Cyber risk and insurance for transportation infrastructure.

While advances in information technology and interconnectivity have improved efficiency for transportation infrastructure, they have also created higher risk associated with cyber systems. The objective of this study is to inform transportation policy and management in the U.S. by identifying barriers to a robust cyber insurance market and improved cyber resilience for transportation infrastructure. This is accomplished through a mixed-methods approach involving analysis of U.S. cyber incident data for transportation systems and a series of interviews with transportation infrastructure managers and insurers. Contributions include new insights into the nature of cyber risk for transportation infrastructure and recommendations on research needs to improve cyber risk management and insurance. Results indicate that the annual number of transport-related companies affected by cyber incidents and the associated costs are on the rise. The most common incidents involve data breaches, while incidents involving privacy violation have the highest average loss per incident. Cyber risk assessment, mitigation and security measures, and insurance are being implemented to varying degrees in transportation infrastructure systems but are generally inadequate. Infrastructure managers do not currently have the tools to rigorously assess and manage cyber risk. Limited data and models also inhibit the accurate modeling of cyber risk for insurance purposes. Even after improved tools and modeling are developed, insurance purchase can be an important risk management strategy to allow transportation infrastructure systems to recover from cyber incidents. • Annual number and cost of cyber incidents are on the rise for transportation systems. • The most common incidents involve data breach. • Unintentional data disclosure incidents have the highest average loss. • Cyber risk assessment, mitigation measures, and insurance are generally lacking. • Further research on cyber risk models, metrics, biases, and insurance is needed. [ABSTRACT FROM AUTHOR]