The aerospace industry was left contemplating the devastating impact of cyber-attacks after hackers stole €50m ($55m) from the aerospace parts manufacturer FACC via wire fraud last month.
It increasingly seems to be a question of when, rather than if, an organisation will fall victim, with PwC's Global State of Security Survey 2016 stating that there were 38% more cyber security incidents detected in 2015 than in 2014. 2016 is already off to a bad start…
Whilst the value of the fraud – and its knock-on effect – is worrying enough (after FACC announced the theft, its share price dropped by 19%), this incident should cause companies to consider not only how secure their financial systems are, but also what exposure they have to cyber terrorists who may be after potentially more valuable assets – their confidential information.
For an aerospace company (at whatever layer of the supply chain) its relationships are key and a loss of (or tampering with) confidential information (whether its own or that of a supplier or customer) may significantly damage confidence and affect commercial relationships. Aircraft and engine condition monitoring systems transfer substantial volumes of data from aircraft to operator, and between operator, manufacturer and maintenance provider.
Multiple parties in the supply chain routinely exchange confidential information on specifications, performance and technology for bids to supply equipment or services and to collaborate on research, design, production and support. These data are all valuable commodities to cyber terrorists with unscrupulous clients in this competitive industry, who may use this data to copy products, undercut prices and outperform rivals.
A loss of confidential data also exposes the company to legal claims from parties up and down the supply chain whose data may have been compromised. Contracts provide strict rules on the handling of parties' confidential information and similarly strict contractual penalties for its loss.
Where an operator relies on data to ensure airworthiness and comply with, for instance, maximum maintenance intervals, there may be severe operational disruption if that data is lost or compromised and suitable backups are not available. If the data lost is personal information of employees, the company may be exposed to investigations and potential fines by regulators (in the case of the UK, by the Information Commissioner's Office).
In short, the consequences of a hack can be severe, and sometimes fatal, to an organisation. So how can an organisation mitigate its vulnerability to an attack, and how should it respond when one occurs?
Firstly, take appropriate steps to ensure that networks and infrastructure are protected against internal and external attacks and that such attacks (or the threat of them) can be detected as soon as possible.
Secondly, carry out a risk assessment of existing processes, procedures and supply contracts to identify valuable assets that need to be protected, the potential threats and the impact on the business if those assets were compromised. Can particularly sensitive data be ring-fenced and afforded increased levels of security against cyber-threat? Is data overseas and therefore more exposed to an attack?
Have an incident management strategy in place. It is imperative to plan ahead and establish a cyber-response team including internal and external personnel (e.g. PR representatives, forensic investigators and lawyers).
The ICO reported that 93% of incidents it investigated in Q4 of 2014-2015 were caused by human error. Educate and train employees on cyber security risks and policies for keeping assets secure. The FACC incident reportedly came about through a spear-phishing email. How confident are you that you would be able to recognise such an email and respond appropriately?
Preventing an attack is preferable to dealing with the consequences. However, should a data breach occur, these steps should be taken:
• Make quick decisions on who to notify and how to manage the media upon detection of an attack.
• A hacker may still be inside an organisation's system following news of an attack. Appropriate measures need to be in place to contain the attack, proportionate to the nature of the attack and the type of business in question. Can this be done without "tipping off" the hacker?
• Involve an internal or external legal team to investigate the hack and advise on whether notification to a regulator (such as the ICO) is required. Involving lawyers will best ensure communications are protected from subsequent disclosure in potential legal proceedings.
• Inform third parties – consider whether this is necessary and, if so, the timing of any notifications. If a criminal offence has been committed (as was the case for FACC), the matter may need to be reported to the police, and you may need to seek legal advice on the best way to do this. Any cyber risk insurers will require prompt notification to ensure the policy is triggered.
• If an attack results in the release of personal information, you may need to consider whether to notify the individuals affected, and/or regulatory bodies such as the ICO. Such communications require careful consideration regarding their form and content to minimise the risk of legal proceedings being brought against an organisation.
• Learn from your mistakes. If regulators are involved, an attack will most likely be followed by an investigation, which will usually facilitate remediation and review. Regulators may require you to give undertakings; these are open to negotiation to a certain extent, so consider what you can offer. Be aware of other possible legal consequences, such as the payment of fines for regulatory liability and/or compensation payments following legal proceedings.
Cyber-attacks on companies in the aerospace industry are not new. Organisations should presume that numerous security systems have been challenged whilst this article has been read. Some will have been successful, others not. At an organisational level, cyber security should certainly be placed on the board's agenda before an attack occurs, not as a result of one.
Michael Stocks is a Legal Director and Helen Bryce is an associate at international law firm Bird & Bird.