Dive into cyber spotlights on notable incidents, latest threats, current trends, and tailored solutions for the aviation industry.
This spotlight delivers an overview of the latest cyber risks impacting the sector generally, including recent incidents and emerging threat vectors. We also highlight our specialised insurance solution designed to address the unique cyber vulnerabilities faced by passenger airlines in particular. Read more from our insights to help enhance your organisation’s cyber risk management approach.
The increased frequency of these incidents reflects the heightened cyber risk landscape in the aviation sector. Understanding the scope and ramifications of such incidents will inform your organisation’s ability to effectively develop risk management and transfer strategies.
On July 19, cyber security company CrowdStrike released a flawed software update to Falcon Sensor, their vulnerability scanner that detects system intrusions and hacking attempts. The update disrupted 8.5 million computers worldwide that used the Windows operating system. Whereas many airlines globally use a “point to point” operating model which mitigated the knock-on effects of the outage, several major US airlines were particularly susceptible because of the “hub and spoke” method favoured by them, funnelling passengers into hubs where they can connect to ongoing flights to their ultimate destination; an operating model that relies on a finely tuned, integrated system to ensure the connections can be made. One airline is said to have cancelled more than 5,000 flights between July 19 and 25, at a cost of about USD500m.
On 26 August, passengers in Seattle were asked to complete as much of the pre-flight process as possible at home after a cyber-attack left the airport without internet and web systems.
The following examples show some of the larger aviation cyber claims handled by WTW’s claims team:
Our airline client was the victim of a ransomware attack and could not access their systems or emails. They were able to continue to operate reduced flights on manual processes for a short time. The airline’s backups had also been encrypted and not usable/viable. Such was the impact of the attack that the client decided to pay the ransom. The insured losses included business interruption costs, and lost clients as a direct result of the incident and wider reputational damage incurred. Various costs included system restoration, quantum hosting, overtime, hiring other staff and flight support.
Total event cost: $2.5m
Ransomware attack on a supplier that supplied the insured’s jets meant the supplier halted all operations to contain the attack. The supplier paid the ransom demanded, and systems restored.
Total event cost: $4m
The client airline’s software vendor suffered a system failure which severely impacted the insured’s operations for several weeks leading to flight delays, cancellations, and monetary losses. Investigation found the cause was a storage device that was affected. Insured filed proof of loss for loss of income, forensic and other expenses sustained during the restoration and business interruption period.
Total event cost: $4.5m
Our client became aware of a hack within the payment / billing system of their website and app. They closed the payment system when they became aware of the hack, but it transpired the hackers had been within the system for several weeks. The hack affected thousands of customers, both in terms of financial data and non-financial data (addresses, names, email addresses). The hackers allegedly gained access to the client’s system by inputting malicious code into a third-party’s Java script library. A class action was filed as a result of the breach of customer data. The UK regulator fined the insured stating the data was compromised due to poor system security. Notification, forensic and investigation, legal and defence, and cyber security expert costs were incurred.
Total event cost: $38m.
Source: WTW proprietary claims data
Loyalty programs are increasingly being targeted by cyber criminals. The number of compromised accounts rose from 5.348 (representing 4.303.498 miles) in 2022, where approximately 36% of the compromised accounts did not contain miles, to 18.670 (representing 11.367.190 miles) in 2023, where 29% of the compromised accounts did not contain miles. It is estimated that the value of frequent flyer miles outstanding (i.e., miles that have been issued but not yet redeemed) could be worth around US$200 billion (all airlines, worldwide). Frequent flyer programs represent highly profitable assets which can be monetised quickly on the dark web.
Read more hereCyber regulation in the aviation industry: The NIS 2 Directive must be implemented by European Union (EU) member states by 17 October 2024. The Directive aims to achieve a common level of cybersecurity across the EU, imposing stricter cyber-security requirements with regard to risk management, incident reporting and the exchange of information. It comes in response to the escalating threats brought on by digital transformation and the rise in cyber-attacks, and replaces the Network and Information Security (NIS) Directive of 2016, which will be repealed with effect from 18 October 2024.
Like the 2016 Directive, the new directive will inevitably be mirrored by the EU’s closest trading partners including the UK and those members of the European Economic Area (EEA) who are not already members of the EU (eg Norway). It bears other similarities to the 2016 Directive, laying down obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs). Essential sectors – including air transportation and space - will be covered by the Directive.
In order to achieve greater harmonisation than was the case with the 2016 Directive, NIS 2 sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each Member State. It formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents and crises at the operational level and ensure the regular exchange of relevant information.
Read more hereA broker’s perspective:
The cyber insurance market has consistently had unfavourable appetite towards risks within the aviation industry due to:
01
The high dependency on critical technology, presenting a high system failure outage exposure.
02
Classing both airlines and airports as national infrastructure and as such, perceived as highly exposed targets for cyber-attacks
03
Industry-unique systemic exposure via the utilisation of common vendors within the supply chain (Amadeus, for example).
04
A high volume of passenger information, creating a significant data privacy exposure.
Recently however, insurers have shown a growing interest in aviation risks, offering greater flexibility and commerciality when considering cyber quotations. Whilst this is partially due to improved market conditions, with more active cyber insurers entering the market (both newer entrants and more established markets broadening their appetite), we have also seen a trend for improvements in the level of investment and maturity in cyber security standards across the aviation industry.
Throughout 2024, we have continuously seen enhanced buying conditions for all industries in the cyber insurance market, however most notably for the aviation sector we have seen a welcomed increase in appetite and capacity from cyber insurers, which has historically been dominated by our CyFly partner, AIG. This has created a competitive environment for airlines and airports purchasing cyber insurance, where premium reductions, increased capacity, lower self-insured retentions and coverage enhancements have been obtained.
We expect market conditions to stabilise for Q4 2024 and into 2025, with insurers’ interest in aviation risks to continue to increase. There is a possibility that they reassess their appetite for coverages such as system failure following the CrowdStrike event in July 2024.
