Bespoke cover launched to address airline cyber risks

05 April 2018

JLT Specialty has launched a new cyber insurance policy to address specific and often overlooked risks related to data and a growing reliance on technology. The policy gives airlines greater contract certainty when insuring cyber exposures, as well as ensuring a faster payout for business interruption losses.

The airline industry continues to face a growing threat from cyber attacks, which if not handled effectively can have a devastating effect on a business, causing serious damage to reputation and consumer trust.

As the industry becomes more dependent on IT systems and technology, and with the growing sophistication of cyber attacks, the need for cyber security solutions is becoming more important. JLT has combined its in-depth experience of the aviation industry and its cyber insurance expertise to assist the insurers developing the product to ensure that it will help airlines recover more quickly should they become the victim of a cyber attack or an unplanned systems outage.

Recent years have seen a number of airlines affected by major systems outages. An IT systems outage cost British Airways almost GBP 60 million in May 2017. Several US airlines, including Delta Airlines and Southwest Airlines, also suffered major outages in 2016.

Airlines have also been hit with cancellations and delays resulting from outages at third party service providers. Passengers suffered long delays in September last year when a software glitch hit check-in desks at a number of major airports around the world. Airline and hotel reservation company Sabre Corp was hacked in 2017 after stolen credentials were used to access personal data and payment card details.

In July last year, Virgin America confirmed that hackers had accessed its corporate network, stealing personal data and login credentials of employees. In another incident last year, Canadian airline WestJet was forced to apologise to customers after the personal details of its reward scheme members were disclosed online.

FILLING GAPS

DART (Data and Reliance on Technology), fills a distinct gap in the current market, and ensures airlines are protected in the ever evolving cyber risk landscape.
Airline insurance provides some limited cover for cyber incidents tied to property damage and liability coverages. However, policies are not intended to cover non-damage business interruption and data breaches.

In a bid to clarify cover, the London market’s Aviation Insurance Clauses Group (AICG) published Data Event Clause AVN 124. The model clause effectively excludes data breaches and non-damage business interruption losses from standard aviation hull and liability policies, although the exclusion does not apply to physical damage to aircraft and bodily injury.

DART protection insurance is designed specifically to fill commonly identified cyber gaps in existing airline insurance portfolios, in particular the risks of data breach and non-damage related business interruption losses. The wording has been designed with insurers seeking to provide a rapid settlement of claims with pre-agreed flight values.

Cover includes the essential elements of cyber insurance, including access to a panel of cyber incident response vendors at pre-agreed rates. DART indemnifies the costs of incident response and data restoration, as well as cyber extortion, cyber and data breach liability and business interruption loss.

OUTAGES

DART covers business interruption for extended outage of websites and on-board point of sale systems. It also covers business interruption for flights cancelled or delayed by more than three hours due to a cyber incident. To ensure rapid settlement of cyber business interruption claims, cover is on a pre-agreed value basis which takes into account lost revenue, duty of care and statutory passenger compensation.

Optional extensions to the policy can expand business interruption coverage to include outsourced service provider dependencies, such as cyber and technology issues at global reservation booking systems and other direct service providers. A technology infrastructure extension can also extend cover to named entities providing internet, cable or telecommunication infrastructure services.

Specific policy extensions are also available for data privacy or to cover the cost of customer goodwill initiatives as part of the incident response. The facility is underwritten in the London market and can provide capacity in excess of USD 125 million.

For further information, please contact:

Steve Bridges
Senior Vice President
Cyber / Errors & Omissions Practice
Email
Tel: 312.637.6119

Shannon Groeber
Senior Vice President
Cyber / Errors & Omissions Practice
Email
Tel: 215.309.4495