Insurance. It’s a necessary and expensive budget line item that trucking companies must endure to keep their assets on the road. Many technologies, like dash cameras, ADAS and telematics, can help carriers alleviate those costs as more insurers use data from those devices to inform the underwriting of their policies.
But those technologies bring new challenges, increasing costs for carriers in a new area: cyber insurance.
Cyber insurance was a hot topic at this year’s National Motor Freight Traffic Association’s annual conference held in Cleveland, Ohio. While it isn’t a new topic, it’s becoming more prevalent in the trucking industry.
Steve Hankel, vice president of IT at Johanson Transportation, said he deletes at least three emails a day that urge him to sign a contract. He knows those emails are phishing attempts to obtain insider access to his 3PL company’s data. But as carriers implement technology from third-party vendors, bad actors are gaining more potential attack avenues beyond a direct email to a carrier employee.
Carrie Yang, senior vice president of the cyber practice at insurance broker Marsh, said access to a carrier via a third-party vendor is a major concern for insurance underwriters. It’s called a single point of failure – if one vendor is attacked, it impacts the insurance policies of hundreds of other companies and adds up to a huge loss.
And attacks are on the rise.
[RELATED: Trucking industry experts fear AI is an emerging cybersecurity concern]
Because of that, Yang said, she predicts in 2025 that cyber insurance rates will slightly go up.
“That's my own prediction because, right now, 2024 is relatively a buyer-friendly market. The rate is going down, but claims activity is going up,” she said. “Insurance carriers are reactive. It takes a while to adjust the claim. Once they start paying money, they will feel the pain and probably will adjust the rate.”
Cyber insurance pros and cons
Yang said that cost – and the time investment needed from a carrier to fill out what is a very lengthy, complicated and comprehensive cyber insurance questionnaire – is what prevents carriers from buying cyber insurance.
But a cyberattack will ultimately cost them more, potentially even their whole company.
“I think there are five major reasons that a carrier needs to think about cyber insurance,” Yang said. “One is the fundamental financial protection against unexpected incidents or loss. That's the fundamental principle of insurance: to make you whole when you have a loss.”
It's also a way to manage risk, she said, and it provides a free risk assessment. When a carrier fills out the risk assessment, they get feedback from the insurance provider about potential vulnerabilities and weaknesses within their cybersecurity program. It also offers companies access to certain resources like pre-vetted incident response vendors, including forensic investigation vendors, credit monitoring vendors, notification vendors and breach council, to name a few.
The fifth reason – and probably one of the most appealing to carriers – is that it can facilitate business.
“A lot of your clients are requiring the company to purchase cyber insurance. Otherwise, probably they will not sign the contract with you,” Yang said.
Gaps in coverage
Ben Gardiner, senior cybersecurity research engineer at NMFTA, said while cyber insurance can help recoup a loss, it doesn’t help a carrier continue to operate while waiting for that claim payout.
[RELATED: Ransomware remains top cybersecurity concern for trucking industry]
It also doesn’t cover physical attacks on assets like trucks and trailers, which is becoming an increasing concern. Gardiner is worried that as financially motivated attackers stop succeeding so easily with PC-based ransomware, they will start doing mass derates (crippling the truck into 'limp mode').
“I hope I'm ultimately wrong about it, but I do think it's a when, not if, for these things,” Gardiner said.
Yang said that’s where there’s a gap in coverage as the potential of a cyber event affecting the physical world becomes increasingly possible.
“Cyber insurance typically covers intangible assets, which means data. Cyber insurance does not cover physical assets, so property damage,” she said. “If this type of policy is launched, it would not be cheap.”