in Features

Are GDPR and cyber risks on airlines' radar?

Posted 1 May 2018 · Add Comment

Sjaak Schouteren, Partner, European Cyber Team and Paul Waring, Partner, Aviation Team, at JLT Specialty, consider airlines' preparedness for GDPR and cyber risks.



Above: (left to right) Sjaak Schouteren and Paul Waring.

It is no secret that airlines are businesses that run on very tight margins even during the good economic periods, let alone when conditions are more difficult.

That reality means that disruption, of any sort, on a large scale can have a massive knock on effect. This is particularly true when this involves technology, which is increasingly at the core of just about everything in the industry.

Last year’s British Airways tech troubles – described by the company itself as a “major IT system failure” - resulted in more than 1,000 flight cancellations and 75,000 stranded passengers. It was no doubt a costly endeavour, given the fact Europe’s Flight Compensation Regulation 261/2004 gives passengers the right to claim compensation up to £532 (€600) if a flight has been delayed by at least three hours.

The stark reality is that airlines are facing even more turbulent skies in the future, with cyber storms bearing down on all fronts. However, rising levels of cyber incidents isn’t the only issue airlines currently have to deal with. The long shadow of the impending General Data Protection Regulation (GDPR) and the ever-present risk of human error all have the potential to bring airlines to their knees.

GDPR Ready
One of the most imminent issues for every industry, including airlines, is the launch of GDPR later this month on the 25th of May. It is the most sweeping data and privacy regulation in history.

Fundamentally, the airline business is perhaps one of the most truly international industries, given the simple reality of moving people, along with their data, from place to place around the globe. So in addition to GDPR, airlines have to contend with other data protection laws and privacy regimes across different legal jurisdictions, creating enormously complex challenges. The industry is coming to grips with the need to be keenly aware of what data is stored and where, in order to make sure they are fully compliant with any data protection regulations in the countries they service.

One central and unique pillar of how the industry works – the now ubiquitous codeshare agreement – adds even further complications. Allowing two or more airlines to publish and market the same flight under their own airline designator, codeshares mean that different airlines will necessarily hold data together, with obvious implications for data protection and risk management. If someone is on a flight with a codeshare agreement, their data may well be in the hands of an organisation that they are not necessarily dealing with directly.

Getting to grips with GDPR and wider data protection challenge is not necessarily an easy task, with the industry’s data coming from varied and sometimes unlikely sources. The airline and security office will hold key customer data in their booking system, while the social media team will likely have access to a whole trove of data on customers and potential customers. That kind of data will need to be looked at carefully and either stored correctly or destroyed, with GDPR in mind.

Cyber risks on the radar
Even as GDPR looms large, the risks of disruption from cyber incidents and exposure seems to grow exponentially by the day. Technology sits at the core of the airline industry, with all systems on a flight completely interlinked and the customer experience driven by mobile apps and online booking. The verdict is still out as to whether such technological dependence makes it easier or more difficult for hackers to penetrate and disrupt airlines systems, but the outcome can be disastrous regardless.

Looking at a scenario of a cyber incident on a European airline, the airline is required by law to notify any affected parties by both electronic and physical mail. Even just the simple cost of a postage stamp, when extrapolated to millions of customers, will reach into the hundreds of thousands of pounds of cost straight away. Add to that the reinstatement cost of the data that has been breached, and the potential liabilities can be eye watering.

Given a scenario of a system shutdown, on the other hand, can either be carried out by a malicious third party, or merely be the result of human error. The effect can be the same, as a customer turns up to an airport with boarding pass on their mobile phone but no way to check in for their flight (which may be unable to take off anyway). The potential negative effects from such incidents can be hard to estimate. While planes will eventually fly again, the reputational hit can lead to huge losses for the business.

What can be done?
In order to face these myriad challenges head-on, airlines must start by carrying out a risk audit and thoroughly understand their cyber capabilities and vulnerabilities. They need to look at where the most exposed areas of the business are and where the metaphorical ‘crown jewels’ are stored. It is impossible to manage cyber risks if the key areas are unknown, and companies must be aware to be able to plan for the worst.

In addition, steps need to be taken to ensure that data security is at the heart of the business and strategic planning. The responsibility for and awareness of these issues must be shared throughout the company, whether that is marketing, HR, the legal department or the finance department. Leaving the onus solely on the Chief Information Security Officer (CISO) will not guarantee cyber safety. Quite the opposite, the issue must have the attention of everyone from the board to the rank-and-file, otherwise there will inevitably be weak links that can and will be exploited.

Even with the best data protection and cyber security measures in place, a breach will still be a possibility. Whether that comes from human error, system failure or the ever-evolving threat of hackers, the final piece of how airlines need to protect themselves and ensure the impact to the bottom line is minimised is, unsurprisingly, insurance. Adequate cover makes sure that no possibilities fall through cracks, increasing dramatically the likelihood of an airline surviving a catastrophic disruption. With such tight margins, speed of payment in the event of a breach is particularly critical. Where insurance was previously limited only to just cyber-attacks, it now includes system outages or even human failure. Such a broad range of cover is increasingly vital, as a cyber-attack is but one of many ways that the systems underpinning an airline can fail.

With the skies darkening, airlines need to be sure to adequately protect against the oncoming storm.

 

 

* required field

Post a comment

Other Stories
Advertisement
Latest News

Serco acquires Sapienza

Serco Group plc has entered into an agreement to acquire Sapienza Group, from TP Group plc, to expand its offering to the European space sector.

Menzies Aviation renews Air Canada contract at Heathrow

Menzies Aviation today announced it has renewed a significant ground services contract with Air Canada at Heathrow Airport (LHR) and won new business at Copenhagen Airport (CPH).

Views sought to boost security of UK data centres and cloud services

Looking to strengthen security and resilience of UK’s data infrastructure to protect against outages and national security threats, the Government has announced it is seeking views on how to boost the security and resilience of

UK Government to host AFF22 onboard HMS Prince of Wales in New York

On 28th-29th September, the UK Government will host the Atlantic Future Forum (AFF22) on the aircraft carrier HMS Prince of Wales in New York, bringing together senior politicians, policymakers, military leaders, academia, business

Stay ahead of the airplane

Neil Ballinger, head of EMEA at EU Automation, looks at ways of stepping up to the challenges currently facing aerospace supply chains.

Airbus launches UK ZEDC

Airbus is strengthening its presence in the UK with the launch of a Zero Emission Development Centre (ZEDC) for hydrogen technologies, to be based in Filton, Bristol.

ODU SK0105310522
See us at
Advanced Engin BT2504031122DVD BT2704220922Future Armoured Vehicles Weapon Systems BTFuture Arm Vehicles Power Systems BTFuture Arm Vehicles Active Protection Systems BT