Avoiding Risk

Advancements in technology have made the transportation industry more vulnerable to cyberattacks.

By Adam Cottini

In October 2017, Sweden’s train transportation network was the victim of a distributed denial of service (DDoS) cyberattack. The attack led to a failure of the IT system that monitors train locations as well the organization’s email system.

Just six months later, Danske Statsbaner, a large Danish train operation company, suffered another DDoS attack, with a hack that led to passengers being unable to buy tickets through the company’s app or at ticket machines.

The events in Sweden demonstrate on a small scale the damages and disruption that a cyberattack can have upon the transportation industry. From over-the-road trucking and moving and storage companies to rail transport organizations, advancements in transportation technology the past two decades have delivered marked improvements in areas such as planning, tracking, route optimization and driver safety.

Yet, the same technological factors that have created great advancements in the industry, have also brought greater exposure to cyberattacks. According to Cisco’s 2017 Security Capabilities Benchmark Study, transportation is the third most vulnerable industry to a cyberattack, only trailing the healthcare and pharmaceutical sectors.

While transportation has always faced the threat of attacks, whether from financially motivated piracy to politically driven acts of vandalism and destruction, those acts had required a physical proximity to the transportation system.

Although interconnected systems, such as navigation or shipment routing, have proven invaluable to the growth and modernization of the transportation industry, those same improvements have opened the door to a new form of attacker; criminals who are adept at using malware, ransomware and outright hacking measures to disrupt transportation systems from anywhere in the world.

Infrastructure At Risk

In a connected, critical infrastructure environment, these attacks are perpetrated on vulnerable operational technology (OT), such as industrial control systems and items within the Internet of Things (IoT).

The vulnerabilities in an OT system can leave critical infrastructure in the transportation sector at risk for business interruption, destruction of data, bodily injury, property damage and invasion of privacy.

While it seems that most in the transportation industry understand the real possibility of loss from cyberattacks, many downplay the chances of an actual attack happening to their own business. Yet, the reality is, cyber hackers do not have to specifically target a company to cause damage, as most cyber incidents are the result of human error.

According to a 2017 NetDiligence Cyber Claims Study, 39 percent of cyberattacks are caused by either staff mistakes, a lost or stolen device, rogue employees, or paper records that are lost or stolen. Only 27 percent of all attacks are directly due to hackers.

Furthermore, the mythology surrounding cybercrimes is that they are perpetrated by elite hackers using ultra-sophisticated tools. However, the truth is that most intrusions or attacks involve basic human deception and software tools that are widely available on the Internet.

For example, as reported by Verizon’s 2017 Data Breach Investigations Report, 81 percent of hacking-related breaches leveraged either stolen and or/weak passwords. It is imperative that the organizations educate their employees about different methods and approaches that hackers use to prey upon basic human appeals.

Often, cyberattacks in the media are focused on large companies like Home Depot. Yet, 43 percent of cyberattacks target small and medium-sized businesses, according to Symantec. While larger organizations may be able to recover from an attack, cyber incidents can be crippling to smaller businesses, as the National Cyber Security Alliance found that 60 percent of small businesses are out of business within six months of a breach.

Businesses often struggle in the aftermath of cyberattacks because of the sheer cost of data breaches. According to The Ponemon Institute’s 2017 Cost of Data Breach Study: Global Review, it costs $141 U.S. dollars per record stolen when accounting for response costs, defense and damages. In sum, the average total cost per breach for an average company is $3.62 million.

All of these numbers and statistics lead to the same conclusion: it is essential that organizations have cyber insurance in place. While network security and privacy losses related to viruses, hacking, digital defamation and intellectual property infringement are becoming commonplace, it is unlikely that new risks are covered under existing insurance policies.

New coverage examples include Network Security Liability, which provides coverage in the event an insured’s computer system fails to prevent a security breach or a privacy breach. There is also Cyber Extortion, which provides protection in the event that payments are made to a party as a result of a threat to breach or the actual breach of an insured’s computer system. Business Interruption is also essential, as it provides first-party loss for lost income stemming from an interruption to a computer system as a result of a failure of security or a system failure.

It is imperative for transportation organizations to have cyber insurance, as any breach of a businesses’ confidential systems can damage a company’s reputation in addition to financial costs. Furthermore, the financial repercussions of a breach often extend far beyond direct impacts.

For example, beyond the cost of business interruption, cyberattacks can evolve into litigation resulting from further impacts on suppliers or customers.

Understanding the consequences of a cyber event and which insurance policy will adequately provide coverage is the future of cyber insurance risk management. As transportation companies are often targets, it is essential that organizations perform a gap analysis in order to understand their individual risks. In a world that continues to evolve as the result of technological advancements, being protected from a cyber risk standpoint is critical.

Adam Cottini is area vice president for Arthur J. Gallagher Risk Management Services Inc. He manages a diverse book of professional liability accounts consisting of Directors & Officers Liability, Employment Practices, Fiduciary Liability, Professional Errors & Omissions, Cyber Risk and Media Liability.