Metro - File #: 2023-0384

• File #: 2023-0384
• Type: Program
• Status: Passed
• File created: 5/22/2023
• In control: Finance, Budget and Audit Committee
• On agenda: 7/19/2023
• Final action: 7/27/2023
• Title: AUTHORIZE the Chief Executive Officer to negotiate and purchase a cybersecurity liability insurance policy with up to $50 million in limits at a cost not to exceed $4 million for the 12-month period effective September 1, 2023, to September 1, 2024.
• Sponsors: Finance, Budget and Audit Committee
• Indexes: Budget, Budgeting, Expo Line Operating Project (Project), Federal Transit Administration, General Overhead (Project), Insurance, Los Angeles Union Station, Maintenance practices, Metro Rail A Line, Metro Rail B Line, Metro Rail C Line, Metro Rail E Line, Operations and Maintenance, Operations Maintenance (Project), Operations Transportation (Project), Owned Property (Project), Policy, Program, Project management, Purchasing, Rail Operations - Blue Line (Project), Rail Operations - Green Line (Project), Rail Operations - Red Line (Project), Rail Operations Control Center, Rail Operations-Crenshaw Line (Project), Safety and security, Security, Station operations, Supervisory Control And Data Acquisition, Union Station Property Management (Project)
• Related files: 2023-0608

Date	Action By	Action	Result
7/27/2023	Board of Directors - Regular Board Meeting

Meeting_Body
FINANCE, BUDGET, AND AUDIT COMMITTEE
JULY 19, 2023

Subject
SUBJECT: CYBERSECURITY LIABILITY INSURANCE PROGRAM

Action
ACTION: APPROVE RECOMMENDATION

Heading
RECOMMENDATION

Title
AUTHORIZE the Chief Executive Officer to negotiate and purchase a cybersecurity liability insurance policy with up to $50 million in limits at a cost not to exceed $4 million for the 12-month period effective September 1, 2023, to September 1, 2024.

Issue
ISSUE

Metro's cybersecurity liability insurance policy expires on September 1, 2023. Insurance underwriters will not commit to final pricing until three weeks before the current program expires. Consequently, staff requests a not-to-exceed amount for this renewal pending final pricing. Metro purchases an insurance policy to cover cybersecurity liability exposures. Cybersecurity is the practice of being protected against criminal or unauthorized use of systems and electronic data. These exposures include but are not limited to:

? Unavailability of IT systems and networks
? Physical asset damage and associated loss of use
? Loss or deletion of data
? Data corruption or loss of data integrity
? Data breach leading to compromise of third-party confidential/personal data
? Cyber espionage resulting in the release of confidential/sensitive information
? Extortion demands to cease a cyber-attack
? Direct financial loss due to theft
? Damage to reputation
? Bodily injury/property damage to third parties

Without this insurance, Metro is subject to unlimited liability for claims resulting from a cyber-attack or data breach event.

Background
BACKGROUND

FY23 was the first year Metro purchased cybersecurity liability coverage for $2,663,634.73. For the first renewal, Metro's insurance broker, USI Insurance Services ("USI"), was requested to market Metro's cybersecurity liability insurance program to qualified insurance carriers. Through its partnership with Howden, a London broker, USI has received quotes from ...