Growing cyber risk for the rail industry

11 January 2018

There is no lack of general commentary on this topic but solutions are highly bespoke. Our key recommendation would be to ensure you keep your risks constantly under review and you fully understand your cyber cover gap analysis.

  • Has your risk exposure changed?
  • Even if your operational procedures haven’t changed, has the financial exposure increased?
  • What insurance cover do you have?
  • What cover do you actually need?

Railways grew up in the industrial revolution and still rely heavily on physical assets and mechanical technology. Whilst many companies in the communications, technology and media sector now value cyber cover as strategically important as traditional fire and perils cover, most rail operators continue with conventional insurance programmes. This may continue to be the most appropriate solution, but with a fast-evolving risk like cyber it requires ongoing attention.

Business interruption

The rail industry has stations, tracks and rolling stock. To help these traditional assets work more efficiently, big innovations are coming through technology. With the rollout of the European Train Control System (ETCS) standard signalling we are seeing movement from solid state interlocking systems to in-cab signalling. We are also seeing a higher dependency on computers to automatically set train paths and clearances. Even where there are safety mechanisms to physically prevent trains colliding, a system failure could cause massive disruption. One example of disruption would be if busy routes had to operate temporarily with a degraded manual system. Behind the scenes, infrastructure operators can now organise their repair and maintenance regimes around electronically recorded track geometry data, again an area where the dependency moves from man to machine.

The risks range from unintentional error or system failure, through malicious acts by disgruntled employees and freelance hackers, to terrorist or state-sponsored cyber-attacks. Disrupting a major transportation network will always be a prime target for cyber attackers.

Data breach

Passenger service operators hold large volumes of passenger data. Even if billing information is outsourced to a third party supplier, the operator is still likely to hold significant amounts of personal data which is subject to Data Protection legislation.

This is where rail operators, many of whom physically operate within national boundaries, extend their risk exposure on a global basis.

There are countless stories where organisations have had their customer accounts raided by hackers. In Europe, the regulatory legal regime will become significantly more challenging from May 2018 with the introduction of the General Data Protection Regulation (GDPR). The cap on regulatory fines has been significantly increased, in the UK from GBP 500,000 to 4% of global turnover or EUR 20 million (whichever is the higher figure). The GDPR also imposes a compulsory obligation to notify data subjects within 72 hours, or “without undue delay” where the breach presents a high risk of harm to those affected.

What insurance do you have?

There is an ongoing disconnect between how insureds view cyber risks and how insurers wish to provide (or exclude) coverage. Insureds see risks as first party (damage to property and business interruption) and third party (claims and actions by other parties). They have insurance policies for both. The insurance market prefers to deal with cyber as a stand-alone risk. In reality there is a mix between the two. Some policyholders have quite generous cover extensions under their property and liability policies, whereas others have had exclusions imposed over recent years which severely restrict cover.

Whether this is resolved by the see-saw tipping in the insureds’ or insurers’ favour remains to be seen. If the situation remains ‘some good, some bad, some indifferent’, then the onus is upon the insureds to understand their risk and seek the best solution available from the market.

What cover do you need?

The starting point is to understand what risks you are exposed to, the mitigations in force (physical protections, back-ups, business continuity plans and contractual remedies) and the potential cost. In cyberspace the answers are probably more elusive than evaluating the costs of a more traditional peril such as a premises fire. Traditional risks don’t have a tendency to “go viral”. Nevertheless, cyber risk is a consequence of doing business in the modern world. A disciplined approach engaging with commercial, operational, legal and IT functions of the business can provide some answers. Where appropriate you can involve external consultants to assist.

Armed with knowledge of what your catastrophe cyber exposures are you can stress test how your insurance policies would respond. If they fall short, there are options to negotiate extensions with your property & casualty insurers or consider a specific cyber insurance product.

A recent positive development has been the announcement by Pool Re to extend its scheme to include cyber terrorism. Precise details have yet to be published, but the intent is to include material damage and business interruption flowing from an event at the insured’s premises. Pool Re won’t cover intangible assets such as money or data, and the scheme is geographically restricted to Great Britain.

For further information, please contact Ian Thompson, Head of JLT's Global Rail Practice on +44 (0)20 7558 3497 or email ian_thompson@jltgroup.com
