking or malware issues, they nevertheless provided us with an insight into the level of disruption and costs relating to IT failures. They led to questions from Congress and a statement to the effect: “As operators in this critical transportation industry, it is your responsibility to ensure that your IT systems are both reliable and resilient.” This is in an environment of consolidation, which has meant that just four operators now control 85% of US domestic capacity.
The costs of the failures to these two airlines are a matter of some speculation, but publicly expressed views indicate figures of between US$ 80m and 150m each. In May of 2017, over a busy public holiday weekend, the computer systems of the British flag-carrier airline failed, apparently due to human error, leaving some 75,000 passengers stranded. The parent company suggested that the cost of the incident was £80m – and that does not account for the reputational damage which has followed.
What are the takeaways from these incidents?
Naturally, prevention and a good regime of cyber resilience and IT “hygiene” are crucial. If problems arise despite these defences, then excellent claims management is required.
For airlines this means:
- Fast, effective and well-practised resolution is key.
- Communication failures are an unnecessary expense to the business.
- Poor passenger experiences soon trend on social media and can be damaging, both reputationally and financially.
- Transparency and ownership of the problem make a real difference to the public reaction.
For its part, the insurance industry has to ensure that the claim-preparation and settlement process is simpler, more effective and easier to quantify.
- Coverage and how it will work in practice need to be fully understood.
- Established contact partners make communication easier.
- It is important to explore ways in which differences in expectations can be kept to a minimum.
- Pre-agreed forensic accountants can produce a trusted outcome for both parties.
- Some insurance products offer fixed minimum amounts per passenger flight cancelled.
Insurers know that when an insured has had to spend huge amounts of time and effort to quantify a loss, queries and reductions can strain the relationship. Misunderstandings are not just financially expensive. Naturally, anything we can do to speed up the process and achieve better understanding is in the best interests of all parties.