The latest Mineta Transportation Institute (MTI) perspective, “Is There a Light at the End of the Tunnel? The Outlook for Cybersecurity Insurance and Transit in 2024,” examines the changes in the cyber risk landscape, the responses of the insurance market and public agencies to these changes, and provides recommendations for how the different segments of the market can continue to help manage the risk of catastrophic loss.

The last few years have brought a significant increase in the number and scale of cybersecurity attacks against companies of all sizes, including public transit agencies. January 2024 had a record number of attacks — the second highest number of attacks for a month ever and 130% more than last January.

MTI Report Findings

With the above in mind, MTI’s report explores issues related to cyber risks and posits that:

• Cybersecurity attacks and threats to U.S. critical infrastructure are a major concern as they can have significant economic, national security, and public safety implications.

• The global transit industry has experienced a 186% year-over-year increase in weekly ransomware attacks since June 2020. In North America, attacks have occurred on transit agencies in California, Colorado, Kansas, New York, Texas, Washington, and multiple cities in Canada just in the past few years.

• Along with the growth in cyberattacks, there has been a corresponding rise of cyber insurance claims, and cybersecurity insurance underwriting practices are adapting. These changes also increase costs to cover lost business, detection and escalation, post-breach response, and notification expenses.

Cyberattack Recommendations

The perspective also includes recommendations for this evolving cyber threat environment.

The authors posit that, “Public transportation agencies that are not currently taking cybersecurity risks seriously must invest in understanding their exposure and take action to build more resilient cybersecurity programs. This means they must recognize cyber risk as part of their overall enterprise risk management. Fortunately, funds and services are available to help.”

The authors continue to explain that, at this time, discretionary grant programs have cybersecurity requirements while formula grant programs do not. Thus, “Having requirements on both would encourage smaller agencies to adopt cybersecurity programs.”

The volume of cyberattacks is increasing, and the number of successful attacks and the average cost to recover from them has increased as well.

Every operator interviewed for this study indicated their coverage costs increased between 100% and 200% after 2020. Transit agencies can benefit from a deeper understanding of the threat landscape, its costs to the industry, and how best to approach security in the digital age, according to MTI.