FAA outage underscores fragility of the aviation system

On January 11, approximately 11,000 flights were delayed and more than 1,300 flights were cancelled when the pilot alert system of the Federal Aviation Administration (FAA) failed.¹ This outage was the first time since September 11, 2001, that the FAA issued a nationwide ground stop in the U.S.² According to the FAA’s statement on January 19, the Notice to Air Missions (NOTAM) system failure was caused when contract personnel unintentionally deleted files while working to correct synchronization between the live primary database and a backup database.³ NOTAM provides pilots with information about hazards, changes to airport facilities and information that can affect flights. The FAA further stated that they found no evidence of a cyber-attack or any malicious intent by the contractor in question and that necessary repairs were made to make NOTAM more resilient.

The pause on flights across the country highlighted what certain aviation experts say are glaring weaknesses at the under-funded and under-staffed FAA, long considered the world’s premier aviation regulator. Updating certain systems and processes, initially put in place decades ago, proved challenging for the FAA and highlights their struggle to keep up with technological advancements.⁴ The FAA outage comes on the heels of the operational meltdown at Southwest Airlines at the end of 2022,⁵ and underscores the fragility of the nation’s aviation system, as there have been sharp increases in the number of flights and passengers since COVID concerns have subsided.

It is also worth mentioning the 2016 Southwest system outage due to a router breakdown, which caused over 2,000 flights to be cancelled and resulted in $82 million in overall losses, comprised of $25 million in missed bookings, cancelled flights, refunded tickets and vouchers and $57 million in worker overtime, and stranded traveler and crew expenses.⁶

Insurance implications

While it is possible that the FAA outage would be considered a dependent or outsource provider system failure under some cyber policies and, assuming the coverage is available, trigger business or network interruption coverage, it is by no means certain. There could be numerous roadblocks to coverage for this scenario or others like it.

When evaluating coverage under your cyber policy for dependent business system failure coverage, it is important to be cognizant of the following:

1. Is the entity that suffered the outage a dependent business or outsource provider under the policy? The most favorable dependent business definition is one which simply includes any entity the insured relies upon to conduct their business. The FAA would likely fall within this broad definition. It is best to be wary of dependent business or outsource provider definitions which carve out certain public utilities, which could include air-to-ground communication services. It is also worth paying close attention to the infrastructure exclusion that may be part of the policy.
2. Was the outage to the dependent business’ network due to a system failure, security failure or some other operational event and was there a causal link between such an incident and the dependent business being unable to provide services to the insured? A dependent system failure is generally defined as an unintentional and unplanned outage of the network or computer system of a dependent business or outsource provider. A dependent system security failure, on the other hand, is the failure or violation of the security of the dependent’s network or computer system, which could include unauthorized access, unauthorized use, a denial of service attack or the transmission of malicious code. While there could be coverage for dependent business system and security failures, it is unlikely that there would be coverage if the cause was an operational event, like the weather or understaffing. Further, it is important to note that the FAA’s system failure wasn’t what actually caused the impact to the airlines. It was the FAA’s issuance of a ground stop that was the cause. Many cyber policies also have governmental order exclusions which could be raised as well.
3. If the network outage was due to a dependent business system failure and it is determined that there is a causal link between the incident and the dependent business being unable to provide services to the insured, does your policy even provide this coverage and if it does, is the coverage sub-limited? It is far more likely that your policy provides dependent security failure coverage at full limits. Certain carriers have scaled back on offering dependent system failure coverage in recent years or made the coverage cost prohibitive for certain organizations.
4. What is the waiting period? In other words, how long does the dependent outage need to last for the dependent business interruption coverage to be triggered? Waiting periods for airlines have certainly ticked up recently and are often now between 18 and 24 hours. So, even if entity that suffered the outage was a dependent business under your policy, it is very possible that the outage was not long enough to satisfy the waiting period. It is also important to understand exactly when the calculation of business interruption loss, which generally includes business income loss and extra expenses, will begin if the waiting period is met. Will it be calculated starting after the period is met or retroactively back to immediately after the interruption of the dependent business’s network? It is also important to keep an eye on whether the calculation of loss will end when the dependent business’s network is physically back up or when the insured restores its business to the same or similar conditions that existed prior to the outage.

Conclusion

Identifying, understanding and managing cyber related vulnerabilities should be part of the operational resilience strategy of every aviation organization. Preparing in advance is one of the best ways to reduce the cost of dealing with a major cyber incident similar to those described above. All insurers now are insisting businesses meet specific cyber security criteria to be eligible to purchase cyber insurance. Talk to WTW about how we can assist you in tailoring your cyber risk management solution and coverage to suit your risk profile and business needs.

Footnotes

¹ FAA system outage disrupts US

² FAA NOTAM Statement

³ FAA system outage caused by a "damaged database file"

⁴ F.A.A. Outage Highlights Fragility of the Aviation System

⁵ Southwest Airlines C.E.O. Bob Jordan addresses weaknesses in its operations

⁶ $82m Southwest Airlines System Failure

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Author

---

Jason D. Krauss

FINEX NA Cyber Thought & Product Coverage Leader

email Email phone +1 212 915 8374

---