Cyber threats in aviation

Although malicious hacking of critical flight systems is indeed possible, in reality perhaps the more likely scenario is that of less alarming but financially damaging events causing disruption to our travel schedules and losses to the airlines that carry us. The past year or more has seen a number of airlines whose grounding of aircraft has been attributed to a variety of IT failures. Whatever the actual cause, the impact to the travelling public is invariably the same: cancellations and delays often lasting for days, business meetings called off or rescheduled, precious holiday time lost in airport departure lounges.

What we do not always discuss is the inevitability of IT failures or attacks in such an interdependent environment. Our experience in multiple business sectors is that networks are only as strong as the weakest link. Interestingly, this may translate to the more established and traditional airline carriers being more vulnerable. There is an inevitability of a struggling airline having little or nothing to spend on updating IT systems when their precious dollar spend must be used for air safety. When an airline is then purchased, the new owner or partner is more likely to try to adopt the legacy system rather than fully integrate and update. Newer airlines without this legacy have a better chance of keeping control of their IT systems and could be a more attractive insurance option.

If insurers and reinsurers want to support this sector with all its challenges, they need a good understanding of the risks involved in this complex and interdependent industry. Airlines are reliant upon global distribution systems which allow automated transactions between travel service providers, typically linking airlines, hotels and car rental companies. Added to this is the process as we take a journey through the airport – from check-in to baggage control, security checks, passport and customs control, catering, fuelling, air traffic control and in-flight entertainment. As a travelling public, our expectation is for all of these to operate seamlessly from departure to destination. Quite a tall order indeed for an industry which is under constant pressure to keep safety standards up and costs down.

Add to this the increase in regulation which came into force in May 2018: the 2018 European General Data Protection Regulation, anticipating a far stricter data protection environment with significant fines for non-compliance, and the “IATA resolution 753 baggage tracking” with a full chain of custody requirements. Customer information is exchanged with booking agencies and frequent flyer programmes. If data is breached, mandatory notice requirements are triggered, accompanied by a substantial risk of fines and penalties. Many airlines also outsource a number of their IT functions to TP providers, thus complicating the chain and potentially opening up weaker links.

Recent incidents have shown that the costs of losses resulting from IT system failures can soon escalate. In 2016, two US airlines experienced system failures that led to major disruption to the booking programmes and even flight cancellations. Although these events may not have been hacking or malware issues, they nevertheless provided us with an insight into the level of disruption and costs relating to IT failures. They led to questions from Congress and a statement to the effect: “As operators in this critical transportation industry, it is your responsibility to ensure that your IT systems are both reliable and resilient.” This is in an environment of consolidation, which has meant that just four operators now control 85% of US domestic capacity.
 
The costs of the failures to these two airlines are a matter of some speculation, but publicly expressed views indicate figures of between US$ 80m and 150m each. In May of 2017, over a busy public holiday weekend, the computer systems of the British flag-carrier airline failed, apparently due to human error, leaving some 75,000 passengers stranded. The parent company suggested that the cost of the incident was £80m – and that does not account for the reputational damage which has followed.

Naturally, prevention and a good regime of cyber resilience and IT “hygiene” are crucial. If problems arise despite these defences, then excellent claims management is required. 

For airlines this means: 
 

• Fast, effective and well-practised resolution is key.
• Communication failures are an unnecessary expense to the business.
• Poor passenger experiences soon trend on social media and can be damaging, both reputationally and financially.
• Transparency and ownership of the problem make a real difference to the public reaction.

For its part, the insurance industry has to ensure that the claim-preparation and settlement process is simpler, more effective and easier to quantify.
 

• Coverage and how it will work in practice need to be fully understood.
• Established contact partners make communication easier.
• It is important to explore ways in which differences in expectations can be kept to a minimum.
• Pre-agreed forensic accountants can produce a trusted outcome for both parties.
• Some insurance products offer fixed minimum amounts per passenger flight cancelled.

Insurers know that when an insured has had to spend huge amounts of time and effort to quantify a loss, queries and reductions can strain the relationship. Misunderstandings are not just financially expensive. Naturally, anything we can do to speed up the process and achieve better understanding is in the best interests of all parties.