File #: 2023-0384
Type: Program
Status: Passed
File created: 5/22/2023
In control: Finance, Budget and Audit Committee
On agenda: 7/19/2023
Final action: 7/27/2023
Title: AUTHORIZE the Chief Executive Officer to negotiate and purchase a cybersecurity liability insurance policy with up to $50 million in limits at a cost not to exceed $4 million for the 12-month period effective September 1, 2023, to September 1, 2024.
Sponsors: Finance, Budget and Audit Committee
Indexes: Budget, Budgeting, Expo Line Operating Project (Project), Federal Transit Administration, General Overhead (Project), Insurance, Los Angeles Union Station, Maintenance practices, Metro Rail A Line, Metro Rail B Line, Metro Rail C Line, Metro Rail E Line, Operations and Maintenance, Operations Maintenance (Project), Operations Transportation (Project), Owned Property (Project), Policy, Program, Project management, Purchasing, Rail Operations - Blue Line (Project), Rail Operations - Green Line (Project), Rail Operations - Red Line (Project), Rail Operations Control Center, Rail Operations-Crenshaw Line (Project), Safety and security, Security, Station operations, Supervisory Control And Data Acquisition, Union Station Property Management (Project)
Attachments: 1. Attachment A - Coverage Options and Premiums, 2. Attachment B - Coverage Description
Related files: 2023-0608


FINANCE, BUDGET, AND AUDIT COMMITTEE

JULY 19, 2023

 

SUBJECT: CYBERSECURITY LIABILITY INSURANCE PROGRAM

 

ACTION: APPROVE RECOMMENDATION

 

RECOMMENDATION

AUTHORIZE the Chief Executive Officer to negotiate and purchase a cybersecurity liability insurance policy with up to $50 million in limits at a cost not to exceed $4 million for the 12-month period effective September 1, 2023, to September 1, 2024.

 

ISSUE

 

Metro’s cybersecurity liability insurance policy expires on September 1, 2023. Insurance underwriters will not commit to final pricing until three weeks before the current program expires. Consequently, staff requests a not-to-exceed amount for this renewal pending final pricing. Metro purchases an insurance policy to cover cybersecurity liability exposures. Cybersecurity is the practice of protecting systems and electronic data against criminal or unauthorized use. These exposures include but are not limited to:

 

- Unavailability of IT systems and networks
- Physical asset damage and associated loss of use
- Loss or deletion of data
- Data corruption or loss of data integrity
- Data breach leading to compromise of third-party confidential/personal data
- Cyber espionage resulting in the release of confidential/sensitive information
- Extortion demands to cease a cyber-attack
- Direct financial loss due to theft
- Damage to reputation
- Bodily injury/property damage to third parties

 

Without this insurance, Metro is subject to unlimited liability for claims resulting from a cyber-attack or data breach event. 

 

BACKGROUND

 

FY23 was the first year Metro purchased cybersecurity liability coverage, at a cost of $2,663,634.73. For the first renewal, Metro’s insurance broker, USI Insurance Services (“USI”), was requested to market Metro’s cybersecurity liability insurance program to qualified insurance carriers. Through its partnership with Howden, a London broker, USI has received quotes from the incumbent carrier, which has A.M. Best ratings indicative of acceptable financial soundness and ability to pay claims. The premium indications below are based on current market expectations. The quotes expire on September 1, 2023.

 

USI provides a not-to-exceed number that serves three functions. First, the number provides an amount to cover the recommended premium and contingency that Risk Management can bring to the CEO and Board to obtain approval for the binding of the program. Second, the number allows our broker ample time to continue negotiating with underwriters to ensure Metro obtains the most competitive pricing.  And third, the not-to-exceed amount allows Metro to secure the quoted premium during the board cycle process prior to quote expiration.

 

DISCUSSION

 

Public entities are increasingly coming under cyber-attacks. A robust cybersecurity insurance program could help reduce the number of successful cyber-attacks and financial risks associated with doing business online by 1) promoting the adoption of preventative measures in return for more coverage; and 2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.

 

The cyber insurance market has matured somewhat, with increased discipline in underwriting and reduced deployment of capacity where controls and security protocols are perceived to be ineffective at adapting to security threats. Clients that have implemented stronger cybersecurity measures and can demonstrate strong protocols throughout their systems will see a more mature market with softer price hikes.

 

There have been changes in the regulatory environment around cybersecurity, specifically for public transit organizations. In February of 2023, the Federal Transit Administration (FTA) published a cybersecurity assessment tool for transit agencies to help guide them in identifying and mitigating risk. FTA continues to guide cybersecurity activities and supports the U.S. Department of Homeland Security (DHS) in promoting enhanced security for transit agencies. Additionally, as a condition under 49 U.S.C. 5323(v), rail transit operators must certify that they have a process to develop, maintain, and execute a plan for identifying and reducing cybersecurity risks. The general guidance is built around the National Institute of Standards and Technology (NIST) Cyber Security Framework. With Metro’s vast network of third-party service providers, this is a major exposure area that needs to be continually monitored.

 

Multiple questionnaires and interviews are required by Metro’s information security and Supervisory Control and Data Acquisition (SCADA) team’s experts on the systems and network controls. A proposal of coverage for cybersecurity liability insurance based on the findings and the insurance carrier’s knowledge of Metro’s internal controls is provided. The proposed program, from carrier BRIT Re, a Lloyd’s of London consortium, provides up to $50 million in excess coverage on a claims-made basis with a $10 million self-insured retention (SIR). Attachment A summarizes the premium options, and Attachment B summarizes the coverages. Risk Management and Information Technology Services (ITS) team members reviewed the proposal and agree that the proposed coverage will help mitigate Metro’s financial and reputational risks should the agency experience a cyber-attack event.

 

DETERMINATION OF SAFETY IMPACT

 

Approval of this recommendation to purchase a cybersecurity liability insurance policy will not directly impact the safety of Metro's patrons or employees. The policy will limit Metro’s liability for claims resulting from a cyber-attack or data breach event. Additionally, the policy will aid in Metro’s recovery and moderate financial losses as well as harm to Metro’s reputation resulting from cyber events and incidents.

 

FINANCIAL IMPACT

 

Funding for ten months, or $3,333,333, for this action is included in the FY24 Budget in cost center 0531, Risk Management  -- Non-Departmental Costs, under projects 100001 - General Overhead, 300022 - Rail Operations - Blue Line, 300033 - Rail Operations - Green Line, 300044 - Rail Operations - Red Line, 300066 - Rail Operations - Expo Line, 300077 - Crenshaw Line, 301012 - Metro Orange Line, 306001 - Operations Transportation, 306002 - Operations Maintenance, 320011 - Union Station and 610061 - Owned Property in account 50699 (Ins Prem For Other Ins). Additional funding to cover premium costs beyond FY24 budgeted amounts will be addressed by fund reallocations during the year.

 

The remaining two months of premium will be requested during the FY25 Budget development cycle, cost center 0531, Risk Management -- Non-Departmental Costs, under projects 100001 - General Overhead, 300022 - Rail Operations - Blue Line, 300033 - Rail Operations - Green Line, 300044 - Rail Operations - Red Line, 300066 - Rail Operations - Expo Line, 300077 - Crenshaw Line, 301012 - Metro Orange Line, 306001 - Operations Transportation, 306002 - Operations Maintenance, 320011 - Union Station and 610061 - Owned Property in account 50699 (Ins Prem For Other Ins).

 

Impact to Budget

 

The current fiscal year funding for this action will come from the Enterprise, General, and Internal Service funds, paralleling funding for the actual benefiting projects charged.  These funds are eligible for bus and rail operating and capital expenses.

 

EQUITY PLATFORM

 

The proposed action supports Metro’s ability to safely serve the communities and customers who rely on Metro’s transportation services and assets by providing insurance coverage that will allow Metro to more quickly resume operations in the event of a cybersecurity breach.

 

IMPLEMENTATION OF STRATEGIC PLAN GOALS

 

The recommendation supports strategic plan goal # 5 “Provide responsive, accountable, and trustworthy governance within the LA Metro organization.”  The responsible administration of Metro’s risk management programs includes the use of insurance to mitigate large financial risks resulting from cybersecurity events.

 

ALTERNATIVES CONSIDERED

 

Various limits of coverage were considered, as outlined in Attachment A for the cybersecurity liability insurance program. All options include a SIR of $10 million for the same program. Option A, Metro’s current limit, provides $50 million in coverage, Option B provides $75 million, and Option C provides $100 million in coverage.

 

Option A is recommended as the best value option while retaining a reasonable amount of risk over the coverage limit.

 

NEXT STEPS

 

Upon Board approval of this action, staff will advise USI to proceed with the placement of the cybersecurity liability insurance program outlined herein, effective September 1, 2023.

 

ATTACHMENTS

 

Attachment A - Coverage Options and Premiums

 

Attachment B - Coverage Description

 

 

Prepared by: Claudia Castillo del Muro, Executive Officer, Risk Management, (213) 922-4518

 

Kenneth Hernandez, Deputy Chief Risk, Safety, and Asset Management Officer, (213) 922-2990

 

Bryan Sastokas, Deputy Chief Information Technology Officer, (213) 922-5510

 

 

Reviewed by: Gina L. Osborn, Chief Safety Officer, (213) 922-3055