Last month’s global IT outage at British Airways (BA) is symbolic of the airline industry’s reliance on technology and associated exposure to business interruption. Yet this is a risk that can in large part be transferred to insurers.
The three-day global IT failure at BA from May 27 affected some 75,000 passengers and 1,000 flights, knocking the airline’s share price and reputation. The company now faces a sizable bill from compensating passengers and business interruption.
The initial estimate by BA’s owner International Airlines Group (IAG) put the cost of the outage at around USD 100 million, including lost revenue and the expense of accommodating, re-booking and compensating passengers.
While the outage was first billed as an IT failure, BA says it was in fact the result of “human error” after a contract engineer is thought to have disconnected the power at BA’s data centre. This was followed by an “uncontrolled” restoration of the company’s IT systems, which created physical damage to the systems and significantly exacerbated the problem.
Airlines are particularly exposed to IT outages. They were early to embrace technology and are now heavily dependent on IT systems, from booking and baggage handling, to flight scheduling and operations. But ageing IT and fragile legacy systems have left them vulnerable.
The sector has experienced a string of outages in recent years. BA suffered a smaller IT failure in September, while in June the airline suffered an unspecified failure of its baggage handling system that saw thousands of passengers depart without their luggage.
A number of US airlines have also been troubled by IT outages. Delta Air Lines experienced several major outages in 2016 and 2017; one in August 2016 cost the airline USD 150 million. An outage at Southwest Airlines, which saw 2,100 flights cancelled last year, cost the airline USD 54 million.
Although the exact cause of the BA outage has yet to be determined, cyber insurance can be tailored to provide protection for airlines' cyber exposures, including IT outages. Some cyber policies will exclude losses from external power supply failure, but the disruption at BA is said to have been triggered by human error.
Cyber insurance policy wordings differ when it comes to business interruption triggers. Some will only cover business interruption following a cyber-attack, while others will cover systems failure on an ‘all risk’ basis or on a named failure basis.
The insurance industry is beginning to tailor policies to specific industry needs, and JLT’s collaborative approach across cyber and aviation has resulted in innovative thinking around the scope of cyber and IT outage coverage for airlines.
Compensation claims by passengers can also be covered by cyber insurance where an incident is caused by a cyber trigger. In an industry with paper-thin margins, this expense could be the difference between making a profit or a loss.
Outages like the ones suffered by BA, Delta and Southwest Airlines also highlight the importance of a robust incident response plan. For all their resource, many large public companies still find themselves ill-equipped to deal with the fall-out from a cyber incident.
One crisis management expert said that the BA outage provided a “textbook” example of how organisational systems need backup and effective communications when they fail. Denis Fischbacher-Smith, Research Chair in Risk and Resilience, University of Glasgow (who experienced the disruption first hand), said that companies need to plan their response to the catastrophic failure of a critical system.
Incident response assistance is the keystone of any well-crafted cyber insurance policy, allowing for a structured, multifaceted response to a range of issues insureds are unlikely to have incurred before.
There are also a number of insurers that will provide “reputational harm” coverage to insureds as part of their cyber risk solution. The wordings available are quite broad and can cover any income loss, increased cost of working and PR expenses incurred during the ‘reputation indemnity period’.
Download Cyber Decoder – June 2017
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org