Is There a Light at the End of the Tunnel? The Outlook for Cybersecurity Insurance and Transit in 2024

The last few years have brought a significant increase in the number and scale of cybersecurity attacks against companies of all sizes, including public transit agencies. January 2024 had a record number of attacks—the second highest number of attacks for a month ever and 130 percent more than last January. The latest Mineta Transportation Institute (MTI) perspective, Is There a Light at the End of the Tunnel? The Outlook for Cybersecurity Insurance and Transit in 2024, examines the changes in the cyber risk landscape, the responses of the insurance market and public agencies to these changes, and provides recommendations for how the different segments of the market can continue to help manage the risk of catastrophic loss.

This perspective explores issues related to cyber risks and posits that:

• Cybersecurity attacks and threats to United States critical infrastructure are a major concern as they can have significant economic, national security, and public safety implications.
• The global transit industry has experienced a 186 percent year-over-year increase in weekly ransomware attacks since June 2020. In North America, attacks have occurred on transit agencies in California, Colorado, Kansas, New York, Texas, Washington, and multiple cities in Canada just in the past few years.
• Along with the growth in cyberattacks, there has been a corresponding rise of cyber insurance claims, and cybersecurity insurance underwriting practices are adapting. These changes also increase costs to cover lost business, detection and escalation, post-breach response, and notification expenses.

The perspective also includes recommendations for this evolving cyber threat environment. The authors posit that, “Public transportation agencies that are not currently taking cybersecurity risks seriously must invest in understanding their exposure and take action to build more resilient cybersecurity programs. This means they must recognize cyber risk as part of their overall enterprise risk management. Fortunately, funds and services are available to help.” The authors continue to explain that, at this time, discretionary grant programs have cybersecurity requirements while formula grant programs do not. Thus, “Having requirements on both would encourage smaller agencies to adopt cybersecurity programs.”

The volume of cyberattacks is increasing, and the number of successful attacks and the average cost to recover from them has increased as well. Insurance is adapting. Every operator interviewed for this study indicated their coverage costs increased between 100 and 200 percent after 2020. Transit agencies can benefit from a deeper understanding of the threat landscape, its costs to the industry, and how best to approach security in the digital age.

ABOUT THE MINETA TRANSPORTATION INSTITUTE

At the Mineta Transportation Institute (MTI) at San Jose State University (SJSU) our mission is to increase mobility for all by improving the safety, efficiency, accessibility, and convenience of our nations’ transportation system. Through research, education, workforce development and technology transfer, we help create a connected world. Founded in 1991, MTI is a university transportation center funded by the US Department of Transportation, the California Department of Transportation, and public and private grants, including those made available by the Road Repair and Accountability Act of 2017 (SB1). MTI is affiliated with SJSU’s Lucas College and Graduate School of Business.

ABOUT THE AUTHORS

Scott Belcher is a Mineta Transportation Institute Research Associate; Co-Founder of Cybrbase, LLC; and the Chief Executive of SFB Consulting, LLC. Todd Chollet is a Risk Advisor and Cyber Practice Leader at Sunstar Insurance Group.

Media Contact: