By Glyn Thoms – Executive Director, Cyber & TMT, Willis Towers Watson
Taking into account what has happened for a number of large, global airlines over the past six months to a year, it is clear that aviation risk is an issue that is front and centre for airline directors. Demonstrating preparedness in a volatile environment is an essential part of what is now a boardroom issue.
Interestingly, from our Transportation Risk Index (TRI), if you look down at some of the top risks across the transportation sector – and across the aviation sector, specifically – these all ring true in terms of the incidents that we’ve seen. The TRI analyses the severity of impact and ease of management of the top 50 risks facing the transportation industry by grouping them into five megatrends and examining their current impact on the sector and how this will change in the future. The increased threat from cyber and data privacy breaches, failure of critical IT systems and the complexity of increasing global data protection and cyber security regulation are all key risks, which we’ve seen come to the fore within the airline sector.
Defining the threat
Most people’s definition of cyber historically has centred around malicious attacks and malicious third parties who are intentionally trying to do bad things to your IT systems and data – that is, invoking the idea of a ‘breach’ rather than a ‘failure’. But looking at what has happened to British Airways in recent weeks and some of the larger American airlines last year, these are issues that come more from ‘system failure’ than from cyber attacks, whether that is a result of negligent acts, deliberate acts or just component failures.
These recent incidents have highlighted the fact that airlines, particularly consumer airlines, are complex logistics businesses. These ‘retailers with wings’ have exposure because they are effectively selling a product – that being getting someone from A to B – in the same way that you would sell a lot of other consumer goods. When things go wrong for these complex businesses there are huge ramifications. The actual outages and disruption that can occur can be relatively short, but the knock-on effects in terms of ongoing disruption, financial damage and reputational harm are very extensive: reports estimate that BA’s incident could cost as much as £150 million. From that incident, 12,000 flights with more than 75,000 passengers were cancelled over three days – these are big numbers.
Adapt your approach
A corollary of the historical focus of cyber risk management on the threat of malicious actors is that organisational spend has largely been on technology – trying to build the wall higher to prevent people getting in. But there are a lot of exposures that can come from areas within the business that can cause the same levels of disruption.
From an organisational context, this switches the way you approach cyber security and IT security: there needs to be a firm focus on incident response.
When incidents happen – whether as a result of hacking or system failure – time is critical. The cascade effect kicks in very quickly and it’s at that point that you start looking at your disaster recovery and incident response planning. Organisations in the aviation sector and beyond need to have those processes, policies and procedures around incident response to allow them to deal with these things quickly. A lot of companies have these processes in place, but the key issue is how regularly you test those systems. There is no point in having a plan unless you test it. When these things happen, you need to be confident that your plan is going to work.
Another shift in focus is occurring, moving away from technology protection that aims to stop incidents from happening, towards acceptance that incidents are now somewhat inevitable and looking at how the organisation is set up to respond. Response is largely what you are going to be judged on. That’s how the media will look at you, that’s the reputational impact. The media coverage of recent incidents, including Delta and Southwest Airlines last year, shows consumer feedback wasn’t particularly complimentary. Those stories firmly bring response and disaster recovery into focus.
Dealing with data and regulatory reform
For airlines, a big piece of the cyber risk jigsaw is built around data risk and data privacy risk. Airlines hold lots of customer information – names, addresses, passport numbers, credit card information – that is attractive to hackers. In large international airlines, there is this further layer of complexity due to operating across multiple jurisdictions and bringing into play regulatory issues depending on which territories your consumers are located in.
So when you look at the cyber-risk profile for airlines, there is not only the potential impact of catastrophic business interruption caused by a cyber event, but significant data privacy issues, too. This is particularly relevant for those in Europe where stricter regulations are either in place or coming into force. Next May the European General Data Protection Regulation (GDPR) comes into effect, so airlines dealing with customers who are EU nationals have a much stricter regulatory regime that imposes significant requirements around the way consumer data is collected, handled and processed, with significant financial consequences if you get that wrong.
Regulatory reforms are both a help and a hindrance. Take data privacy: formally legislated rules will focus the mind on the need to look at how data is collected, held and protected, and whether entities even know what data is being held. Questions then arise around whether sufficient controls and procedures are in place around that. Therefore, stricter regulations force companies who are collecting large volumes of consumer data to look at their overall approach and procedures more closely because, in the event of a breach, that’s going to be one of the areas that the regulator focusses on. When you talk of fines being levied – up to four per cent of global turnover – an airline that can demonstrate good cyber hygiene, good risk management, good recognition of risks and controls (and which responded to the incident well) would likely be judged and penalised less harshly in comparison to a company that didn’t demonstrate any of these.
So regulation in itself can potentially focus a company’s thinking around how it deals with some of these issues. Strong understanding and proactive compliance also have the potential to serve as a differentiator in terms of doing business. If consumers are confident around the way a business collects and stores their data, they are likely to be more comfortable using that business.
The flip side is the increased burden that strict regulation brings for organisations implementing change to stay compliant. To some extent, it’s difficult to know whether you did the right thing until after an incident happens and an investigator decides whether your actions were right or reasonable. With GDPR there’s a lot of grey area that companies must grapple with as well, but with enforcement less than 12 months away, we have certainly seen a marked shift with our client base in those sectors that are collecting lots of customer and personal information. There is a real focus now on making sure they can justify compliance.
For consumer-facing businesses that are collecting large volumes of information, whether retailers, financial institutions or airlines, this is firmly on the boardroom agenda. As a member of the board of those companies where there is such a potentially significant exposure, you must be able to demonstrate that not only have you recognised that cyber or data is a risk for you, but that you are doing something about it in terms of protection and risk management.
Train pre-attack; communicate post-attack
Our claims data shows that workplace culture and employee engagement around cyber risk is also important to the risk profile. Building the wall higher to keep people out is useful, but neglects the fact that there are many threats from inside the wall. Negligent or deliberate acts from employees or contractors can lead to big exposure.
Pre-loss, training and awareness around data and cyber security is critical, as is people buying into why this is important to the business. There is often a danger with training courses that they simply become a tick-box exercise. We continue to see a lot of cyber incidents arising from social engineering and phishing scams where people click on the link they weren’t supposed to.
The extent to which you can make employees engaged and help them understand the importance of these issues is going to infinitely improve your risk profile and reduce the potential for incident. Make sure that all employees know how to notify and escalate internally. Training and education is critical for prevention but also for responding appropriately. And remember that the method of training delivery is vital: this can’t be treated as a once-a-year, onerous compliance initiative where you pay lip service to the issue of training and then forget about it for another 12 months.
Predictability and preparedness
Volatility around the risk environment is pretty extreme in this field. Take the WannaCry ransomware attacks: ransomware is not a new threat but the 2017 attack that crippled critical systems worldwide demonstrated the extent to which this can spread so quickly – there’s no geographical boundary. If you’re looking at risk physically and trying to protect against natural catastrophes like earthquakes and hurricanes, there’s generally a blast radius which, if worse comes to worst, limits the affected area. The WannaCry incident really emphasised the fact that this can impact multiple companies across multiple geographies quite quickly from a single attack. While that had always been a threat, incidents like WannaCry can act as scenario testing for organisations.
While airlines would be prudent to map out a broad architecture for incident response, you also have to accept that the nature of a new incident could be uniquely complicated and something nobody has seen before, so adapting your response in real time is the only way to counter volatility and uncertainty in the risk environment.
You also have to look at motive when talking about risk – whether that’s monetary gain, criminal hackers, activists with religious or ideological aims, a disgruntled employee with a grudge to bear, or even a negligent employee or contractor. Look at those potential threat actors and establish what they will be interested in. That level of granularity to identify threat actors, and what they’re interested in, will help you build the appropriate controls, encompassing people, process and technology, around those risk exposures.
External v. internal management of supply chain
Most airlines are reliant on third-party technology and other providers to operate their businesses. That exposes them to failures or issues with the supply chain and increases the surface area over which they can suffer attack. If airline systems are interacting with a number of third-party systems then there is the potential that that becomes an access point and creates another exposure. That digital supply chain complexity is something all companies are grappling with and there is always a discussion around whether each component part of a supply chain is something that is better managed internally or externally. You may be giving away control to a contracted third party and therefore relying on the strength of a contract if things go wrong. But if you’re outsourcing to a major technology provider, they are continually reinvesting in making sure they have resilience, protection and recovery. While exposure comes from giving access away, at present we haven’t seen it causing huge issues for companies. So, the risk is there but this is often outweighed by cost benefits and by the fact that, for the most part, you actually improve your risk profile because you outsource to a company that is better placed to perform this function.
The question is: how do you select, vet and contract to ensure a company is dealing with data and IT security in the way you want it dealt with? Have visibility on who your outsourced service providers are, how you select and monitor them and contract with them. Outsourcing is a business reality, so make sure there is visibility, rigour and control around who you contract with, beyond just looking at cost.
Cost cascade and controlling the controllables
All is not doom-and-gloom in the world of aviation cyber, however. With every incident, risk management standards subsequently improve, either through enforced regulation, or improved best practice (and investment) in recognition and preparedness.
Relative to the number of airlines and flights operating globally, incidents are not as commonplace as one would expect. It is an issue that can get exaggerated, but that’s not to say additional focus and investment is unwelcome. Incidents may be relatively few and far between, but the cascade effect of an outage and ongoing delay and disruption can be limitless.
The direct impact and tangible cost impact comes through myriad factors, including loss of revenue from cancelled flights, the costs of staff overtime, of emergency practices to keep things ticking over, regulatory penalties and fines, fees for recovery assistance, legal and accountancy fees, insurance calculation time, and passenger compensation – which in some cases has been as much as €600 per delayed passenger. With up to 75,000 passengers impacted by an incident (for example through number of flights cancelled) this direct cost alone is potentially huge.
Then there are intangible costs, such as reputational damage, additional regulatory scrutiny and damage to staff morale. This in turn can impact on an organisation’s ability to attract investment or to attract talent from a recruitment perspective. So, while annual reports and accounts can give an indication of what has been set aside, it is impossible to measure the true financial impact.
Organisations must be mindful of new trends and track technology, as today’s outliers have the potential to become tomorrow’s norm – as we’ve seen with social engineering, a cyber threat that most companies are now exposed to. Mitigating the impact of this and other threats is easier than measuring them. Risk profile and incident response must therefore be a constant boardroom bullet point. Stay vigilant and control your controllables.
About the Author:
Glyn joined the FINEX Division of Willis Towers Watson in 2015 to head the London Cyber and TMT E&O capabilities. Glyn has worked in the London insurance market for 15 years specialising in Cyber risk placements across a range of industry sectors as well as Errors & Omission placements specifically within the Telecommunications, Media and Technology sectors. Glyn advises clients on programme design, placement and risk profiling with a particular focus on policy wording and coverage analysis.