Latest MTI report outlines changing pattern in transit cybersecurity risk and how to manage it

April 25, 2024
The report offers recommendations on cybersecurity risk management to transit providers, insurance companies, as well as the federal government.

The latest Mineta Transportation Institute (MTI) report examines the changes in the cyber risk landscape, the responses of the insurance market and public transit agencies to these changes and provides recommendations for how the different segments of the market can continue to help manage the risk of catastrophic loss.  

The report, Is There a Light at the End of the Tunnel? The Outlook for Cybersecurity Insurance and Transit in 2024, explores issues related to cyber risks and posits that: 

  • Cybersecurity attacks and threats to United States critical infrastructure are a major concern as they can have significant economic, national security and public safety implications. 
  • The transit industry has experienced a 186 percent year-over-year increase in weekly ransomware attacks since June 2020. In North America, attacks have occurred on transit agencies in California, Colorado, Kansas, New York, Texas, Washington and multiple cities in Canada just in the past few years. 
  • Along with the growth in cyberattacks, there has been a corresponding rise of cyber insurance claims and cybersecurity insurance underwriting practices are adapting. The changes also increase costs to cover lost business, detection and escalation, post-breach response and notification expenses. 

In the report, the authors, Scott Belcher, MTI research associate, co-founder of Cybrbase, LLC, and chief executive of SFB Consulting, LLC, and Todd Chollet, risk advisor and cyber practice leader at Sunstar Insurance Group, note, “Public transportation agencies that are not currently taking cybersecurity risks seriously must invest in understanding their exposure and take action to build more resilient cybersecurity programs. This means they must recognize cyber risk as part of their overall enterprise risk management. Fortunately, funds and services are available to help.”  

The authors continue to explain that, at this time, discretionary grant programs have cybersecurity requirements while formula grant programs do not. Thus, “Having requirements on both would encourage smaller agencies to adopt cybersecurity programs.” 

MTI says the volume of cyberattacks is increasing and the number of successful attacks and the average cost to recover from them has increased as well. Insurance is adapting. Every operator interviewed for the study indicated their coverage costs increased between 100 and 200 percent after 2020. The report concludes transit agencies can benefit from a deeper understanding of the threat landscape, its costs to the industry and how best to approach security in the digital age. 

According to MTI, while the volume of cyberattacks has increased exponentially, the bigger concern for most transit agencies is the number of successful attacks and the average cost to recover from them has increased as well. Many transit operators have taken steps to shore up their cyber resiliency while others continue to assume that they will not be targeted. Insurance companies have limited coverage, adjusted the cost of coverage, tightened underwriting, and even exited the market. Regulators have responded with increased education, resources and the imposition of basic cybersecurity requirements. 

The full report can be found here