By Jamie Monck-Mason
Despite high profile cyber incidents in recent years, many airlines continue to hide their heads in the sand. Understandably, risk and insurance budgets prioritize safety. Nevertheless, cyber risks pose a huge threat to bottom lines. Airlines continue to invest heavily in technology, but the attendant risks are rarely addressed adequately.
SITA’s 2018 Air Transport IT Insights survey noted that 71% of airlines planned major investment in biometric technology to automate passenger ID management. Though passengers will reap the benefits through streamlined check-in and boarding, those benefits bring cyber exposures. Personal data may be the “new oil,” but it may also be “the new asbestos.”
The 2018 Cathay Pacific and British Airways data breaches highlighted the share price impact and regulatory exposures accompanying such incidents. Airlines aren’t alone in collecting and leveraging large amounts of personal data, but the international nature of their customer-base and the extraterritorial reach of data protection legislation such as the European Union’s General Data Protection Regulation (GDPR), mean that, no matter where it is based, an airline is exposed to the regulatory regimes of numerous countries worldwide. In Cathay’s case, it was 27 regulators in 15 jurisdictions.
Thought needs to be given not only to headline-grabbing fines and class action privacy claims (even in the absence of financial loss or, in some cases, distress) but also to the need for effective incident response mitigating reputational and financial damage.
IT outages are of equal concern, as we saw with the Southwest, Delta, and British Airways system failures of 2016–17 that resulted in thousands of flight cancellations. Quite apart from tens of millions of dollars’ lost income and passenger compensation claims, such outages now bring another threat: cyber security legislation exposure.
Europe’s Directive on the Security of Network and Information Systems (NIS Directive) can lead to GDPR-like fines for failing to maintain adequate cyber security and thereby prevent disruption to flights. Though the NIS Directive is not extraterritorial in scope, countries such as Singapore are following Europe’s lead. And whereas compliance with data protection legislation is relatively measurable, airlines are still finding their way in navigating the new breed of cyber security legislation.
Increasingly, individual board members are feeling the heat. Cathay Pacific’s chairman conceded that their breach was “the most serious [crisis] the airline has faced,” as shares slid to a nine-year low. Shareholders hold boards accountable for failing to protect against cyber incidents, and global regulation increasingly targets individual decision makers. Neglecting to take data protection responsibilities seriously in the United Kingdom can lead to the prosecution of individual directors. In Singapore, managers who fail to audit compliance with the Cybersecurity Act can face a fine or imprisonment.
This might be less concerning if airlines weren’t so interconnected with other organizations in the aviation value chain. According to the 2015 SANS Institute Study, an estimated 80% of cyber incidents originate in the supply chain, whether it is GDS providers, ground handlers or IT contractors.
Increased investment in cyber security and training—66% of cyber incidents are caused or contributed to by employee acts or omissions—can improve an airline’s own cyber resilience. However, risk transfer is arguably the only effective means of protecting against third-party vulnerabilities, especially in safety and time-critical systems.