The cyber risks faced by the aviation industry - ten things to know

Publication October 2016

Cyber risk is a broad concept that encompasses a range of risks arising out of the use of data and information technology.

Cyber risk is a concept that the aviation industry has been engaging with for some time and the industry is generally perceived to be some distance ahead of others in terms of cyber risk management.

However, recent analysis suggests that cyber risk is a growing threat to the industry,  with one recent report suggesting that it is now subject to over 1,000 cyber-attacks per month.

This article provides an overview of the ways in which cyber risk affects the aviation industry and how this risk might best be managed.   

1. Cyber risk can expose you to regulatory liability

Airlines hold large amounts of personal data belonging to crew and customers. For an airline to directly engage with customers on an e-commerce platform, it needs to retain a large amount of potentially sensitive personal data ranging from credit card details to medical information.

If this data is lost, compromised or otherwise used in an inappropriate way, an airline could be exposed to considerable liability to regulators. An airline’s customers or clients are likely to be based in a range of jurisdictions, which in theory could lead to a number of national data privacy regulators taking action against the airline in the event of an adverse data incident.

Regulatory changes, such as the impending EU General Data Protection Regulation, mean that stakeholders in the aviation industry are likely to be at greater risk of regulatory liability in future.

2. Cyber risk can leave you liable to clients and customers

As well as exposure to regulators, loss or misuse of personal data can lead to stakeholders in the aviation industry facing legal action from their clients and customers.

The legal landscape is evolving in a number of jurisdictions to allow a broader range of claims to be brought in these circumstances. For example, the English courts recently acknowledged a claimant’s ability to bring a tort claim for misuse of private information and allowed claims to be brought under the Data Protection Act 1998 in circumstances where no pecuniary loss has been suffered.

The incidental costs involved in responding to adverse cyber incidents, which may involve providing credit monitoring services or remediation plans to all affected customers, can also be very high.  

3. Cyber risk affects physical assets

A number of commentators have suggested that automated systems used in the aviation industry may contain weaknesses that may allow aircraft to be hacked and remotely controlled, with potentially catastrophic consequences. While there is little solid evidence surrounding the feasibility of such a hacking, it is undeniable that aviation is now more reliant than ever on automation and that the cybersecurity underlying this automation is of vital importance in ensuring there is no risk to aircraft or, as a consequence, to passengers and other physical assets.    

4. Cyber risk affects your ability to do business

There are a number of ways in which cyber risk can lead to lengthy and costly interruptions to business. The much-publicised possibility of a cyber-attack on air traffic control systems could, for example, lead to widespread disruption in the industry which would lead to extensive business interruption losses.

Company-specific cyber risks, such as the prospect of a distributed denial-of-service attack on an airline’s website, could equally cause extensive disruption to that airline’s ability to do business.

5. Cyber risk can damage your reputation in the market

To date, there has not been a high-profile adverse cyber incident in the aviation industry that has brought into focus the reputational harm that cyber risk can cause. However, one only has to look at high-profile incidents in other industries  - perhaps most notably, healthcare and retail following high-profile incidents in the US – to see the reputational harm that can be caused.

How to manage those cyber risks

6. You can’t manage your cyber risks unless you know what they are

In order to effectively manage risk it is vital to identify and monitor the risk landscape that you are facing, from a technological and operational risk perspective as well as in terms of legal and regulatory risk.

This should be seen as a pervasive element of any stakeholder’s risk management strategy and should not be seen as an issue that is confined to IT or technology.

7. You need proper policies and procedures to manage cyber risk

Policies and procedure documents are a key risk management tool. They provide a framework around which cyber risk should be managed on a day-to-day level and also provide the basis for a rapid and effective response in the event than an adverse incident does occur – this can be invaluable in containing the impact of an incident.

8. You are only as strong as your weakest link when it comes to cyber risk

Aviation in an interconnected industry and reliance is placed on the cyber infrastructure of a range of third parties, from air traffic control to outsourced service providers.

It is therefore important that you are happy that all elements of your supply chain have sufficient cyber risk management strategies in place, to prevent adverse incidents occurring that could lead to you incurring losses or liabilities. You may wish to consider how this is dealt with in contractual arrangements with third-party service providers.  

9. Effective cyber risk management involves a cultural shift

Cyber risk is something which all individuals working in the aviation industry should bear in mind. Adopting good day-to-day cyber hygiene habits – such as always encrypting data belonging to customers – should become second-nature and an essential element of good working practices.

10. Cyber risk management strategies should be robustly tested

Without testing the strategies that are in place, it is not possible to determine how well cyber risks are being managed. This is reflected in guidance from the American Institute of Aeronautics and Astronautics, which has recommended conducting cyber stress-tests to determine the areas most susceptible to attack.


Practice area:

Industry:

Recent publications

Subscribe and stay up to date with the latest legal news, information and events...