Airlines must ensure that ‘hull and liability insurance dovetails’ with cyber cover to ensure well rounded risk protection from cyber attacks, says broker

The airline industry has fast become an attractive target for cyber threats from malign sources, with possible incidents ranging from causing disruption and physical damage, to stealing data or money.

The rise of technology and digitisation in the aviation sector has, therefore, created challenges when it comes to managing cyber vulnerabilities.

Both in the air and on the ground, airlines are increasingly connected - including in-flight systems. This means that flight disruptions, for example, can be caused by system or network outages.

In addition, the data heavy and international nature of airlines means that cyber breaches often lead to complex cross-jurisdictional issues.

According to an article published by independent research firm KonBriefing in February 2023, there were 38 cyber attacks on the aviation industry in 2022 – 11 of these incidents occurred last October and 13 transpired in the US.

Meanwhile, a Eurocontrol report published in July 2021 – entitled Airlines under attack: Faced with a rising tide of cyber crime, is our industry resilient enough to cope? – found that the aviation sector typically faces a ransomware attack every week.

Furthermore, the report noted that 61% of all global cyber attacks in 2020 targeted airlines, with 95% of these incidents being financially motivated.

These cyber attacks caused financial losses in 55% of cases, the report continued, while the theft or leak of customers’ personal data occurred in 34% of incidents.

The maturing cyber insurance market is getting better at understanding the unique risks that apply to airlines - however, it is clear that the sector has some very specific challenges.

Glyn Thoms, head of GB financial, professional and executive risks, cyber and technology, media and telecoms at broker Willis Towers Watson (WTW), explained: “Cyber and technology risks are one of the key challenges facing the transportation industry.

“Airlines are perceived to be high risk by the cyber insurance market because of their reliance on critical IT service providers, such as global distribution systems (GDS) providers, and [because] the airline sector falls under the category of critical infrastructure, [this] makes [it] a greater target for attack.”

Thoms added that on-board systems, including guidance and navigation tools, are particular targets for cyber criminals.

As a consequence, the cyber security underlying the automation used on planes is of vital importance to ensure there is no risk to aircraft, passengers or other physical assets.

Thoms continued: “The growing connectedness within the airline sector means that aeroplanes are more exposed to opportunities for interference [affecting] their operating systems and in-flight systems.

“It is important for airlines to ensure the cyber coverage they purchase under their hull and liability insurance dovetails with the coverage within their cyber insurance policy to address these risks.”

Outage opportunities

System outages and flight grounding are two of the key exposures faced within the airline sector as a result of cyber events.

In February 2023, a computer failure at German airline Lufthansa stranded passengers and forced the cancellation of over 200 flights at Frankfurt, one of Europe’s largest airports. The airline blamed the incident on faulty railway engineering work that had damaged broadband cables.

In the US, meanwhile, around 1,300 flights were cancelled and more than 10,000 flights were delayed in January 2023 following the failure of a key government computer system.

These outages highlight the cyber risks that can arise from interconnectedness with third party systems and infrastructure, in addition to those that stem from cyber criminals and other malign actors.

Thoms said: “[While] there have been a number of highly publicised airline disruptions due to IT system issues, the frequency of these events is still low relative to the number of flights annually.

“It’s essential that airlines continue [to] focus on ensuring high availability and resiliency of their IT infrastructure, to reduce the frequency of events and limit the impact if they do occur.”

Personal data goldmine

A cyber attack on Scandinavian airline SAS in February 2023 paralysed the carrier’s website and leaked customer information from its app. SAS was forced to ask customers to refrain from using the app during the attack because there was a risk of user getting incorrect information from it that was supposedly from the airline.

This attack reinforces Eurocontrol’s findings, emphasising that airlines are data rich organisations that collect large volumes of data annually in the form of passenger records. Therefore, these businesses can be exposed to breaches of personal data, which can include credit card, passport or medical information.

Thoms said: “Airlines typically hold vast quantities of personal data, which could make them an attractive target for malicious actors looking to exploit organisations and profit from cyber extortion.

“In addition, as [airlines’] customer base is often worldwide, a data breach can lead to complex cross-jurisdictional issues due to the myriad of global data privacy regulations.”

Due to this noted increase in the frequency and sophistication of cyber attacks, Thoms added that it is vital that airlines work with underwriters and brokers to enhance their cyber security profile.

He continued: “While the airline sector is perceived as high risk, we have seen a positive shift in appetite within the cyber market in recent months - new cyber insurers have emerged, competition for capacity has increased and premiums have reached levels [that] insurers deem sustainable.

“Cyber insurance for airlines is able to provide financial protection for a number of the third and first party losses arising from a cyber incident.”

Making insurers comfortable

Despite improving cyber insurance conditions for the aviation sector, Thoms believes airlines should run an insurability check with their broker prior to entering the market.

This insurability check will highlight any red flags from a cyber insurer’s perspective - the airline can then make informed decisions regarding next steps.

For airlines specifically - more so than other sectors - there is more pressure to showcase best in class controls to make insurers comfortable with the risk landscape, Thoms noted.

He said: “There is no one-size-fits-all approach to a cyber insurance policy.

“[Airlines must] ensure to identify and quantify [their] exposures and explore the coverages available. [Their] policy can then be tailored accordingly.

“Traditional risk transfer is available to airlines with best in class IT controls. In fact, airlines with a sophisticated approach to IT security are seeing very positive results in the cyber insurance market at present.

“Ensure to consider all options - including insurer preference, programme design and captive utilisation - to secure an appropriate [insurance] programme.”