IAS 37 para 86, contingent liability in respect of cyber attack, disclosure as principal risk

International Consolidated Airlines Group, S.A. – Annual report – 31 December 2019

Industry: airline

31 Contingent liabilities and guarantees (extract)
Theft of customer data at British Airways
On September 6, 2018 British Airways announced the theft of certain of its customers’ personal data. Following an investigation into the theft, British Airways announced on October 25, 2018 that further personal data had potentially been compromised. On July 4, 2019, British Airways received a Notice of Intent from the Information Commissioner’s Office (ICO) in which it informed the airline of its intention to fine it approximately £183 million (€205 million) under the UK Data Protection Act.

British Airways made extensive representations to the ICO regarding the proposed fine and has complied with various further information requests. As part of its procedures, the ICO will seek the views of other EU data protection authorities. The ICO initially had six months from issuing the Notice of Intent to British Airways within which it could issue a penalty notice, which has been extended through to May 18, 2020, to allow the ICO to fully consider the representations and information provided by British Airways. If a penalty notice is issued, British Airways has 28 days within which to lodge an appeal with the First-tier Tribunal in the General Regulatory Chamber. A decision by the First-tier Tribunal may, with permission, be appealed to the Upper Tribunal. Any appeal of the Upper Tribunal decision would be to the Court of Appeal. It is British Airways’ intention to vigorously defend itself in this matter, including using all available appeal routes should they be required.

At December 31, 2019, and through to the date of these financial statements, no final penalty notice has been received from the ICO, although it reserves the right to issue such a notice on completion of its investigation. It has not been proven that British Airways failed to comply with its obligations under GDPR and the UK Data Protection Act. Should any final penalty notice be issued, and having regard to the representations made by British Airways, the Directors consider that it should be for a considerably lower amount than the initial Notice of Intent.

Strategic Report (extract)
Risk management and principal risk factors (extract)
Business and operational risks (extract)
The cyber threat environment remains challenging for all organisations including the airline industry. The Group continues to prioritise investment in the security controls framework, to mitigate and
control these risks.

Business and operational (extract)