Client alert: Recent airport denial-of-service attacks

What happened

Several major U.S. airports were recently targeted by pro-Russian hackers identifying themselves as Killnet in a distributed denial-of service (“DDoS”) campaign. The hackers warned of the attack on their Telegram channel on the evening of Sunday, October 9, 2022, and carried out their threats the following day – a busy Monday morning travel day. Killnet flooded the target airports with junk data which overwhelmed the target servers, rendering the external-facing websites of the airports inaccessible. A DDoS attack happens when a massive number of machines are directed to bombard the target with traffic. This attack is an example of a typical DDoS attack, which happens when a network or system becomes overwhelmed, and it cannot respond to service requests.

The impact

While the websites were inaccessible for several hours on Monday, the majority were back online later that day. The TSA has confirmed that the attacks, “did not disrupt airport operations or access to information."¹ Because there was no actual intrusion into any of the subject airports’ critical internal networks or systems, the attack’s impact was relatively minor in comparison to a ransomware attack or other malicious intrusion.

However, this event has further strengthened the government’s desire to impose additional cybersecurity requirements on airport and airline operators. In response to the cyber attack, the TSA signaled that in addition to recently issued regulations requiring airports and airlines to, “designate a cybersecurity coordinator and report cybersecurity incidents, conduct a cybersecurity assessment, and develop remediation measures and incident response plans,” it would, "soon issue additional performance-based cybersecurity requirements for critical aviation systems."² Meanwhile, the FAA has also placed conditions on carriers and airports requiring enhanced cybersecurity measures as a condition to receiving grants and construction funding, and is likely going to promulgate additional regulations intended to protect the networks and systems required to safely operate aircraft.³

Insurance implications and considerations

Most cyber policies provide coverage to address DDoS attacks, similar to the one described above. DDoS attacks are generally considered network security incidents, or as some policies define them—security breaches or failures. Most cyber policies provide for the recovery of response costs and/or business interruption damages stemming from the DDoS attack and any third party liability claims that may arise from the incident. The language of most policies provide coverage for DDoS attacks on a computer system or network of the insured, as well as “computer system” servers hosted by third parties under a written contract with an insured, or networks connected through “cloud computing” and the internet.

If an insured believes that they may incur response costs or business interruption damages or that a claim could result from the incident, it would be wise to notify their carrier to meet the reporting requirements of most policies. In the most recent attacks, the reality is that because the websites were only inaccessible for a short period and were relatively easily restored, damages may not exceed many insureds’ retentions, especially if internal resources were able to resolve the issue without the need for costly outside vendors.

What you should do

If you were impacted by these attacks, or find yourself facing a similar attack in the future, we recommend the following steps be taken:

1. Review your policy along with your broker and pay special attention to the definitions of a security breach or failure and whether DDoS attacks are specifically included. Review your policy’s definition of computer systems as well to determine the likelihood that a DDoS attack on an external-facing website will be covered.
2. If you require the engagement of outside resources to counter such an attack, and anticipate incurring costs, it is wise to notify your carrier and seek consent to engage such vendors, as this is a requirement of most policies. You may be required to use panel approved vendors under your policy.
3. Review any hosting agreement you have for your website, and determine if you may have any rights of subrogation in the event of a DDoS attack that exploits any vulnerabilities of that third-party’s hosting service.
4. If you suffer business income loss, possibly due to your dependence on external facing websites to sell tickets, be sure to track lost revenue during the period in which your website is disabled. This will allow you to present a claim for those damages under any business interruption coverage triggered by the DDoS attack.
5. Periodically review your own cybersecurity response plan and ensure that you are compliant with all current TSA, FAA or other government regulations specific to the airline or other industry relevant to your company’s business.

Why WTW

As a global leader in human capital solutions, risk advisory and broking services, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions and radically improve your ability to successfully recover from future attacks.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Footnotes

¹ US to add cybersecurity requirements for critical aviation systems

² Id.

³ Id.