1

Cyber Risk and Insurance for Transportation Infrastructure Gina Tonna*, Jay P. Kesanb, Linfeng Zhangb, Jeffrey Czajkowskia aWharton Risk Management and Decision Processes Center, University of Pennsylvania 3819 Chestnut Street, Suite 130, Philadelphia, PA 19104

bUniversity of Illinois, Urbana-Champaign, IL 504 East Pennsylvania Ave., Champaign, IL 61820 *Corresponding author: gtonn@wharton.upenn.edu, 1.215.746.0473 Acknowledgments Support for this research was provided by the Critical Infrastructure Resilience Institute (CIRI). The authors would like to thank the infrastructure managers and insurers who provided valuable insights for this research via their participation in interviews. Abstract While advances in information technology and interconnectivity have improved efficiency for transportation infrastructure, they have also created increased risk associated with cyber systems. This study includes both an analysis of cyber incident data for transportation systems and a series of interviews with transportation infrastructure managers and insurers. The objective is to inform transportation policy and management by identifying barriers to a robust cyber insurance market and improved cyber resilience for transportation infrastructure. Results indicate that the annual number of cyber incidents and associated costs are on the rise. The most common incidents involve data breach, while incidents involving unintentional data disclosure have the highest average loss per incident. Cyber risk assessment, mitigation measures, and insurance are being implemented to varying degrees in transportation infrastructure systems but are generally lacking. Infrastructure managers do not currently have the tools to rigorously assess and manage cyber risk. Limited data and models also inhibit the accurate modeling of cyber risk for insurance purposes. Even after improved tools and modeling are developed, residual cyber risk will be significant, and insurance purchase can be an important risk management strategy to allow transportation infrastructure systems to recover from cyber incidents. Keywords: cyber insurance; cybersecurity; transportation infrastructure

2

1. Introduction Transportation systems support the movement of people and goods within a defined region and include the combination of vehicles, infrastructure, and operations that enable these movements (Cox et al. 2011). The U.S. transportation network includes aviation, roads and bridges, inland waterways, ports, rail, and transit. These transportation systems are vital to the U.S. economy and way of life, and disruptions can have short-term and long-term socio-economic impacts. Information technology and interconnectivity have improved efficiency and functionality for transportation infrastructure. However, they have also brought increased risk associated with cyber systems that are now essential for safe and continuous operation of transportation systems (Ezell et al. 2013). According to the US Department of Homeland Security, there are more than 60 US critical infrastructure entities for which damage associated with a single cyber entity could potentially result in $50 billion in economic damages, 2,500 immediate deaths, or a severe impact to US national defense (deSmidt and Botzen 2018). Cyber risks are increasing, and cyber related losses are growing as new technologies are implemented and reliance on them increases. Thus, it is likely that full cybersecurity for transportation infrastructure is not achievable solely by technological improvements. Therefore, in addition to attempting to prevent attacks and lower cyber risk, transportation managers should also prepare financially for inevitable losses through self-insurance and insurance (Toregas and Zahn 2014). Cyber insurance is currently available, but limited, and expansion of cyber insurance coverage is needed to manage the growing risk. In this study, we aim to identify barriers and opportunities for a robust cyber insurance market and improved cyber resilience for transportation infrastructure. Section 2 provides background on general cyber risk and insurance as well as cyber risk specific to transportation infrastructure. Section 3 describes methods and data. Section 4 provides insights from analysis of cyber incident data for transportation systems. Section 5 describes the current state of cyber insurance for transportation infrastructure based on the findings from interviews with insurers and infrastructure managers. Section 6 concludes and presents recommendations for future research.

2. Background 2.1 Overview of general cyber risk and insurance Cyber losses can be associated with liability from a customer data breach, property damage or theft (e.g., accidents caused by compromise of signaling systems), data damage (e.g., hacking maritime cargo management systems), loss of income due to outages and failure, website defacement, and cyber extortion (Bandyopadhya et al. 2009). Cyber attackers can be hackers, criminal organizations and thieves, state-sponsored attackers and spies, other companies or organizations, terrorists, malicious insiders, and contractors (Pate-Cornell et al. 2017, Clark and Hakin 2017). There are four main layers of cyber systems, each of which are at risk for cyber-attack. The first is the perceptual layer, which links cyber and physical systems through components like wireless sensors and GPS. The second layer involves network systems which transmit information (e.g. satellite networks and the internet mobile communication network). The third includes support systems such as cloud computing and intelligent computing, and the fourth is the application layer

3

which links users and the physical world with cyber systems (e.g. intelligent transportation and environmental monitoring) (Nogal and O’Connor 2017). Given the variety of possible cyber losses, there are also a variety of approaches to mitigating these losses. Approaches can include design methods which improve system architecture and activities or operational methods that involve changes to business operations (Nogal and O’Connor 2017, Gisladottir et al. 2017). Other approaches to managing cyber risk include countermeasures like security software, system design and operations improvements, and investments in the cyber workforce. Protective measures like firewalls, software encryption, virus detection, and system compartmentalization are also used to reduce cyber risk. Security benefits of these protective measures must be balanced against associated costs and productivity losses. Institutional measures for managing cyber risk can be structural (software and hardware), procedural (management and operation of systems), and responsive (response and damage management after an incident is detected) (Pate-Cornell et al. 2017). 2017 was possibly the worst year for cyber-attacks to date, with three significant events changing the cyber risk landscape. In May 2017, the WannaCry ransomware attack created global impacts including significant effects on the UK Health System. In June 2017, the NotPetya virus was launched in Ukraine and spread to many parts of the world, resulting in over $1 billion in economic damage. In August 2017, a breach at the Equifax consumer credit agency created a market cap loss exceeding $5 billion (Marsh & McLennan 2018). Marsh & McLennan predicts the situation to worsen and identified two emerging trends. The first is attacks on industrial control systems, with the potential for cyber-attacks to result in physical damage. The second is a tightening of cyber security laws as attacks grow more severe. The extensive nature of cyber-attacks in 2017 emphasizes that sufficient cyber risk management cannot be achieved solely through information technology management that attempts to mitigate the risk. A further way to deal with the residual cyber risk is to transfer the risk through insurance. As cyber risks increase, heightened concern among executives over liability associated with customer data breach as well as financial and operational effects of cyber risks will likely drive changes in cyber insurance purchases and in the cyber insurance market with policies that reflect the expanding nature of cyber-attacks (Aon 2018). For example, on the demand side, businesses will likely turn to more tailored enterprise cyber insurance policies, whereas on the supply side insurers will likely limit the cyber loss coverage of traditional property, casualty, and other business policies (Aon 2018). While cyber risk ranks high in risk surveys for potential insurance purchasers, penetration rates are still relatively low (Maynard and Ng 2017). A survey by the Council of Insurance Agents & Brokers (CIAB 2018) puts take-up rates at approximately 32%. Buyers lack understanding of cyber risk and coverage and there is a lack of standardization of terms and conditions in the cyber insurance market (Maynard and Ng 2017). Existing cyber risk insurance coverage often includes security and privacy liability, remediation, network business interruption, and legal and regulatory fines and penalties and is primarily designed to cover losses associated with a data breach. New or future products could address more holistic coverage for operations, system failures, business interruption, extortion, and supply chain disruption (Aon 2015, Bandyopadhya et al. 2009, Maynard and Ng 2017). And even today, cyber policies are generally very client-specific and

4

negotiated on a case-by-case basis. In addition to the transfer of risk to willing partners, benefits of cyber insurance include incentivization of investment in IT security, and a boost in overall IT security, because as cyber insurance increases, best practices and standards spread through the economy (Toregas and Zahn 2014, Kesan et al. 2004, Marotta et al. 2017). Furthermore, in some cases, insurers require certain security measure as a condition of insurance (Franke 2017). The cyber insurance market is growing in the U.S. in conjunction with the rising number and cost of data breaches. As of 2015, the U.S. cyber insurance market had $2-$2.5 billion of gross written premium, and this is expected to grow to $20 billion or more by 2025 (Franke 2017). However, 40% of companies surveyed by insurance broker Aon did not assess cyber risk or assessed only by “gut feel” (Aon 2015). Unlike terrorism risk, cyber risk has the potential for a thorough data set to support a robust insurance market. However, the cyber insurance market is relatively new and not yet mature. How to set premiums is a key question for the development of a more mature cyber insurance market. Setting premiums is particularly challenging for cyber risk due to lack of actuarial data from past events and lack of normative standards (Toregas and Zahn 2014). Some cyber risks may not be quantifiable, and therefore are not insurable. The ability to model cyber risk is currently limited but will improve substantially as more data is accumulated and shared. Additionally, cyber insurance products lack clear loss triggers and objective determination of loss severity (Aon 2015). Beyond the issues surrounding the quantification of risk, conceptual issues exist around correlated risk and lack of re-insurance. Also, traditional insurance market issues apply to cyber insurance, including moral hazard and adverse selection caused by information asymmetry (Toregas and Zahn 2014, Young et al. 2016). For example, there is a moral hazard associated with companies that may not feel the need to improve cyber security if they are insured (Toregas and Zahn 2014). Other cyber insurance challenges include a lack of legal framework, with uncertainty in liability and lack of cyber standards. All-told, cyber insurance hasn’t fully taken off yet due to these issues, and market inexperience leads to conservative pricing (Bandyopadhya 2009). However, Aon estimates that by 2025, cyber will be a major line of business for insurers (Aon 2015).

2.2 Cyber risks to transportation infrastructure

The various modes of the U.S. transportation system act as a system of systems locally, regionally, and nationally. Transportation infrastructure consists of three main components: hard infrastructure, vehicles, and operations components. Network infrastructure and components are a key part of the hard infrastructure (Nogal and O’Connor 2017). Growing concerns about cyber risks to transportation infrastructure have led to a call for the U.S. government to establish an entity analogous to the National Transportation Safety Board (NTSB) to investigate cyber-attacks (Shackelford and Brady 2018). In this study, we are focused on three primary types of transportation infrastructure: aviation, rail and transit, and marine. U.S. aviation infrastructure includes aircraft, air traffic control systems, about 450 commercial airports, and 19,000 additional air transportation facilities for movement of people and cargo (Pesch-Cronin and Manon 2017). Rail and transit systems operate locally and nationally and include a variety of modes of transportation including trains, buses, subways, trolleys, and the systems that support passenger and cargo transport. U.S. freight rail includes over

5

140,000 miles of active railroad and 1.3 million freight cars, with over 12,000 trains operating daily (Pesch-Cronin and Manon 2017). Marine transportation includes cargo transport and cruise ship passenger transport. Components include ports, ships, and control systems. IT systems are used to manage the movement of vehicles and to control vehicular traffic. They are also vital to the management, identification, and tracking of passengers and cargo throughout the system. Transportation infrastructure is subject to cyber dependency, where its state is dependent on information transmitted through information infrastructure. This information infrastructure is used to manage the flow of vehicles and goods, and the reliance on information technology and communications infrastructure makes transportation infrastructure particularly susceptible to cyber-attacks (Rinaldi et al. 2001, Frydenlund et al. 2016). Cyber-attacks can affect the power grid, sea port operations, air traffic control, and other components and services of transportation infrastructure. A cyber-attack on global positioning systems could significantly impact many infrastructure sectors, including transportation infrastructure (Pate-Cornell et al. 2017). Cyber risk is significant and growing in the aviation industry, with 85% of airline CEOs expressing concern about cyber risk (PwC 2016). Airlines are at risk for theft of customer or company data, but also for their communications and connectivity systems to be compromised. Managing aviation cyber risk requires efforts from airlines, manufacturers, maintenance providers, air traffic controllers, airports, and third-party suppliers. Cybersecurity measures can include threat intelligence, identity and access management, data protection and encryption, application security, and security awareness (PwC 2016). Cyber systems are used in rail transport for communications-based automatic train control. Cyber components include wireless communication and control systems, both of which can be subject to cyber-attacks (Chen et al. 2014). Cybersecurity measures are needed to reduce the risk of data loss and to ensure steady and stable rail operations. Previous rail related cyber incidents include a 2008 derailment of tram trains in Poland via an adapted TV remote, a two-day shutdown of train service in the northwest U.S. in 2011 due to remote computer attacks, and a 2016 ransomware attack on the San Francisco Bay Area Rapid Transit (BART) ticketing machines which disrupted public transit (Masson and Gransart 2017). Cyber incidents impacting marine transportation can involve navigation, cargo control, and other industrial processes, threatening lives, the environment, and property, and disrupting trade activity (Clark and Hakin 2017). Marine cyber disruptions can impact control of temperature for refrigerated containers and emergency systems. Port operations such as raising a drawbridge, controlling traffic lights, scheduling trucks, and controlling pumps, valves, and pipelines for delivery of fuel and liquid cargo to ships can be impacted. There are two factors increasing marine cyber risk: increasing control of computer systems and increasing networking of computers with each other and the internet (Clark and Hakin 2017). One example of a cyber-marine incident involved malware impacting a dynamic positioning system used in the offshore oil industry for precise navigation control. Malware on a crew member’s smart-phone which was plugged into an electronic chart system deleted or corrupted all charts, causing a two-day delay. In another incident, organized crime exploited a European container terminal’s tracking system for cargo, allowing for use of the system in drug smuggling (Clark and Hakin 2017). A survey by the Global Maritime Forum (2018) regarding issues facing the maritime industry ranks cyber-attacks and data

6

theft highest in likelihood, lowest in industry preparedness, and third in impact. In light of increasing risk, the International Maritime Organization (IMO) issued high level guidelines on maritime cyber risk management in 2017.

3 Methods and Data 3.1 Cyber incident data and analysis methods

One approach we use to understand and gain insight into cyber risk in the transportation infrastructure industry is to study historical cyber incidents collectively. The incident data is provided by Advisen, a leading insurance data provider, which collects and organizes a wide variety of corporate loss data, including cyber losses1. Advisen employs a team of analysts actively collecting cyber incident data from multiple sources including public sources such as news media, governmental and regulatory sources such as state data breach notification sites, and third-party vendors. While the Advisen dataset is used for our study, we have also examined other data sources. For example, the VERIS Community Database (VCDB)2,3 is the second largest cyber incident database that we are aware of with around 8,000 recorded incidents. Because it is a voluntary reporting repository, a majority of its data comes from the healthcare sector, which is one of the business sectors with the strictest cyber incident reporting requirements under the regulation of HIPAA (Health Insurance Portability and Accountability Act). In comparison, Advisen’s active data collecting process and diverse information channels mitigate some of such bias issues by having more incidents from other industries included, and meanwhile effectively enlarge the dataset size, which exceeds 40,000 records at the time of writing this article. Each Advisen record has over 60 attributes, comprehensively covering the most important aspects of an incident, including:

• Information about the victim company • Case characteristics including affected asset, case type, etc. • A timeline marking different stages during the development of this incident • Outcomes including loss types and loss amounts

With the victim company information, we can tell which industry each company operates in by its NAICS (North American Industry Classification System) code. To match the scope of this study, which primarily consists of aviation, rail and transit, and marine transportation infrastructures, we distinguish companies in the transportation infrastructure industry from companies in other industries, and we define the transportation infrastructure industry as a collection of sub-industries based on their 6-digit NAICS codes. By selecting the cyber incidents that correspond to these NAICS codes, we obtain a sample of 284 records from the dataset4.

1 More information is available at: https://www.advisenltd.com/ 2 VERIS stands for Vocabulary for Event Recording and Incident Sharing. More information about this framework is available at: http://veriscommunity.net/index.html 3 The database is available at: https://github.com/vz-risk/VCDB 4 With regards to the cyber incident number, the Transportation and Warehousing sector is ranked 13th among all 20 NAICS sectors, representing a relatively small group. The top 4 sectors are Finance, Healthcare, Public Administration and Information, which are of greater interest to cyber criminals and contribute more than half of the incidents in the entire dataset.

7

In this study, we consider not only risks associated with potential malicious actions, such as hacking or phishing, but also risks arising from data handling procedures, such as privacy violations during data collection or disclosure. Table 1 describes the cyber incident types included in our analysis. The right column shows the coding of 15 cyber incident types (possible values of variable CASE_TYPE) adopted in the original dataset5, and incidents of the same type have similar causes (Advisen 2015). However, it is impractical and unnecessary to segregate all these different types of incidents in a sample with limited number of observations (Romanosky 2016). In order to reduce the number of categories, we put these 15 incident types into 6 higher-level groups based on their eventual losses. A cyber incident can simultaneously result in multiple types of losses, such as loss of physical assets, loss of data, and third-party liabilities from lawsuits, and we denote the composition of different types of loss as a loss pattern. Many incident types have distinct loss patterns. For example, cyber extortion incidents usually lead to financial losses such as response costs and ransomware payments only, whereas privacy-related incidents not only cause financial losses such as response costs, but also often trigger administrative fines and penalties. From the insurance perspective, loss pattern is an important characteristic of cyber incidents, because it determines how the losses will be reimbursed. Therefore, we use clustering methods, such as k-means and hierarchical clustering, to group together the incident types that have similar loss patterns and get the following 6 high-level categories of cyber incidents.6 Some incidents have unknown causes, and are removed from our sample, reducing the number of observations from 284 to 273.

Table 1: Cyber Incident Types

Privacy violation Privacy - Unauthorized Contact or Disclosure Privacy - Unauthorized Data Collection

Disruption Industrial Controls & Operations

Denial of Service (DDOS)/System Disruption Network/Website Disruption Industrial Controls & Operations

Fraud/Extortion

Cyber Extortion Digital Breach/Identity Theft Identity - Fraudulent Use/Account Access Phishing, Spoofing, Social Engineering Skimming, Physical Tampering

Data breach Data - Malicious Breach Data - Physically Lost or Stolen

IT error IT - Configuration/Implementation Errors IT - Processing Errors

Unintentional data disclosure Data - Unintentional Disclosure This dataset has several limitations, even though it is so far the most comprehensive source of cyber incident information. First, only a small fraction of all cyber incident data is collectable. As

5 There are 16 case types in the dataset. “Undetermined/Other” is excluded here because incidents in this category are lacking in information and do not necessarily have common characteristics. 6 The categorization method is described in detail in the working paper: Kesan, Jay P. and Zhang, Linfeng, Bridging Causes and Outcomes of Cyber Incidents (August 22, 2018). Available at SSRN: https://ssrn.com/abstract=3237057

8

pointed out by Romanosky (2016), for a cyber incident data point to be eventually generated, the incident has to be detected, publicly disclosed and noticed by observers like Advisen. Each step in this process can filter out a number of incidents. Some cyber incidents are extremely difficult to detect. For example, it often takes months or even years for a victim company to discover a data breach (Ponemon Institute 2018). In addition, companies are reluctant to report incidents if not required by regulation, and some incidents may be too small to be revealed by news media. This suggests that there are incidents not visible to the public, and the collected sample possibly leans towards incidents which are reportable and severe, such as data breaches and major security breaches. According to two independent studies conducted by the Online Trust Alliance (2017) and Barclays-IoD (2016), reported incidents are estimated to represent only around 30%7 of all cyber incidents. Regulation also plays a key role in the visibility of cyber incidents. According to the UK’s Information Commissioner’s Office8, a General Data Protection Regulation (GDPR) enforcer, the monthly reported number of data breaches experienced a fourfold increase after the enforcement of GDPR, which sets a stricter rule on incident reporting. This inconsistency caused by regulation, in terms of reported incident numbers, exists in our sample as well. Figure 1 shows a clear cut-off between year 2004 and 2006 regarding annual incident numbers, because security breach notification laws were enacted in many U.S. states in the early 2000s (34 states by 2006) requiring organizations to disclose data breach incidents with customer information involved. As a result of these laws, incident data started to become more abundant.

7 The estimations given by these two studies are 33% and 28% respectively. 8 More information is available at: https://ico.org.uk/

9

Figure 1: Annual Recorded Cyber Incidents in the Transportation Infrastructure Industry

Moreover, aside from the filtering effect of this data collection process, there is also a time interval between the occurrence of an incident and its entry into the dataset. This lag makes the incident numbers in recent years even more inaccurate. By examining variables of the accident date (ACCIDENT_DATE) and the data entry date (CREATION_DATE) in our sample, we find that it takes around 2.7 years on average for an incident to be added to the dataset. Therefore, at the time of acquiring this dataset, which is March 2017, many incidents taking place in 2015 and after may have not been collected yet, which explains the significant decline in incident number in 2015. Considering these possible biases in our sample, we find it most appropriate to use data only from 2006 to 2014. The final sample contains 186 observations. We acquire additional data from the US Census Bureau9 to provide some background information on the industry. The data includes numbers of firms in the transportation infrastructure industry according census surveys from 200710 and 201211. Along with the cyber incident data, we study the cyber risk within the transportation infrastructure industry by recognizing major trends in cyber incidents in terms of frequency and severity and identifying the key threats to this industry. 3.2 Interviews with transportation infrastructure managers and insurers To provide an industry informed view of cyber risk and insurance in the transportation industry, discussions were undertaken with insurers and transportation infrastructure managers. Researchers having expertise in resilience of air transport infrastructure and cyber resilience for infrastructure systems were also included. The purpose of the insurer interviews was to gain insight from insurers on current cyber insurance offerings along with barriers to expanded offerings and hindrances to cyber insurance demand. Interviews with infrastructure managers were undertaken to gain insight into current cyber risk management tactics, cyber risk perception, and insurance uptake in transportation infrastructure systems. Our approach is similar to that of Franke (2017) wherein a small number of key players in the Swedish cyber insurance market were interviewed to develop a picture of the cyber insurance market in Sweden. Table 2 describes the roles and transportation focus areas of the interviewees. Identifying insurers and infrastructure managers willing to candidly discuss cyber risk and insurance was a challenge. Thus, the number of interviewees is limited. However, on the insurance side, interviewees included representatives from insurance,

9 More information is available at: https://www.census.gov/ 10 Link to the 2007 dataset: https://www2.census.gov/programs-surveys/susb/tables/2007/us_6digitnaics_empl_2007.xls 11 Link to the 2012 dataset: https://www2.census.gov/programs-surveys/susb/tables/2012/us_6digitnaics_2012.xls

0

10

20

30

40

50

10

reinsurance, and insurance brokerage. On the infrastructure side, interviewees represented transit, maritime port, airport, and rail infrastructure. While the total number of interviews was small, the interviewees provide a view of cyber risk across the transportation infrastructure and insurance industries.

Table 2: Summary of Interviewees

Title(s) of Interviewees Transportation Areas Head of corporate insurance partners, reinsurance Various Manager of Transportation Services, insurance broker

Maritime

Vice President – Risk Consulting Maritime Sr. Director, Enterprise CAT strategy Sr. Vice President Catastrophe Risk

Various

Strategy and Sustainability planner Director of strategic planning and analyses Project Manager – Resilience Office of the General Counsel

Transit (rail, subway, trolley, bus)

Sr. Manager of Risk Management Port (maritime and airport) Environmental Engineer Director of Risk Management Port (maritime and airport) Director of Risk Management Rail Sr. Program Officer Sr. Program Office

Air transport

Assistant Professor Air transport The interviews focused broadly on risk and insurance for transportation infrastructure systems, but cyber risk and insurance were included prominently in each discussion. Topics of discussion included specific concerns about cyber risk, modeling and management of cyber risk, and cyber insurance. Insurers discussed their current cyber insurance offerings and research needs to enable a more robust cyber insurance market. Infrastructure managers discussed their perceptions of cyber risks as they pertain to their infrastructure systems, cyber risk mitigation measures, and if or how their system is insured against cyber risks. Both insurers and infrastructure managers suggested research needs and other advances that they expect would enhance infrastructure cyber resilience and insurance. The discussions were informal, semi-structured interviews conducted in conjunction with broad conversations on infrastructure resilience and insurance. While a specific script was not followed, a set of questions were used as a guideline for the discussion. Cyber risk and insurance questions for infrastructure managers were as follows (Tonn et al. 2018):

• Do you insure against all types of hazards including cyber? Do you purchase separate plans for separate hazards?

• What is the current role of network security in your resilience plans?

Specific cyber risk and insurance questions for insurers included the following:

11

• What is the process to measure risks due to cyber threats caused by exploitation of known vulnerabilities in any specific technology or web-based communication?

• Is there a good understanding of the impacts of cyber-attacks on transportation infrastructure (operation/services delay, passenger injury, damages to freight, data theft)?

• Does cyber risk management in transportation systems follow specific guidelines? • Are insurance policies differentiated based on the vulnerability of different

organizations’ cyber systems? • What are the processes or incentives for organizations to address known threats

and prevent repeat exploitation of vulnerabilities? • How do the cybersecurity practices of transportation entities compare to the

practices of policy holders in other sectors?

4 Analysis of cyber incident data for transportation infrastructure 4.1 Cyber incident data analysis

As discussed in Section 2.1, risk assessment data is a key limitation to the current state of cyber insurance for transportation infrastructure. However, some data on transportation-related cyber incidents is available, and we analyzed it to gain a better understanding of the number and types of transportation related cyber incidents, as well as the costs of these incidents. Cyber risk is dynamic and evolves over time (Eling and Wirfs 2018), and our analysis highlights this evolution.

Figure 2: Cyber Incident Number and Affected Company Number over time

As mentioned previously, our sample contains 186 incidents from the transportation infrastructure industry from 2006 to 2014. Figure 2 illustrates the number of incidents per year, the number of affected companies, and the number of incidents per company over this period. From 2006 to 2014, both the incident numbers and numbers of affected companies in the transportation infrastructure industry are growing. To see if such growth in number of affected companies is driven by the increase in number of companies in this industry, so that the likelihood of a company

0

0.5

1

1.5

2

2.5

05

1015202530354045

2006 2007 2008 2009 2010 2011 2012 2013 2014

Number of Incidents Number of Affected Companies

Incident/Company Linear (Incident/Company)

12

experiencing at least one cyber incident in a year roughly remains the same, we have examined Statistics of U.S. Businesses (SUSB) Annual Datasets in years 2007 and 2012 from the US Census Bureau. From the datasets, we find that the total number of companies in the transportation infrastructure industry has declined from 158,888 in 2007 to 152,963 in 2012 at an average rate of -0.76% per year, while the annual number of companies affected by cyber incidents has experienced a 42% growth from 12 to 17 during this period. This indicates that the growth in number of affected companies is truly driven by the spread of cyber risk. This suggests a growing likelihood that companies in this industry will experience a cyber incident. In spite of such spread of cyber risk within the entire industry, individual companies are less likely to be hit by more than one incident in a year, suggested by the decreasing incident/company ratio over the past years. By looking at how the loss amount evolves over time (Figure 3), we find that the yearly average loss resulting from a single cyber incident in the transportation industry is typically around $1 million and has been slowly increasing in recent years. The maximum loss caused by a single incident increases over time at a much faster pace, which means that although most of the losses are still quite small, in the case of extreme events, the losses suffered by victim companies are becoming more unbearable. If this trend continues, companies will have to consider transferring some of the risk to other parties since retaining the risk is getting costlier and less efficient, and one way of doing so is through cyber insurance. This points to an increase in demand for cyber insurance in the transportation infrastructure industry.

Figure 3: Average Losses and Maximum Losses by Year

Cyber risk can lead to a variety of incident types, as illustrated on Figure 4. In the transportation infrastructure industry, the most common incident type is data breach, which is the leak of confidential information caused by malicious actors or loss of data storage devices such as hard drives and printed records. Figure 5 shows that most data breach events involve the breach of personal financial identities (PFI) and personally identifiable information (PII) belonging to employees and customers. Servers, a major source of breach representing the support layer of a cyber system, are essentially hackable devices that host valuable information. Attackers can remotely exploit the vulnerabilities within them and gain unauthorized access to the hosted information. Hence, it is critical for companies to implement adequate electronic access controls and patch vulnerabilities frequently (NIST 2018). There are also many data breaches resulting from physically lost or stolen data storage units. For example, in 2017, the Houston Airport System was investigated for selling used equipment containing confidential information, because the hard drives installed in these computers were not properly removed (KHOU 2017). Thus, in addition to

0

2

4

6

8

2006 2007 2008 2009 2010 2011 2012 2013 2014

$ M

illio

ns

Max of Losses Average of Losses Linear (Max of Losses) Linear (Average of Losses)

13

electronic access controls, physical device management is also important. Data breaches make up 45.7% (85/186) of all incidents, and they result in an average loss of $0.33 million per incident. Privacy-related incidents also have a very high occurrence frequency. These incidents involve contacting, collecting data from, and distributing information of clients without permission, and they account for 23.1% (43/186) of the incidents with an average loss of $1.54 million per incident. Among all the incident types, unintentional disclosure of data has the highest average loss at $3.17 million per incident. Incidents in this category typically result from a company not complying with information disclosure regulations. For example, the costliest cyber incident in this industry was caused by an airline company disclosing customers’ credit card information on receipts in an inappropriate way which violated the Fair and Accurate Credit Transactions Act (FACTA) amendment to the Fair Credit Reporting Act (FCRA). This incident cost the company $7.5 million to settle the complaint (Acker 2015). Both privacy violations and unintentional data disclosures take place at the perceptual layer and application layer of a cyber system, which allow the system to interact with the environment and clients. As suggested by Suo et al. (2012), these risks can be mitigated by implementing privacy protection and promoting security education and management. Cyber fraud and extortion are incidents wherein attackers trick victims into transferring money to fraudulent recipients, such as phishing scams, or coerce them into paying ransom in order to recover compromised data or systems. For example, in 2016, Yellow Cab of Los Angeles was hit by a ransomware attack and lost access to its primary phone lines (Dave 2016). On top of the ransom that the company was asked to pay to resume its normal operation, there was also a business interruption cost for failing to fulfill customer requests. Like most malicious data breaches, attackers exploit vulnerabilities to get into cyber systems, but instead of stealing information, they make data systems unavailable to the owner until ransom is paid. By controlling the support layer, attackers can thereby manipulate other layers as well. In the Yellow Cab ransomware incident, the attackers disabled the application layer and caused the entire cyber system to malfunction. Moreover, in some cases, attackers do not recover the encrypted data or locked systems as promised after they receive the payment, and this further leads to the disruption of information technology systems and/or industrial control systems (O'Gorman and McDonald 2012). Therefore, beyond improving cybersecurity, backup plans are vital to reducing business interruption costs in these types of incidents. Information Technology (IT) errors occur when companies make configuration changes to infrastructure or implement new systems. Usually they are the result of inadequate planning or preparation. For example, San Francisco Bay Area Rapid Transit (BART) experienced a computer glitch in 2013 after an infrastructure upgrade, and the communication between servers was affected. This incident caused its services to be shut down for hours (Wildermuth and Fagan 2013). In this incident, the network layer was impacted. However, IT errors can also take place at other layers to influence the performance of a cyber system.

14

Figure 4: Frequency and Severity by Incident Type

Figure 5: Type of Data Breach and Source of Breach

Our analysis of historical data suggest that both the incident frequency and the potential loss severity of cyber incidents are on the rise in the transportation infrastructure sector. Companies are more likely to be hit by at least one cyber incident in a year, and the maximum amount of loss is continuously increasing. The limitations of data make it difficult for us to construct more precise models for prediction other than pointing out these overall trends in a descriptive way. Nevertheless, we can still learn from individual incidents about specific risks and how they should be addressed. 5 Cyber risk, perception, and insurance for transportation infrastructure

Infrastructure managers and insurers were asked about cyber risk and insurance in informal, semi-structured interviews about risk and insurance for transportation infrastructure. Infrastructure

0 0.5 1 1.5 2 2.5 3 3.5

0 10 20 30 40 50 60 70 80 90

DisruptionIT Error

Fraud/ExtortionUnintentional Data Disclosure

Privacy ViolationData Breach

Average Loss Amount

$ Millions

Number of Incidents

Inci

dent

Typ

e

Incident Number Average Loss

0 5 10 15 20 25

Point of Sale (POS)CD-ROM

Thumb DriveDesktop

Hard Drive (portable)EmailTape

WebsitePrinted Records

LaptopServer

Printed RecordsHard Drive (portable)

LaptopServer

Website

PFI

PII

Number of Incidents

Type

of B

reac

hed

Data

&

Sour

ce o

f Bre

ach

15

managers expressed concern about cyber risk, and called out concerns about the uncertainty in the risk and the unknown component of the risk. Insurers are offering cyber insurance products, but noted that there are constraints on policy limits associated with the emerging and unknown nature of the risk. Models are in development to simulate and estimate cyber risk and potential damage, but until models are further developed, insurance is market-priced, and limits are constrained. Because cyber risk is still considered new and poorly understood, infrastructure managers desire cyber policies with a broad range of coverage including breach reporting expenses, forensic expenses, penalties for credit card issues, ransomware, and business interruption due to hacking---areas that may be difficult for insurers to currently provide coverage. At least 20 insurers currently sell cyber insurance, offering first-party coverage for losses directly incurred and third-party coverage for liabilities of others and for issues such as damage to others’ IT systems and fines associated with data breaches of personal information. Just as insurance has played a role in the development of standards and codes for other insured risks (e.g. fire), insurers could promote standards and information sharing for cyber risk (Fauntleroy et al. 2015). Three infrastructure managers interviewed indicated that their systems are insured for cyber risk and one noted that they do not have cyber coverage. The three that had coverage noted that coverage is limited, and that they feel that available models of cyber risk are inaccurate. The infrastructure manager for the system that does not have coverage is currently assessing the need for cyber insurance. Insurers noted a number of concerns as they work to develop models of cyber risk and to broaden their cyber insurance offerings. These concerns include a lack of data which inhibits risk-based pricing, insufficient mitigation of risk by clients who hope that the government will address concerns outside of their reach, and the challenge of building a balanced portfolio in the area of cyber insurance. There are no geographical boundaries to cyber risk, so a single cyber event could have global impacts. A key challenge for cyber insurers is building up a diversified set of cyber insurance clients to provide a balanced portfolio of risks that are not highly correlated with respect to future disruptions. This balanced portfolio of risk is needed to position cyber risk as an insurable risk (Kesan and Hayes 2017). Pivotal cyber events could have far-reaching impacts, and insurance companies do not yet have a high enough confidence level to fully insure infrastructure systems against losses due to cyber risk. Both insurers and infrastructure managers that were interviewed expressed the need for improvements in the modeling of cyber risks. Data collection, sharing, and availability were noted as important components of modeling cyber risk. Due to the emerging nature of the risk, data is limited, and this hinders effective modeling of the risk. Lack of data sharing amongst utilities and insurers further compounds the issue of accumulating sufficient data to effectively model transportation cyber risk. In addition to the need for models and data, metrics are needed so that cyber risk can be effectively quantified and measured, and so that benefits of cyber risk reduction measures can be quantified. One insurer indicated that they are undertaking vulnerability modeling for cyber risk and are developing a plan with infrastructure managers for managing this risk. This insurer indicated that there tend to be many relatively easy or inexpensive improvements in cyber security that

16

infrastructure managers can be made aware of in the short-term before addressing issues that require complex models. As both infrastructure managers and insurers work to better understand and model cyber risk, these simpler improvements in cyber security can lower risk while more comprehensive measures are identified and evaluated.

As is prevalent with other types of risks, infrastructure managers interviewed exhibited differing perceptions and somewhat biased views of cyber risk. Understanding and addressing these varied perceptions and views is needed to encourage a robust cyber insurance market. A study by deSmidt and Botzen (2018) found that awareness about cyber risk and perceived probability of cyber incidents is high, but expected impacts of a cyber incident are often underestimated. This potentially impacts the uptake of cyber insurance. Further study on the role of behavioral biases in the management of cyber risk, including the purchase of cyber insurance, is needed along with advancements in modeling, data, and metrics in order to facilitate a robust cyber insurance market for infrastructure systems. In Section 2.1, we highlighted a number of issues noted in the literature related to the difficulties of establishing a robust insurance market for cyber insurance. Our interviews provided further insight into these issues for the transportation infrastructure sector. Infrastructure managers noted that available cyber insurance coverage tends to be limited in scope and not as broad as the managers would like. Both insurers and infrastructure managers highlighted the challenges in modeling cyber risk including limitations in data availability and modeling methods. These challenges lead to difficulty for insurers in setting risk-based premiums. While those interviewed did not specifically discuss moral hazard and adverse selection issues, addressing those issues along with risk perception and behavioral biases are crucial in developing a robust cyber insurance market for transportation infrastructure. 6 Conclusions and Research Needs Air, rail, transit, and marine transportation infrastructure systems are all subject to a variety of cyber risks that have the potential to impact system operations and data privacy. Cyber incidents cause disruptions to transportation infrastructure systems and threaten the security of system and customer data. A review of transportation related cyber incident data indicates that the annual number of cyber incidents and associated losses are on the rise. The most common incidents involve data breach, while incidents involving unintentional data disclosure have the highest average loss per incident. Cyber risk assessment, mitigation measures, and insurance are being implemented to varying degrees in transportation infrastructure systems, but are generally lacking. Infrastructure managers do not currently have the tools to rigorously assess and manage cyber risk. Likewise, limited data and models inhibit the accurate modeling of cyber risk that insurance companies need to offer wider coverage and risk-based rates. Even after improved tools and modeling are developed, residual cyber risk will be significant, and insurance purchase is an important risk management strategy to allow transportation infrastructure systems to recover from cyber events. Further research into the nature and management of cyber risk is needed to support policies and management strategies that address this increasing risk to transportation systems.

17

We have identified four primary research needs to advance cyber risk assessment, mitigation, management, and insurance for transportation infrastructure systems. The first is the need for cyber incident data and models. The emerging nature of the risk means that historic cyber incident data is limited. The documentation and sharing of cyber incident data is needed to enable better characterization and modeling of the risk. Along with improvements in data documentation and availability, risk models are needed to enable infrastructure managers to understand and target sources of risk and to allow insurers to quantify and rate cyber risks to infrastructure systems. Secondly, cyber risk metrics are needed to encourage, incentivize, and quantify benefits associated with risk management strategies and mitigation measures. Metrics can assist with the quantification and tracking of risks, and when used as a regular evaluation tool can promote policies, practices, and decisions that enhance the resilience of infrastructure systems to cyber risks. Effective metrics should measure both operational and technical components of the infrastructure system as they pertain to cyber risk, and should also measure outcomes associated with infrastructure system performance during and after a cyber incident. There is significant literature suggesting that cognitive biases routinely result in the underestimation of risk exposure. The role of cyber risk perceptions and cognitive biases in decision-making about management of cyber risk for transportation infrastructure systems is another research need. Understanding perceived probabilities and impacts of cyber-attacks along with experiences and perceptions of mitigation measures and insurance needs can facilitate the design of strategies to overcome these biases and improve the preparedness of infrastructure organizations for cyber-attacks. Lastly, research is needed on cyber insurance for transportation infrastructure systems, to support new and more robust cyber insurance products that meet the evolving needs and demands of infrastructure systems. This research should draw from the previously mentioned research needs on metrics and modeling of cyber risk for insurance rating purposes and on cognitive biases and risk perceptions. Research can lead to creative insurance solutions to encourage the purchase of cyber insurance and the adoption of technically effective and cost-effective cyber risk mitigation strategies by transportation infrastructure managers. Our future research aims to address some of these research needs through further analysis of cyber loss data and a survey of cyber risk perceptions to be administered to corporate risk professionals. The frequency and severity of cyber loss data will be analyzed to lend insights into cyber risk management and insurance. The assessment of perceptions of cyber risk will expand upon the work of deSmidt and Botzen (2018) and the interviews performed in this study. This joint analysis of cyber loss data and cyber risk perceptions will allow for a comparison of subjective versus objective cyber risk. References Acker, J. V. (2015). Spirit Airlines Pays $7.5M To Settle FACTA Class Action. Retrieved from Law360: https://www.law360.com/articles/719400/spirit-airlines-pays-7-5m-to-settle-facta-class-action

18

Alvarez, M. (2016). Security Trends in the Transportation Industry. IBM Report. Available at: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03097USEN Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314(5799), 610-613. Aon. (2015). Global Insurance Market Opportunities – Insurance Risk Study. 10th edition. Available at: http://thoughtleadership.aonbenfield.com/Pages/Home.aspx?ReportYear=2015 Aon. (2018). 2018 Cybersecurity Predictions – A Shift to Managing Cyber as an Enterprise Risk. Available at: https://ir.aon.com/about-aon/investor-relations/investor-news/news-release-details/2018/Aons-Cybersecurity-2018-Predictions-Companies-Will-Make-Major-Enterprise-Wide-Changes-to-Address-Cyber-Risk/default.aspx Bandyopadhyay, T., Mookerjee, V.S., & Rao, R.C. (2009). Why IT managers don't go for cyber-insurance products. Communications of the ACM, 52(11), 68-73. Chen, B., Schmittner, C., Ma, Z., Temple, W. G., Dong, X., Jones, D. L., & Sanders, W. H. (2014). Security analysis of urban railway systems: the need for a cyber-physical perspective. In International Conference on Computer Safety, Reliability, and Security (pp. 277-290). Springer, Cham. Clark, R. M., & Hakim, S. (Eds.). (2016). Cyber-Physical Security: Protecting Critical Infrastructure at the State and Local Level (Vol. 3). Springer. Council of Insurance Agents & Brokers (2018). Cyber Insurance Market Watch Survey. July 2018. Accessed at: https://www.ciab.com/download/15077/ Cox, A., Prager, F., & Rose, A. (2011). Transportation security and the role of resilience: A foundation for operational metrics. Transport policy, 18(2), 307-317. Dave, P. (2016). L.A. Yellow Cab's phone lines tied up in hacker attack and ransom demanded, firm says. Los Angeles Times. Accessed on August 22, 2018 from http://www.latimes.com/business/technology/la-fi-tn-yellow-cab-cyberattack-20160226-story.html# deSmidt, G., and Botzen, W.J.W. (2018). Perceptions of Corporate Cyber Risks and Insurance Decision-Making. The Geneva Papers on Risk and Insurance – Issues and Practice, 43(2). Eling, M. and Wirfs, J. (2018). What are the actual costs of cyber risk events? European Journal of Operational Research, https://doi.org/10.1016/j.ejor.2018.07.021 Ezell, B. C., Robinson, R. M., Foytik, P., Jordan, C., & Flanagan, D. (2013). Cyber risk to transportation, industrial control systems, and traffic signal controllers. Environment Systems and Decisions, 33(4), 508-516.

19

Fauntleroy, J.C., Wagner, R.R., & Odell, L.A. (2015). Cyber Insurance-Managing Cyber Risk (No. IDA-NS-D-5481). Institute for Defense Analyses, Alexandria, VA. Franke, U. (2017). The cyber insurance market in Sweden. Computers & Security, 68, 130-144. Frydenlund, E., Collins, A.J., Jordan, C.A., Foytik, P.B., & Robinson, R.M. (2016). When the money runs dry: a system dynamics approach to critical infrastructure investment. In Proceedings of the 49th Annual Simulation Symposium (p. 8). Society for Computer Simulation International. Gisladottir, V., Ganin, A.A., Keisler, J.M., Kepner, J., & Linkov, I. (2017). Resilience of Cyber Systems with Over‐and Underregulation. Risk Analysis, 37(9), 1644-1651. Global Maritime Forum (2018). Global Maritime Issues Monitor. IoD (2016). Cyber Security: Underpinning the digital economy. Available at: https://www.iod.com/Portals/0/Badges/PDF's/News%20and%20Campaigns/Infrastructure/Cyber%20security%20underpinning%20the%20digital%20economy.pdf?ver=2016-04-14-101230-913 Kesan, J.P., Majuca, R.P., & Yurcik, W.J. (2004). The economic case for cyberinsurance. University of Illinois Law and Economics Working Papers. Kesan, J.P., & Hayes, C.M. (2017). Strengthening Cybersecurity with Cyberinsurance Markets and Better Risk Assessment. Minn. L. Rev., 102, 191. KHOU (2017). Used government computers bought at auction filled with personal information. KHOU. Accessed on August 22, 2018 from: https://www.khou.com/article/news/investigations/used-government-computers-bought-at-auction-filled-with-personal-information/396008520 Marotta, A., Martinelli, F., Nanni, S., Orlando, A., & Yautsiukhin, A. (2017). Cyber-insurance survey. Computer Science Review, 24, 35-61. Marsh & McLennon. (2018). Cyber: The Stakes have Changed for the C-Suite. Available at: https://www.marsh.com/us/insights/research/cyber-risk-the-stakes-have-changed-for-the-csuite.html Masson, É., & Gransart, C. (2017). Cyber Security for Railways–A Huge Challenge–Shift2Rail Perspective. In International Workshop on Communication Technologies for Vehicles (pp. 97-104). Springer, Cham. Maynard, T., and Ng, G. (2017). Counting the cost: Cyber exposure decoded. Lloyd’s Emerging Risks Report 2017. Available at: https://www.lloyds.com/news-and-risk-insight/risk-reports/library/technology/countingthecost

20

National Academies of Sciences, Engineering, and Medicine. (2016). Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. https://doi.org/10.17226/23520. NIST (2018). Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1. National Institute of Standards and Technology. Nogal, M., & O’Connor, A. (2017). Cyber-Transportation Resilience. Context and Methodological Framework. In Resilience and Risk (pp. 415-426). Springer, Dordrecht. O'Gorman, G., & McDonald, G. (2012). Ransomware: A growing menace. Symantec Corporation. Available at: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf OTA (2017). 2017 Cyber Incident & Breach Readiness Guide. Available at: https://otalliance.org/resources/cyber-incident-breach-response Paté‐Cornell, M., Kuypers, M., Smith, M., & Keller, P. (2017). Cyber Risk Management for Critical Infrastructure: A Risk Analysis Model and Three Case Studies. Risk Analysis. Pesch-Cronin, K.A., & Marion, N.E. (2017). Critical Infrastructure Protection, Risk Management, and Resilience: A Policy Perspective. Taylor & Francis Group. Ponemon Institute (2018). 2018 Cost of a Data Breach Study: Global Overview. IBM Security. Available at: https://www.ibm.com/security/data-breach PwC (2016). Aviation Perspectives, 2016 special report series: Cybersecurity and the airline industry. Available at: https://www.pwc.com/us/en/industries/industrial-products/library/airline-industry-perspectives-cybersecurity.html Rinaldi, S.M., Peerenboom, J.P., & Kelly, T.K. (2001). Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems, 21(6), 11-25. Romanosky, S. (2016). Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2016, 1–15. Sampigethaya, K., & Poovendran, R. (2013). Aviation cyber–physical systems: Foundations for future aircraft and air transport. Proceedings of the IEEE, 101(8), 1834-1855. Shackelford, S., & Brady, A. (2018). Is it Time for a National Cybersecurity Safety Board? Examining the Policy Implications and Political Pushback. Albany Law Journal of Science and Technology, 2018; Kelley School of Business Research Paper No. 18-34. Available at SSRN: https://ssrn.com/abstract=3100962

21

Suo H., Wan J., Zou C., & Liu J. (2012). Security in the internet of things: a review. In Computer science and electronics engineering (ICCSEE), 2012 international conference on (Vol. 3, pp 648–651). IEEE Tonn, G., Czajkowski, J., & Kunreuther, H. (2018). Improving U.S. Transportation Infrastructure Resilience through Insurance and Incentives. Wharton Risk Center Working Paper 2018-03. Toregas, C., & Zahn, N. (2014). Insurance for cyber attacks: The issue of setting premiums in context. George Washington University. Wildermuth. J., & Fagan, K. (2013). BART foul-up traced to botched computer upgrade. Accessed on August 22, 2018 from https://www.sfgate.com/bayarea/article/BART-foul-up-traced-to-botched-computer-upgrade-5001191.php Young, D., Lopez Jr, J., Rice, M., Ramsey, B., & McTasney, R. (2016). A framework for incorporating insurance in critical infrastructure cyber risk strategies. International Journal of Critical Infrastructure Protection, 14, 43-57.