In 2016 WTW conducted a survey, the WTW Transportation Risk Index, which identified cyber and technology risk as one of the key challenges facing the transportation sector. Since 2017, the cyber risk environment of airlines has transformed and, as a result, insurance market conditions for airline cyber risks have become more challenging.
In January 2022, WTW took a fresh look at the key cyber risks and insurance challenges facing the commercial airline sector, to better understand the outlook for airline cyber insurance and shape solutions required to support the sector – which continues to be perceived as high risk by the cyber insurance market. This review of the insurance market’s perceptions of airline cyber risk identified some consistent themes.
Leading cyber insurers raised various key challenges including the following:
It is true that airlines rely on IT service providers to perform day-to-day functions. This ranges from booking systems to IT telecommunication providers. However, the question is whether this reliance on IT service providers is higher than other industry sectors. For example, the retail industry is reliant upon payment processors and the banking industry is reliant upon financial technology (fintech) providers. WTW questions whether airline exposure is justifiably considered higher than those respective industries.
Within a standard cyber policy, by covering an airline’s business interruption as the result of an outage at an IT service provider, insurers are concerned with the potential for aggregation across their portfolio. In short, should there be a significant outage at a service provider upon whom numerous airlines are reliant, an insurer could be exposed to losses across several, if not all, of their airline insureds. Nonetheless, this applies to all interconnected insureds, not exclusively to airlines.
Airlines are considered critical infrastructure. Due to the essential services they provide and the importance of their continued operations, legislation has been implemented for airlines to establish a baseline level of cyber security requirements for their network and information systems.
This was put into force in the European Economic Area by the Network & Information Systems Directive (NISD), and then implemented via national legislation, including via the Network & Information Systems Regulations (NISR) in the UK. Similar regulations have been adopted or are being adopted in other territories (for example the Singapore Security Act), thus increasing the regulatory requirements for airlines worldwide.
We would challenge the perception that airlines are a greater target than other critical infrastructure. In fact, the increased regulatory environment for airlines will encourage advancement in IT maturity across the sector and therefore airlines should be less vulnerable to attack.
The COVID-19 pandemic has undeniably affected all organisations in some manner, including airlines, but the extent of its impact on IT investment is unknown. However, it is our understanding from speaking to airlines that cyber security budgets were ringfenced during the pandemic and that airlines are not sacrificing cyber security spending to invest in other operations. In addition to internal pressures at airlines to enhance IT security, the increased regulatory environment further supports the need to focus on IT and cyber maturity.
With the knowledge that airlines are heavily reliant on the availability of systems and networks, cyber insurers perceive that the business interruption impact will not only be immediate but also significant should an airline suffer an interruption to its systems and network. WTW claims data can provide context and clarity to this assumption. The average duration of an airline/aviation cyber event, according to WTW data, is 10.5 days and the average loss equates to USD 10.6M. (Source: WTW client notifications, between 1 January 2015 and 1 June 2022).
Without the support of data from airlines, insurers will assume a worst-case scenario and here we would encourage airlines to share what data they have, to challenge any misconceptions. This quantification analysis will often not require new resource, but an assessment of the data already held regarding flight groundings arising from traditional non-cyber perils, for example volcanic ash clouds.
Airlines by their nature are data-rich organisations. Collecting large volumes of data records annually in the form of passenger data results in airlines being exposed to breaches of personal data, which can include credit card information and, in some cases, medical information. The airline industry is not alone in being data rich: other industries, including hospitality and healthcare providers, also collect and store vast quantities of customer data that could make them an attractive target for malicious actors looking to exploit organisations and profit from cyber extortion.
Three key steps for airlines to follow:
The cyber insurance market has experienced an unprecedented shift over the last two years. There has been a significant increase in cyber losses in the insurance market and as a result there has been an improved understanding and focus on the IT maturity of insureds. We have now seen a common stance amongst insurers to set out minimum standards with regards to IT controls. Where an insured does not meet the minimum standards, insurers will often not consider the risk any further.
It is more important than ever for airlines to run an ‘insurability check’ with their broker prior to entering the market. The insurability check will highlight any ‘red flag’ areas from a cyber insurer perspective and the airline can make informed decisions regarding next steps. This could be requesting internal budget approvals to fund IT improvements prior to entering the market. Should airlines enter the market prematurely and before running an insurability check, they are at risk of the market declining and the process negatively impacting their future chances of securing market interest. For airlines specifically, there is more pressure for the display of best-in-class controls to make insurers comfortable with the risk.
There is no one-size-fits-all approach to a cyber insurance policy. We would encourage airlines to work with their brokers to understand the coverages available, both standard and bespoke. With this knowledge, their broker can work with them to understand their areas of exposure and risk appetite. In addition, through the identification and quantification of key cyber risk scenarios, airlines can understand areas of weakness and subsequently brokers will be able to tailor policies accordingly.
Traditional risk transfer, whilst challenging, is still available to airlines with best-in-class IT controls. In fact, airlines with a sophisticated approach to IT security are seeing positive results in the cyber insurance market at present. It is possible that they will have access to increased limits and expanded or enhanced coverage.
Where budget restrictions are present, airlines may consider increasing their self-insurance. This could be via increased self-retentions/deductibles, reducing the limits or coverages purchased on their programmes or withdrawing from the cyber market in its entirety.
Outside of traditional risk transfer, airlines are considering alternative solutions to address cyber exposure. Where airlines have access to a captive solution, its involvement is being cautiously considered in conjunction with traditional risk transfer solutions.
Alternative risk transfer (ART) is another route being explored to address these exposures where traditional means are not readily available. The viability of such programmes is yet to be established but the investigation of such indicates that airlines are looking outside of the traditional insurance market to address their cyber exposures should the market not be able to assist.
Despite the challenges, we have seen a shift in the cyber market generally. Although insurers are still relatively cautious across all industry sectors, new cyber insurers have emerged, competition for capacity has marginally increased and premiums are approaching levels insurers will deem sustainable. While these changes have not been reflected in the market’s approach to airlines, this may be a sign of future change.
With increased regulatory requirements, airlines advancing with regards to IT maturity, the market shifting for the better and airlines considering alternative solutions to address their cyber exposure, will this encourage the cyber market to assist the airline industry? Or will the airline industry be reluctantly pushed to seek solutions elsewhere?
It has always been important for any industry to partner with the right, well-informed broker, but this is especially important for complex industries facing challenges with how they are perceived. Going forward, it will be vital that airlines choose the right broker to put themselves in the best position to achieve results. WTW is committed to assisting in navigating the insurance market to challenge any inaccurate perceptions, educate the insurance market and find agreeable risk transfer solutions for our airline clients.