On January 11, approximately 11,000 flights were delayed and more than 1,300 flights were cancelled when the pilot alert system of the Federal Aviation Administration (FAA) failed.1 This outage was the first time since September 11, 2001, that the FAA issued a nationwide ground stop in the U.S.2 According to the FAA’s statement on January 19, the Notice to Air Missions (NOTAM) system failure was caused when contract personnel unintentionally deleted files while working to correct synchronization between the live primary database and a backup database.3 NOTAM provides pilots with information about hazards, changes to airport facilities and information that can affect flights. The FAA further stated that they found no evidence of a cyber-attack or any malicious intent by the contractor in question and that necessary repairs were made to make NOTAM more resilient.
The pause on flights across the country highlighted what certain aviation experts say are glaring weaknesses at the under-funded and under-staffed FAA, long considered the world’s premier aviation regulator. Updating certain systems and processes, initially put in place decades ago, proved challenging for the FAA and highlights their struggle to keep up with technological advancements.4 The FAA outage comes on the heels of the operational meltdown at Southwest Airlines at the end of 2022,5 and underscores the fragility of the nation’s aviation system, as there have been sharp increases in the number of flights and passengers since COVID concerns have subsided.
It is also worth mentioning the 2016 Southwest system outage due to a router breakdown, which caused over 2,000 flights to be cancelled and resulted in $82 million in overall losses, comprised of $25 million in missed bookings, cancelled flights, refunded tickets and vouchers and $57 million in worker overtime, and stranded traveler and crew expenses.6
While it is possible that the FAA outage would be considered a dependent or outsource provider system failure under some cyber policies and, assuming the coverage is available, trigger business or network interruption coverage, it is by no means certain. There could be numerous roadblocks to coverage for this scenario or others like it.
When evaluating coverage under your cyber policy for dependent business system failure coverage, it is important to be cognizant of the following:
Identifying, understanding and managing cyber related vulnerabilities should be part of the operational resilience strategy of every aviation organization. Preparing in advance is one of the best ways to reduce the cost of dealing with a major cyber incident similar to those described above. All insurers now are insisting businesses meet specific cyber security criteria to be eligible to purchase cyber insurance. Talk to WTW about how we can assist you in tailoring your cyber risk management solution and coverage to suit your risk profile and business needs.
1 FAA system outage disrupts US
3 FAA system outage caused by a "damaged database file"
4 F.A.A. Outage Highlights Fragility of the Aviation System
5 Southwest Airlines C.E.O. Bob Jordan addresses weaknesses in its operations
6 $82m Southwest Airlines System Failure
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).