Latest BA IT Failure Threatens Willis CyFly Cyber Programme

An IT failure which affected more than 500 British Airways (BA) flights in August threatens to erode the lower layers of its cyber insurance programme, industry publication The Insurance Insider understands.

Sources told this publication that BA buys Willis Towers Watson’s CyFly product, an insurance solution specifically designed to address airline cyber exposures – in particular the failure of critical IT systems.

AIG is understood to lead the product, and the rest of the tower is largely written in the London market. Sources said the 2018 programme had EUR200mn ($222mn) of limit, but it is not clear whether BA had chosen to increase the amount of protection it purchased for the 2019 programme.

The loss quantum from the August event at this stage is not clear, as there are understood to be waiting times in place in the wording for the business interruption (BI) element of the coverage.

However, market sources have speculated that the lower layers were likely to be eroded due to resulting legal costs alone.

The BA loss hit the market just under two weeks after Capital One disclosed a severe data breach, which could exhaust the limit of the firm’s $400mn cyber placement.

If the full $400mn Capital One limit is exhausted – which, given the scale of the breach, sources speculate is a possibility – it would be a new record claim for the cyber market. Axis, AIG and Axa XL have the largest gross exposure to the loss.

BA, which is owned by International Airlines Group, has experienced at least one IT failure or cyber security incident a year since 2016.

The most recent IT failure on 7 August, which lasted from 9.30am UK time until around 4pm, led to more than 500 flights being cancelled or delayed. The airline said the outage had only affected London airports but others in the UK and Europe had experienced knock-on disruption.

The August failure followed a breach of BA’s security systems in 2018, which was first disclosed on 6 September but is believed to have begun the previous June.

In the hack, details of around 500,000 customers were stolen and the incident led to a record £183mn ($222mn) fine – or 1.5 percent of turnover – by the Information Commissioner’s Office.

Sources said the cyber market is still debating the insurability of the fine.

In 2017, a global system failure forced BA to cancel all flights out of London on 27 May, with thousands of cancellations racking up over the following two days.

At the time, Insurance Insider reported that BA was pursuing its property insurers for a sizeable BI claim in relation to the outage, as it had no standalone cyber insurance cover in place.

Prior to this, BA also experienced a number of system outages and delayed flights during 2016, at least one of which was attributed to a new check-in system installed that year.

AIG, Willis Towers Watson and International Airlines Group declined to comment.