Cyber Security Risks in Aviation Businesses Continued from page 17 Lange recommended completing a client intake checklist and suggested companies use a vendor that specializes in running global sanctions lists, such as the Department of Treasury’s Office of Foreign Assets Control (OFAC) and other watch lists. Once you have completed a client intake checklist, keep it up-to-date and be aware of situations as they change. For example, a client company might be a successful, well-known organization when they begin flying with you, but if newspapers start writing about that company’s likely bankruptcy, you might want to reconsider the terms of the business relationship so you do not become an unsecured creditor as part of a bankruptcy estate. Some charter operators believe traditional TSA secu- rity program watch list matching will identify any suspi- cious characters. In reality, those lists are not designed to identify all individuals with criminal histories or known activities related to fraud and financial crimes. Further, an individual on a global sanctions list might not be a passenger, but might be responsible for arrang- ing and/or paying for transportation. There are many government watch lists across differing government departments and agencies with potential impact based on your circumstances. Although a thorough review of potential clients, bro- kers, and other companies with which you choose to do business is recommended, even a simple Google search can save you a lot of hassle and heartache. Sullivan said, in general, trust your gut. His company was selling an aircraft, and after many contacts with a European prospective buyer, he was told the buyer would wire money to Chantilly Air. Then Chantilly Air would need to wire money to another entity for the pre- buy inspection. The interactions had been suspicious prior to this wire transfer request so Sullivan ended the interaction. He later discovered the prospective buyer was actually in Nigeria, not a European country, and was never a legitimate buyer. Sullivan does not accept email confirmations of wire transfers, either. “It is too easy for someone to doctor up an email sup- posedly confirming a wire transfer,” said Sullivan. “If we lose a last-minute charter because of this policy, we lose the charter, but we don’t fly until the money is actually in our account and we can verify it with our bank.” Preventing financial fraud begins with KYC— Know Your Customer Chantilly Air also uses a “positive pay” program with their bank to prevent check fraud. In the past, some- one copied the company check information and started writing checks against the company account. Now, the accounting staff sends the bank a complete list of checks written each day. When the bank receives a check against that account, it verifies the check is on the list provided by Chantilly Air, and if it is not, refuses to pay the check until contacting Chantilly Air for more information. Finally, Lange cautions that doing business with bad actors could result in bigger problems than financial losses. “Some things should scare a business owner or manager more than losing money,” added Lange. “Unknowingly transporting or otherwise doing busi- ness with nefarious individuals or entities is one of those things. The resulting investigations can be staggering, and unwitting criminal risk is a distinct possibility.” Look at your organization’s business profile, activities, and clients. What are your greatest cyber risks? Do you have policies and procedures in place to mitigate those risks? Use the recommendations in this article as a starting point in your organization’s discussions. Aviation Business Journal | Winter 2019/2020 19
