Printed from BusinessInsurance.com

Cyber risks crowd the friendly skies

Posted On: Jan. 8, 2018 12:00 AM CST

Cyber risks crowd the friendly skies

As airlines become more connected to the internet, insurance and risk management experts warn they are becoming more exposed to cyber risk.

Deborah Lee James, former secretary of the U.S. Air Force, warned that “at present, there is an absence of clear or strong foundations in aviation cyber security to adequately prepare for and counter emerging threats across aircraft, unmanned aircraft systems, air traffic management, airports and their supply chains,” according to a report released last month by the Washington-based Atlantic Council’s Brent Scowcroft Center on International Security, which provides security analysis.

Potential cyber risks come at a time when air travel is booming. In February, the International Air Transport Association said full-year global passenger traffic in 2016 jumped 6.3% over the previous year as 3.7 billion people took to the skies. The passenger list is expected to grow to 7.2 billion by 2035, the association said.

“Every bit of technology that every airline uses is under constant threat,” said Bob Parisi, New York-based cyber product leader for Marsh L.L.C. “Large companies are starting to view cyber risk as a strategic risk, as an enterprise risk, and it’s something they need to manage. It’s not something they can just simply buy a new piece of technology for. It’s part of their operational day-to-day thinking.”

Steven Anderson, Dallas-based vice president and product executive for privacy and network security with QBE North America, a unit of Australia’s QBE Insurance Group Ltd., said airlines are more exposed than other businesses “because they have so many target points, whether it’s procurement, maintenance, operations.”

Pilots now carry tablets rather than the old-time flight bags that carried charts, operational manuals and other items, Mr. Anderson said. “Makes sense, right? But that’s more exposure. They have to have access to a network, that’s another device that someone can break into. The commercial airlines now have in-flight entertainment systems, WiFi, so that anything from the movies that are being streamed to the wireless we have, that’s another access point that commercial airlines didn’t have to deal with 10 years ago. And now they’re having to deal with it,” he said.

Steve Bridges, Chicago-based senior vice president for the cyber and errors and omissions practice, with JLT Specialty USA, a subsidiary of Jardine Lloyd Thompson Group P.L.C., said commercial airlines face a twofold cyber threat.

“One is the data breach threat,” Mr. Bridges said. “Commercial airlines have lots of personally identifiable information, credit card numbers, etc., of their passengers. Like any retailer, they have that threat of a hacker getting into their systems, stealing that information, and all the costs and losses that would arise out of a data breach. And given the amount of data they have, that’s a big issue for them.” 

The other big risk is the attack that leads to a system outage such as denial of service, or ransomware, where airlines cannot operate for a period of time, Mr. Bridges said.

“They’ve got all sorts of lost-revenue issues,” he said. “They can’t fly their planes for a period of time, they lose the revenue during that period of time, they’ve got incredible amounts of extra expense, baggage fees, putting people up in hotels, moving planes — so their business interruption loss exposure is also really big.”

Airlines are also dependent on other organizations’ technology, such as global distribution systems for bookings, said Jamie Monck-Mason, London-based executive director of cyber and technology, media and telecommunications at Willis Towers Watson P.L.C. “If you’re an airline,” he said, “all of your bookings one way or another are going to come through a global distribution system, which is a software system. There are only a handful of companies that provide this system.” 

Mr. Monck-Mason stressed the importance of cyber security as a cultural issue with companies. “What is so important is making sure that people feel senior management is buying into that whole process so that it is part of the culture of the organization as a whole,” he said. “It’s something cyber insurers are increasingly aware of and increasingly interested in.”

In September, Geneva-based information technology company Société Internationale de Télécommunications Aéronautiques released its Air Transport IT Trends Insights 2017 report, which said that airlines around the world will spend a total of $24.3 billion, or 3.3% of their revenue, on IT in the current calendar year.

SITA said 95% of airlines and 96% of airports plan to invest in major programs or research and development on cyber security initiatives over the next three years.

“It’s a heightened awareness by the boards,” Mr. Anderson said. “It’s heightened awareness by CEOs, it’s heightened awareness by risk managers, and we’re seeing that in the submissions we get and the large commercial airlines that we look at.”