in Features

Are GDPR and cyber risks on airlines' radar?

Posted 1 May 2018 · Add Comment

Sjaak Schouteren, Partner, European Cyber Team and Paul Waring, Partner, Aviation Team, at JLT Specialty, consider airlines' preparedness for GDPR and cyber risks.



Above: (left to right) Sjaak Schouteren and Paul Waring.

It is no secret that airlines are businesses that run on very tight margins even during the good economic periods, let alone when conditions are more difficult.

That reality means that disruption, of any sort, on a large scale can have a massive knock on effect. This is particularly true when this involves technology, which is increasingly at the core of just about everything in the industry.

Last year’s British Airways tech troubles – described by the company itself as a “major IT system failure” - resulted in more than 1,000 flight cancellations and 75,000 stranded passengers. It was no doubt a costly endeavour, given the fact Europe’s Flight Compensation Regulation 261/2004 gives passengers the right to claim compensation up to £532 (€600) if a flight has been delayed by at least three hours.

The stark reality is that airlines are facing even more turbulent skies in the future, with cyber storms bearing down on all fronts. However, rising levels of cyber incidents isn’t the only issue airlines currently have to deal with. The long shadow of the impending General Data Protection Regulation (GDPR) and the ever-present risk of human error all have the potential to bring airlines to their knees.

GDPR Ready
One of the most imminent issues for every industry, including airlines, is the launch of GDPR later this month on the 25th of May. It is the most sweeping data and privacy regulation in history.

Fundamentally, the airline business is perhaps one of the most truly international industries, given the simple reality of moving people, along with their data, from place to place around the globe. So in addition to GDPR, airlines have to contend with other data protection laws and privacy regimes across different legal jurisdictions, creating enormously complex challenges. The industry is coming to grips with the need to be keenly aware of what data is stored and where, in order to make sure they are fully compliant with any data protection regulations in the countries they service.

One central and unique pillar of how the industry works – the now ubiquitous codeshare agreement – adds even further complications. Allowing two or more airlines to publish and market the same flight under their own airline designator, codeshares mean that different airlines will necessarily hold data together, with obvious implications for data protection and risk management. If someone is on a flight with a codeshare agreement, their data may well be in the hands of an organisation that they are not necessarily dealing with directly.

Getting to grips with GDPR and wider data protection challenge is not necessarily an easy task, with the industry’s data coming from varied and sometimes unlikely sources. The airline and security office will hold key customer data in their booking system, while the social media team will likely have access to a whole trove of data on customers and potential customers. That kind of data will need to be looked at carefully and either stored correctly or destroyed, with GDPR in mind.

Cyber risks on the radar
Even as GDPR looms large, the risks of disruption from cyber incidents and exposure seems to grow exponentially by the day. Technology sits at the core of the airline industry, with all systems on a flight completely interlinked and the customer experience driven by mobile apps and online booking. The verdict is still out as to whether such technological dependence makes it easier or more difficult for hackers to penetrate and disrupt airlines systems, but the outcome can be disastrous regardless.

Looking at a scenario of a cyber incident on a European airline, the airline is required by law to notify any affected parties by both electronic and physical mail. Even just the simple cost of a postage stamp, when extrapolated to millions of customers, will reach into the hundreds of thousands of pounds of cost straight away. Add to that the reinstatement cost of the data that has been breached, and the potential liabilities can be eye watering.

Given a scenario of a system shutdown, on the other hand, can either be carried out by a malicious third party, or merely be the result of human error. The effect can be the same, as a customer turns up to an airport with boarding pass on their mobile phone but no way to check in for their flight (which may be unable to take off anyway). The potential negative effects from such incidents can be hard to estimate. While planes will eventually fly again, the reputational hit can lead to huge losses for the business.

What can be done?
In order to face these myriad challenges head-on, airlines must start by carrying out a risk audit and thoroughly understand their cyber capabilities and vulnerabilities. They need to look at where the most exposed areas of the business are and where the metaphorical ‘crown jewels’ are stored. It is impossible to manage cyber risks if the key areas are unknown, and companies must be aware to be able to plan for the worst.

In addition, steps need to be taken to ensure that data security is at the heart of the business and strategic planning. The responsibility for and awareness of these issues must be shared throughout the company, whether that is marketing, HR, the legal department or the finance department. Leaving the onus solely on the Chief Information Security Officer (CISO) will not guarantee cyber safety. Quite the opposite, the issue must have the attention of everyone from the board to the rank-and-file, otherwise there will inevitably be weak links that can and will be exploited.

Even with the best data protection and cyber security measures in place, a breach will still be a possibility. Whether that comes from human error, system failure or the ever-evolving threat of hackers, the final piece of how airlines need to protect themselves and ensure the impact to the bottom line is minimised is, unsurprisingly, insurance. Adequate cover makes sure that no possibilities fall through cracks, increasing dramatically the likelihood of an airline surviving a catastrophic disruption. With such tight margins, speed of payment in the event of a breach is particularly critical. Where insurance was previously limited only to just cyber-attacks, it now includes system outages or even human failure. Such a broad range of cover is increasingly vital, as a cyber-attack is but one of many ways that the systems underpinning an airline can fail.

With the skies darkening, airlines need to be sure to adequately protect against the oncoming storm.

 

 

* required field

Post a comment

Other Stories
Advertisement
Latest News

USAF Academy selects Merlin flight simulators

The USAF Academy, Colorado, have ordered four new simulators for their teaching facility from the Merlin Flight Simulation Group in the UK.

SAMI acquires AEC

Saudi Arabian Military Industries (SAMI) has announced the signing of a Term Sheet Agreement to acquire 100% ownership in Advanced Electronics Company (AEC), which took place at a Saudi Arabia–UK industry event in London in the

Royal Thai Air Force is first international T56 upgrade customer

The Royal Thai Air Force has become the first international customer to update its C-130H transport fleet with the Rolls-Royce T56 Series 3.5 engine upgrade.

BAE Systems launches Hunter Class prototyping phase bid process

BAE Systems Australia is today launching the process to bid for work on the Hunter Class Frigate Programme’s prototyping phase.

Cobham wins Airbus innovation award

Last week at the Paris Air Show, Cobham Aerospace Communications Dourdan was presented with an innovation award by Airbus Helicopters, for their integrated antenna technology.

Edinburgh Airport has its busiest May

A total of 1,381,187 passengers travelled through Edinburgh Airport last month making it the busiest May on record.

ODU 0201311219
See us at
SMI GMS BT1906071119DSEI JP BT1605201119VIDSE BT1605060320ADSS1000DBT1706171019SMI FAV BT1006141119SMI ActiveP BT1206121119