With its high dependency on technology, the aviation industry faces a broader spread of cyber exposures than most other sectors. From business interruption and privacy liabilities, to fears over the potential threat to airline safety, cyber risk cuts across almost all parts of the airline industry.
Privacy and security
The majority of our aviation clients have shown most interest in protecting the data and liability elements of cyber risk, primarily around personal identifiable consumer data.
Last year, hackers released confidential data on 400,000 members of Vietnam Airlines’ frequent fliers club. This followed a 2015 cyber attack that saw British Airways Executive Club accounts compromised and the 2014 attack against Japan Airlines, where hackers stole the details of up to 750,000 customers.
Our analysis shows that the number of reported aviation breach incidents doubled between 2008-2011 and 2012-2015. On average 78,000 records were compromised per airline breach. The majority (58%) of airline data breach incidents were the result of hacking, while 14% were due to lost or stolen laptops.
Airlines appear to have relatively effective controls in place to prevent data breaches, at least when compared to other sectors. And experience has shown that insurable losses for large data breaches are below USD 400 million, in-line with available cyber insurance capacity of USD 300 million to USD 500 million.
But data breach exposures are likely to rise with the introduction of tougher data protection laws.
In Europe, the General Data Protection Regulation (GDPR) will introduce mandatory breach notification requirements and increased penalties when the new rules come into force in May 2018. Aviation companies headquartered outside the EU will be subject to the GDPR if they collect data on EU citizens.
However, airline executives are also now confronting a new set of cyber risks. For example, major technological advances in the industry, such as tablet-based electronic flight bags (EFB) and the installation of the in-flight entertainment and Wi-Fi connectivity systems (IFEC), have provided an enlarged environment for threat actors to operate within.
Last year, security researchers showed that IFEC’s used by major airlines are vulnerable to hacking, which could enable attackers to alter flight information displays. In 2014, a security researcher revealed he had repeatedly hacked aircraft in-flight entertainment systems, on one occasion briefly taking control of the airliner’s engines.
The International Civil Aviation Organization (ICAO) has acknowledged that on-board and ground-based aviation systems are potentially vulnerable to outside cyber-attacks. And in April, the organisation committed to developing a global cyber security framework for the aviation industry and working towards achieving effective cyber resilience for the industry.
As reliance on technology has grown, the airline industry has also been plagued by a series of system outages, which caused major disruption to services and reputational damage.
On Saturday 27th May a major IT failure brought down the networks of British Airways, affecting its major London hubs of Heathrow and Gatwick. To date detailed information has been scant.
Alex Cruz BA’s Chairman and Chief Executive went on record saying that a power surge “had a catastrophic effect over some communication hardware which eventually affected the messaging across our systems.” However numerous data centre designers have come forth suggesting that it is unlikely that a power surge would be able to bring down a data centre, let alone a data centre and its back up. Data centres are built with surge protection technology designed to specifically protect against exactly this incident. They also have an uninterruptible power supply, a UPS, which is in place to condition the power – i.e. smooth out the peaks and flows in current. What can be confirmed is that 1,000 flights were cancelled and 75,000 passengers were affected by the disruption. Analysts forecast that the episode will cost the airline over GBP 100 million.
In July 2016 a faulty router at the Southwest Airlines caused a major system outage, while Delta and United Airlines both suffered disruption in January 2017 after they experienced IT problems. Initial losses for the Southwest loss are between USD 60 million and USD 100 million after 2,300 flights were cancelled over five days.
Many of these key cyber risks can be effectively covered by insurance. For example, we recently launched a dedicated cyber insurance policy for the airline industry.
Data and Reliance on Technology (DART) protection for airlines provides cover for the operational impact of a cyber incident impacting an airline, such as an unplanned outage or a security breach. The policy also covers security and privacy liability, data restoration and breach response costs, as well as covering liabilities associated with the GDPR.
The airline industry appreciates that IT fundamentally underpins the success of organisations, and that vulnerable legacy systems are exposed to both malicious and non-malicious cyber incidents.
As a result, more and more airlines are protecting their balance sheets through cyber insurance. Approximately half of our airline clients are discussing insurance with 40% currently buying.
Aviation insurance has long been a core specialism of JLT, and our cyber team has placed policies for a number of the world’s largest airlines and service providers.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org