Heathrow, Dublin, Brussels and other European airports are still experiencing substantial delays after a cyber attack over the weekend. A “cyber-related incident” at Collins Aerospace, the third-party provider behind a widely used check-in and bag-drop platform, forced airports and airlines onto manual workarounds and exposed how concentrated vendor dependencies can paralyse multiple hubs at once. For the insurance market, the outage was a real-world stress test of cyber wordings, contingent business interruption, and supplier contracts that often cap recoveries precisely where losses aggregate.
The operational picture was messy rather than catastrophic. Heathrow said “work continues to resolve and recover from Friday’s outage of a Collins Aerospace airline system that impacted check-in,” adding: “We apologise to those who have faced delays, but by working together with airlines, the vast majority of flights have continued to operate.” Brussels Airport described “difficult airport operations” and stated: “As a result of a cyber-attack on the external service provider of the check-in and boarding systems, check-in operations at several European airports, including Brussels airport, are heavily disrupted.”
Berlin’s Brandenburg Airport acknowledged the same root cause and told passengers: “Due to a systems outage at a service provider, there are longer waiting times… Please use online check-in, self-service check-in and the fast bag drop service.”
Collins’s parent, RTX, told the BBC it was “aware of a cyber-related disruption” at “select airports” and was working to restore service.
Numbers tell the rest of the story: cancellations in the dozens, delays in the hundreds, and queues thickened by handwritten tags and staff redeployments. The incident will lift more than tempers. It will lift loss adjusters’ eyebrows at the precise phrasing of cyber triggers, the scope of dependent-business cover, and the interaction between airlines’ and airports’ first-party policies and a technology vendor’s liability tower.
For carriers and airport operators, the natural backstop is stand-alone cyber insurance with business interruption (BI) and contingent or “dependent” BI. Whether that responds turns on details that feel lawyerly until the day they don’t: does the policy require a “network security failure” (usually a malicious event) or the broader “system failure” trigger (which can catch outages without proven attack)? Are key suppliers named on a schedule, or are they captured only by an unnamed-dependency grant with a modest sublimit and longer waiting period? Did the insured shut systems down as a precaution, and if so does the wording buy back voluntary shutdown? These are not academic distinctions when the event spans multiple terminals and several countries.
Attention will also turn to cyber war and state-actor exclusions, which have evolved quickly and unevenly. If attribution to a hostile state is alleged, insureds can find themselves litigating causation and intent just to reach an indemnity starting line. That prospect alone pushes many buyers to diversify triggers—pairing “network security failure” with “system failure” and seeking explicit carve-outs that prevent attribution debates from becoming a claims veto. Where airports host multiple airlines on shared desks, the aggregation problem multiplies: one software outage can cascade across a day’s wave schedule and then across an alliance’s network.
If first-party covers are the front end of the claims chain, technology errors & omissions (E&O) and cyber liability sit at the back. Airlines and airports that look to the vendor for recovery will confront master service agreements designed to cap exposure—often at a fixed amount or a multiple of fees—and to exclude categories like consequential loss. Even where negligence is alleged, caps may hold, with carve-outs only for wilful misconduct or gross negligence. The vendor’s own E&O and cyber programmes are finite towers against a potentially multinational customer set. Aggregation language, claim-series clauses and eroding defence costs matter as much as nominal limits.
Passengers occupy a different legal lane. Under EU261/UK261, a targeted third-party cyberattack is commonly classed as an extraordinary circumstance, which can defeat compensation claims even as airlines remain responsible for “duty of care” expenses such as meals and hotels. Those costs tend to be operational unless a cyber form’s “extra expense” provisions are robust. Many travellers will instead rely on their own travel insurance or card benefits, and while some of those insurers may eye subrogation, contractual caps upstream make recoveries a long shot.
Reinsurers will examine the event definition and its footprint. If multiple airports and airlines are affected by the same software failure, is this one occurrence or many? How will “interrelated acts” and “series of incidents” language be read across quota share and excess layers? Clash potential is real: a cyber BI claim can coexist with aviation liability (think tarmac incidents or baggage-handling injuries during manual workarounds) and even with D&O exposures if disclosures around operational resilience are challenged. For market participants who built towers from heterogeneous wordings over successive renewals, coverage gaps often emerge not from intent but from inconsistency.
For an industry that measures punctuality in minutes and margins in basis points, a weekend of handwritten bag tags is hardly the end of the world. But it is a glimpse of one. Heathrow, Brussels and Berlin found workarounds; Dublin spoke of a “Europe-wide technical issue”; RTX promised restoration “as quickly as possible.”
The insurance market’s task is to turn that ad-hoc resilience into something contractual and capital-aware: clearer triggers, better mapped dependencies, and supplier agreements that recognise a simple reality. When a shared platform stalls, it is not one customer’s bad day; it is everyone’s exposure, all at once.
