From airlines to healthcare, cyber events have exposed vulnerabilities across critical infrastructure. Whether the incident is a targeted cyberattack or non-malicious, network disruption can lead to costly business interruptions and even life-threatening consequences.
The following Q&A explores top transportation and infrastructure cyber risks, the strength of an integrated solution to become cyber resilient, and how to leverage AI to improve cyber risk awareness. I also offer advice for wholesale brokers placing cyber risks in this challenging sector.
Question: What are the major cyber risks for transportation and infrastructure?
Answer: The transportation industry and infrastructure are particularly susceptible to cyber events that disrupt travel and business operations.
Not only are malicious cyber incidents a concern, but the potential for non-malicious disruption is even greater. Several major airlines in the past few years experienced network outages that weren't caused by attacks but software errors, including the CrowdStrike outage of 2024 that had an outsized impact on the transportation industry. Outages have led to hundreds or even thousands of flight cancellations, stranded travelers, and cost the airlines a lot of passenger revenue.
Increasingly, cyber exposures of third-party vendors are becoming a serious vulnerability for transportation and related sectors. For wholesale and retail brokers, cyber risk management requires a close look at not just first-party exposures but also those in clients' supply chains.
Question: How is AI impacting critical infrastructure cyber exposures?
Answer: Artificial intelligence is a double-edged sword on cyber risk. On one edge, AI can be a powerful tool to detect system anomalies and improve cybersecurity. On the other, AI has made it easier for threat actors to launch business email compromise and social engineering exploits or even craft malware. Generative AI can create convincing, but fraudulent, versions of faces and voices of people that victims believe they know and can trust.
To mitigate cyber exposures in critical infrastructure, organizations must harness AI's defensive capabilities and use it to improve cyber risk awareness. Training employees to spot phishing and other social engineering tactics, and exercise good cyber hygiene, is a smart move. It can strengthen front-line defenses in critical infrastructure and all industries.
While training humans to defeat phishing attempts, critical infrastructure providers can also help mitigate a cyber event by focusing on hardening the controls in their operational technology (OT) infrastructure. For example, segmenting the IT and OT networks and enforcing MFA for remote access could reduce the attack surface for critical infrastructure dramatically.
Question: What role can insurance play in mitigating these risks?
Answer: Many of the organizations that are part of critical infrastructure. For example, transportation, healthcare, financial services, food and agriculture, energy are in the private sector. Others are government entities. For both the public and private sector, cyber insurance can play a critical role in mitigating cyber risks and providing a source of recovery against material losses. For example, electricity generators working with cyber-focused providers can obtain affirmative coverage for failures to supply as well as North American Electric Reliability Corporation (NERC) fines, penalties, and spot market pricing.
Insurance offers a strong incentive to modify risky behaviors, through the cost of premiums and self-insured retentions. If a policyholder knows it's going to incur more cost, it's more likely to want to avoid that, if it can, through risk controls.
Above and beyond the cost factors, cyber insurance provides valuable risk mitigation services that can enhance cybersecurity. That combination of cybersecurity and insurance, ideally delivered together in an integrated way, is a powerful risk management tool for critical infrastructure and it can play a crucial role in making those sectors cyber resilient.
Question: How can the cyber-insurance industry be more proactive on infrastructure risks?
Answer: Infrastructure risks by their nature create interdependencies, and the consequences of those risks for the businesses and communities they serve can be enormous. Imagine a network outage that hits multiple hospitals in an urban area, knocking their electronic medical record and financial systems offline. While those systems are down, medical providers cannot access patient data to make care decisions, which might be life-threatening. Also of serious concern is the hospitals' inability to log data and bill for services. Even if the outage only lasted a day, the cost in lives and dollars could be immense.
The cyber insurance industry can help protect infrastructure from risks like these. A proactive way to do that is improve engagement on cyber risks with clients in the infrastructure sectors, understand the critical vulnerabilities and interdependencies, and apply strong risk management and business continuity planning. The ultimate goal here should be to help infrastructure risks become resilient, and that takes a collaborative effort.
Question: What advice do you have for wholesale brokers placing these cyber risks for clients?
Answer: Wholesale specialists play an important role in securing coverage for challenging risks, and cyber is certainly among those. Wholesalers therefore should strive to stay up to date on cyber risk trends and how the insurance marketplace is responding, or is slow to respond, to those trends. Discuss coverage options with cyber underwriters before a retailer urgently needs help at renewal. That would be highly recommended for all wholesalers. Maintain strong relationships with underwriters and gain clarity on the nuances of cyber policies' insuring agreements. Those things are really important, especially as new entrants come into the market. Wholesalers can provide even more value to their retail clients by knowing what differentiates cyber insurers.
Michael Manzo is senior vice president of Underwriting, Critical Infrastructure, at Resilience.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.