Meeting_Body
FINANCE, BUDGET, AND AUDIT COMMITTEE
JULY 17, 2025
Subject
SUBJECT: CYBERSECURITY LIABILITY INSURANCE PROGRAM
Action
ACTION: APPROVE RECOMMENDATION
Heading
RECOMMENDATION
Title
AUTHORIZE the Chief Executive Officer to negotiate and purchase a cybersecurity liability insurance policy with up to $50 million in limits at a not-to-exceed premium of $3.104 million for the 12-month period effective September 1, 2025, to September 1, 2026.
Issue
ISSUE
Metro’s cybersecurity liability insurance policy will expire on September 1, 2025. Insurance underwriters will not commit to final pricing until three weeks before the current program expires. Consequently, we are requesting a not-to-exceed amount for this renewal pending final pricing. Metro purchases an insurance policy to cover cybersecurity liability exposures. Cybersecurity is the practice of being protected against criminal or unauthorized use of systems and electronic data. These exposures include, but are not limited to:
• Unavailability of IT systems and networks
• Physical asset damage and associated loss of use
• Loss or deletion of data
• Data corruption or loss of data integrity
• Data breach leading to compromise of third-party confidential/personal data
• Cyber espionage resulting in the release of confidential/sensitive information
• Extortion demands to cease a cyber-attack
• Direct financial loss due to theft
• Damage to reputation
• Bodily injury/property damage to third parties
Without this insurance, Metro is subject to unlimited liability for claims resulting from a cyber-attack or data breach event.
Background
BACKGROUND
For this current renewal, Marsh USA, LLC (Marsh), the insurance broker for Metro, was requested to market Metro’s cybersecurity liability insurance program to qualified insurance carriers. Marsh, through its partnership with Howden, a London broker, has received quotes from the incumbent carrier, which has A.M. Best ratings indicative of acceptable financial soundness and ability to pay claims. The premium indications provided are based on current market expectations and expire on September 1, 2025.
Marsh’s not-to-exceed premium serves three functions. First, it provides an amount to cover the recommended premium and contingency that Risk Management can bring to the CEO and Board to obtain approval for the binding of the program. Second, the number allows our broker ample time to continue negotiating with underwriters to ensure Metro obtains the most competitive pricing. And third, the not-to-exceed amount allows Metro to secure the quoted premium during the board cycle process prior to quote expiration.
Discussion
DISCUSSION
Public entities continue to be targeted for cyber-attacks as the cyber risk environment evolves. According to The State of Ransomware in the U.S., at least 50 local governments in the U.S. experienced ransomware attacks in the first half of 2024. Marsh observed a 16% increase in the number of cyber notifications from 2023 to 2024, underscoring the growing complexity of cyber risks. The frequency of cyber events and claim notifications in 2024 is primarily driven by third-party events, such as the CrowdStrike outage (July, 2024).
A new concern is the use of Generative AI and its ability to amplify existing cyber risks, leading to potential consequences, including business interruptions from AI system failures and inadvertent copyright infringements. The unpredictability of third-party events and the evolving cyber risk environment highlights the need for strong cybersecurity controls and effective insurance.
In Q1 of 2025, cyber insurance clients' rates decreased by 4% on average, marking the eighth consecutive quarter of reductions. This favorable environment has led clients to utilize premium savings to purchase higher limits, reduce retentions, shorten waiting periods, and broaden coverage.
Public entities with strong cyber risk controls have the greatest advantage in the current marketplace. Adhering to guidelines set forth by agencies such as the Federal Transit Administration (FTA) and the Cybersecurity and Infrastructure Security Agency (CISA) is critical for public entities like Metro. These organizations provide cybersecurity frameworks, risk assessments, and audits for public entities to comply with.
Metro has completed the Marsh Cyber Self-Assessment, which provides a review of cybersecurity controls. Marsh’s analytics suggest purchasing between $40 million and $85 million. The proposed program, from carrier BRIT Re, a Lloyd's of London consortium, provides up to $50 million in excess coverage on a claims-made basis with a $10 million self-insured retention (SIR). Attachment A summarizes the premium options, and Attachment B summarizes the coverages. The proposal was reviewed by Risk Management and Information Technology Services (ITS) team members, who agree that the proposed coverage will help mitigate Metro’s financial and reputational risk should the agency experience a cyber-attack event.
Determination_Of_Safety_Impact
DETERMINATION OF SAFETY IMPACT
Approval of this action positively impacts the safety of Metro’s patrons and employees. Cyber Liability insurance carriers will review cybersecurity procedures to mitigate potential risks or hazards and provide an overall risk assessment of Metro’s practices and assets as they underwrite the program. Carriers may provide best-practice guidance to enhance Metro’s risk profile, and the policy will limit Metro’s liability for claims resulting from a cyber-attack or data breach event. Additionally, the policy will aid Metro’s recovery and moderate financial losses, as well as harm to Metro’s reputation resulting from cyber events and incidents.
Financial_Impact
FINANCIAL IMPACT
The FY26 Budget includes $3.01 million for this action in cost center 0531, Non-Departmental - Ops Risk Management, under projects 100001 - General Overhead, 300022 - Rail Operations - A Line, 300033 - Rail Operations - C Line, 300044 - Rail Operations - B Line, 300066 - Rail Operations - E Line, 300077 - K Line, 301012 - G Line, 306001 - Operations Transportation, 306002 - Operations Maintenance, 320011 - Union Station and 610061 - Owned Property.
Metro’s insurance premiums are amortized and span two fiscal years. The cost center manager and the Interim Chief Transit Safety Officer will be accountable for budgeting in FY27 costs not included in the FY26 budget.
Impact to Budget
The sources of funding for this action will come from federal, state, and local resources that are eligible for bus and rail operations.
Equity_Platform
EQUITY PLATFORM
The proposed action supports Metro’s ability to safely serve the communities and customers who rely on Metro’s transportation services and assets by providing insurance coverage that will allow Metro to more quickly resume operations in the event of a cybersecurity breach.
Vehicle_Miles_Traveled _Outcome
VEHICLE MILES TRAVELED OUTCOME
VMT and VMT per capita in Los Angeles County are lower than national averages, the lowest in the SCAG region, and on the lower end of VMT per capita statewide, with these declining VMT trends due in part to Metro’s significant investment in rail and bus transit.* Metro’s Board-adopted VMT reduction targets align with California’s statewide climate goals, including achieving carbon neutrality by 2045. To ensure continued progress, all Board items are assessed for their potential impact on VMT.
While this item does not directly encourage taking transit, sharing a ride, or using active transportation, it is a vital part of Metro operations, as it provides cybersecurity liability coverage for Metro’s assets. Because the Metro Board has adopted an agency-wide VMT Reduction Target, and this item supports the agency's overall function, it is consistent with the goals of reducing VMT.
*Based on population estimates from the United States Census and VMT estimates from Caltrans’ Highway Performance Monitoring System (HPMS) data between 2001-2019.
Implementation_of_Strategic_Plan_Goals
IMPLEMENTATION OF STRATEGIC PLAN GOALS
The recommendation supports strategic plan goal # 5, “Provide responsive, accountable and trustworthy governance within the LA Metro organization.” The responsible administration of Metro’s risk management programs includes the use of insurance to mitigate large financial risks resulting from cybersecurity events.
Alternatives_Considered
ALTERNATIVES CONSIDERED
Various limits of coverage were considered, as outlined in Attachment A, for the cybersecurity liability program. All options include an SIR of $10 million for the same program. Option A, Metro’s current limit, provides $50 million in coverage, Option B provides $75 million in coverage, and Option C provides $100 million in coverage.
Option A, which is within Marsh’s analytics limits range, is recommended as the best value option while retaining a reasonable amount of risk over the coverage limit.
Next_Steps
NEXT STEPS
Upon Board approval of this action, staff will advise Marsh to proceed with the placement of the cybersecurity liability insurance program outlined herein, effective September 1, 2025.
Attachments
ATTACHMENTS
Attachment A - Coverage Options and Premiums
Attachment B - Coverage Description
Prepared_by
Prepared by: William Douglas, Senior Manager, Risk Financing, (213) 922-2105
Claudia Castillo del Muro, Executive Officer, Risk Management, (213) 922-4518
Bryan Sastokas, Deputy Chief Information Technology Officer, (213) 922-5510
Reviewed_By
Reviewed by: Kenneth Hernandez, Interim Chief Risk, Corporate Safety, and Asset Management Officer, (213) 922-2990
