
Are GDPR and cyber risks on airlines' radar?

Posted 1 May 2018

Sjaak Schouteren, Partner, European Cyber Team and Paul Waring, Partner, Aviation Team, at JLT Specialty, consider airlines' preparedness for GDPR and cyber risks.



Above: (left to right) Sjaak Schouteren and Paul Waring.

It is no secret that airlines are businesses that run on very tight margins even during the good economic periods, let alone when conditions are more difficult.

That reality means that disruption of any sort, on a large scale, can have a massive knock-on effect. This is particularly true when it involves technology, which is increasingly at the core of just about everything in the industry.

Last year’s British Airways tech troubles – described by the company itself as a “major IT system failure” – resulted in more than 1,000 flight cancellations and 75,000 stranded passengers. It was no doubt a costly endeavour, given that Europe’s Flight Compensation Regulation 261/2004 gives passengers the right to claim compensation up to £532 (€600) if a flight has been delayed by at least three hours.

The stark reality is that airlines are facing even more turbulent skies in the future, with cyber storms bearing down on all fronts. However, rising levels of cyber incidents are not the only issue airlines currently have to deal with. The long shadow of the impending General Data Protection Regulation (GDPR) and the ever-present risk of human error both have the potential to bring airlines to their knees.

GDPR Ready
One of the most imminent issues for every industry, including airlines, is the launch of GDPR later this month on the 25th of May. It is the most sweeping data and privacy regulation in history.

Fundamentally, the airline business is perhaps one of the most truly international industries, given the simple reality of moving people, along with their data, from place to place around the globe. So in addition to GDPR, airlines have to contend with other data protection laws and privacy regimes across different legal jurisdictions, creating enormously complex challenges. The industry is coming to grips with the need to be keenly aware of what data is stored and where, in order to make sure they are fully compliant with any data protection regulations in the countries they service.

One central and unique pillar of how the industry works – the now ubiquitous codeshare agreement – adds even further complications. Allowing two or more airlines to publish and market the same flight under their own airline designator, codeshares mean that different airlines will necessarily hold data together, with obvious implications for data protection and risk management. If someone is on a flight with a codeshare agreement, their data may well be in the hands of an organisation that they are not necessarily dealing with directly.

Getting to grips with GDPR and the wider data protection challenge is not necessarily an easy task, with the industry’s data coming from varied and sometimes unlikely sources. The airline and security office will hold key customer data in their booking system, while the social media team will likely have access to a whole trove of data on customers and potential customers. That kind of data will need to be looked at carefully and either stored correctly or destroyed, with GDPR in mind.

Cyber risks on the radar
Even as GDPR looms large, the risks of disruption from cyber incidents and exposure seem to grow exponentially by the day. Technology sits at the core of the airline industry, with all systems on a flight completely interlinked and the customer experience driven by mobile apps and online booking. The verdict is still out as to whether such technological dependence makes it easier or more difficult for hackers to penetrate and disrupt airlines’ systems, but the outcome can be disastrous regardless.

Looking at a scenario of a cyber incident on a European airline, the airline is required by law to notify any affected parties by both electronic and physical mail. Even just the simple cost of a postage stamp, when extrapolated to millions of customers, will reach into the hundreds of thousands of pounds of cost straight away. Add to that the reinstatement cost of the data that has been breached, and the potential liabilities can be eye-watering.

A system shutdown, on the other hand, can either be carried out by a malicious third party or merely be the result of human error. The effect can be the same, as a customer turns up to an airport with a boarding pass on their mobile phone but no way to check in for their flight (which may be unable to take off anyway). The potential negative effects from such incidents can be hard to estimate. While planes will eventually fly again, the reputational hit can lead to huge losses for the business.

What can be done?
In order to face these myriad challenges head-on, airlines must start by carrying out a risk audit and thoroughly understand their cyber capabilities and vulnerabilities. They need to look at where the most exposed areas of the business are and where the metaphorical ‘crown jewels’ are stored. It is impossible to manage cyber risks if the key areas are unknown, and companies must be aware to be able to plan for the worst.

In addition, steps need to be taken to ensure that data security is at the heart of the business and strategic planning. The responsibility for and awareness of these issues must be shared throughout the company, whether that is marketing, HR, the legal department or the finance department. Leaving the onus solely on the Chief Information Security Officer (CISO) will not guarantee cyber safety. Quite the opposite: the issue must have the attention of everyone from the board to the rank-and-file, otherwise there will inevitably be weak links that can and will be exploited.

Even with the best data protection and cyber security measures in place, a breach will still be a possibility. Whether that comes from human error, system failure or the ever-evolving threat of hackers, the final piece of how airlines need to protect themselves and ensure the impact to the bottom line is minimised is, unsurprisingly, insurance. Adequate cover makes sure that no possibilities fall through the cracks, dramatically increasing the likelihood of an airline surviving a catastrophic disruption. With such tight margins, speed of payment in the event of a breach is particularly critical. Where insurance was previously limited to cyber-attacks alone, it now includes system outages or even human failure. Such a broad range of cover is increasingly vital, as a cyber-attack is but one of many ways that the systems underpinning an airline can fail.

With the skies darkening, airlines need to be sure to adequately protect against the oncoming storm.

 

 
