ON THE RIGHT TRACK
Managing Cyber Risks in the Railway Industry
In Brief
Rail operators are embracing new technologies to boost efficiency and enhance the passenger experience. However, these advancements also increase the potential for cyber attacks. Adopting secure-by-design principles and implementing adaptive risk management strategies are essential to staying ahead of these threats.
Traditional property and casualty insurance policies often exclude cyber-related incidents. Modern cyber insurance addresses these gaps by offering tailored coverage and proactive services, such as incident response.
Identifying vulnerabilities across IT (information technology) and OT (operational technology) systems, as well as conducting risk quantification, enables operators to prioritise investments and align insurance coverage with actual risks.
The railway industry, once largely analogue, is undergoing a sweeping digital transformation. Internet of Things (IoT) devices, automation, cloud platforms and AI-driven analytics are redefining rail operations by enabling predictive maintenance, streamlining processes like signalling and ticketing and providing real-time data access across systems. These technologies improve efficiency, safety and passenger experience through optimised operations and personalised services. However, this interconnected ecosystem also introduces new threats and vulnerabilities, making cybersecurity and risk management a critical priority.
Cyberthreats are no longer hypothetical across the rail industry. Ransomware attacks, in which hackers seize and encrypt valuable data and demand payment to release it, and sophisticated system breaches have disrupted rail operations worldwide, exposing weaknesses in both information technology (IT) and operational technology (OT) environments.
A successful cyber attack can do more than compromise data. It can halt train operations, disable safety systems and erode public trust. Such attacks can lead to financial losses, privacy litigation, regulatory proceedings, reputational impacts and even physical damage.
“The more educated and aware the rail industry is about existing and emerging risks, the better prepared it will be to respond to potential cyber attacks,” says Kevin Woods, managing director of the Rail Transportation practice at Gallagher.
This whitepaper examines the evolving threat landscape and offers practical strategies for resilience. It offers a starting point for rail operators seeking to better understand risks and prioritise cybersecurity improvements and investments to move forward with confidence.
Understanding Cyberthreats to the Railway Industry
As rail operations today rely on a complex web of digital systems, hacking into the invisible infrastructure that supports them is a top concern for operators.
A breach in OT systems could compromise signalling systems, passenger information platforms, traffic management systems or, in extreme cases, train control systems. While large-scale attacks on Positive Train Control (PTC) systems have not yet occurred, the possibility of such an event keeps rail operators on high alert.
On the IT side, common exposures include locked internal systems, blocked dispatch operations, and ransomware attacks targeting sensitive customer or employee data, including biometric data. However, rail operators must remain knowledgeable about regulations like the Biometric Information Privacy Act (BIPA), which have led to an increase in privacy claims.
At the same time, outdated infrastructure and human error amplify these risks, while growing interconnectivity broadens the attack surface.
Most pressing cybersecurity challenges for commuter/passenger rail
- Incident response
- Privacy liability and privacy regulation
- Cyber extortion
- Business interruption
- Dependent business interruption
Most pressing cybersecurity challenges for freight and cargo rail
- Incident response
- Cyber extortion
- Business interruption
- Impact on the operational technology environment (Centralised Traffic Control — CTC, Positive Train Control — PTC, Supervisory Control and Data Acquisition — SCADA systems)
- Physical damage events
- Business interruption arising from physical damage events
A sector in transition
The current migration in the US rail industry from Global System for Mobile Communications - Railway (GSM-R) to the Future Railway Mobile Communication System (FRMCS) represents significant progress. However, many systems still depend on outdated OT infrastructure and IT platforms that lack modern cybersecurity safeguards.
“This is not an overnight fix. Many organisations are lacking proper infrastructure and are significantly behind where they need to be in terms of cybersecurity, sometimes without knowing,” explains Brad Burtram, Executive Director for Rail at Gallagher. “The problem is that bad actors are incredibly advanced and almost always a step or two ahead, which means we’re constantly trying to play catch-up.”
The IT-OT Convergence Challenge
The increasing use of technology has strengthened the connectivity between IT and OT systems, creating a more integrated interface. This convergence enhances efficiency and enables real-time decision-making in rail operations, but it also amplifies risk.
As these systems become more interconnected, such as through IoT sensors, a breach in one area can rapidly spread across the entire network. Furthermore, the traditional approach to cyber risk, which primarily focused on data privacy and “air gapping” OT systems to prevent hacker access, is no longer adequate.
“Any type of technology being used, whether it’s for buying tickets, monitoring train locations or anything else, is exploitable because much of it is always connected,” explains Stephanie Snyder Frenier, Senior Vice President for Cyber Liability at Gallagher. “This creates an entirely new layer of potential liability.”
Emerging Threat Vectors
Risks also stem from less obvious sources. Website tracking technologies, for instance, can expose rail operators to litigation as these tools collect data that is subject to privacy and compliance regulations.
“We are seeing now more cases where websites have embedded videos, pixel tracking technologies or chat functionalities which can lead to significant litigation and potentially trigger cyber policies,” explains Snyder Frenier.
Supply Chain and Geopolitical Vulnerabilities
The digital supply chain presents both opportunities and vulnerabilities for operators aiming to enhance their cybersecurity. The rail industry’s increasing reliance on third- and fourth-party vendors for security and operational software introduces additional layers of exposure.
“Organisations need to gain visibility into their technology suppliers and establish communication protocols for cyber incidents,” advises Nick Gwynne-Robinson, Consultant for Crisis and Security Strategy at Another Day, a Gallagher company.
Large rail operators are increasingly requiring suppliers to carry cyber insurance as a prerequisite for doing business, recognising the shared responsibility in securing the ecosystem.
Global geopolitical events can also influence cyber risk. Rail, as part of the critical infrastructure that drives the global economy, is often a target in this unstable environment. By 2025, 60% of global organisations identified geopolitical tensions as a driver for changes in their cybersecurity strategy, and 45% of cyber leaders cited operations and business disruption as their top concern.1
Timeline of Cyber Attacks on Rail Operators
- US, 2023: A ransomware attack resulted in the exfiltration of approximately 80 GB of data.
- Poland, 2023: Emergency stoppage of around 20 trains occurred due to compromised railway radio frequencies, which triggered the train emergency stop function.
- New Zealand, 2023: A ransomware attack disrupted ticketing and customer service systems. This was followed by a Distributed Denial of Service (DDoS) attack, allegedly in retaliation for not paying the ransom.
- UK, 2024: A cyber attack exposed customer information, necessitated employee password resets, and disrupted operations, including live arrival information and payment processing.
- UK, 2024: Hacking of Wi-Fi at railway stations led to terror messages being displayed on passengers’ devices.
- France, 2024: A ransomware attack disrupted ticketing and scheduling systems for a major commuter rail operator.
- US, 2024: A ransomware attack left operators unable to track the location of railcars for nearly four hours.
What Can Cyber Insurance Do for Rail Operators?
Despite the rail industry’s awareness of the need for robust cybersecurity controls as it adopts new technologies, underinsurance remains a significant challenge. Budget constraints, worsened by reduced commuter traffic and revenue declines since the pandemic, have further limited investment in cybersecurity and insurance.
“Rail organisations are embracing enhanced internal cybersecurity controls to address these technological changes, but many do not have adequate coverage to protect against loss,” explains Stephanie Snyder Frenier, Senior Vice President for Cyber Liability at Gallagher.
Beyond Coverage: Added Value
Traditional property and casualty (P&C) insurance policies often fail to address cyber-specific risks, leaving rail operators vulnerable to financial, operational, and reputational harm. Cyber insurance bridges these gaps by offering specialised coverage for digital threats, including:
- Breach response costs (legal, public relations, and crisis management)
- Security and privacy liability
- Data breach notifications and privacy regulatory proceedings
- Business interruption and dependent business interruption
- Cyber extortion and ransom
- Reputational harm
- Computer hardware replacement
“Carriers aim to help organisations prevent claims in the first place. They provide access to and indemnification for a variety of value-added services beyond just the financial protection,” says Snyder.
These expert resources and proactive risk management services can include:
- Incident response support and legal counsel
- Data forensics and credit monitoring
- Complimentary or discounted services, such as tabletop exercises, dark web monitoring, penetration testing, and vulnerability scans
“Insurance carriers providing cyber coverage understand the complexity of this industry. For operators with small IT teams, these external support services can be essential,” describes Kevin Woods, Managing Director of the Rail Transportation practice at Gallagher.
In the event of a cyber incident, timing is critical. Specialist advisors can assess the situation, guide recovery efforts, and provide additional support in legal, public relations, and crisis management to minimise damage and expedite recovery.
Falling Short with Traditional Cyber Insurance
Traditional insurance policies often have significant gaps in coverage for cyber exposures and frequently include broad exclusions that leave organisations vulnerable. Customised programmes are essential to safeguarding your business against both the traditional and non-traditional impacts that a cyber crisis can have on your operations.
Potential Cyber Limitations in Traditional P&C Policies
Property & Casualty (P&C) insurance policies have traditionally been a cornerstone of risk management for rail operators, covering physical damage and third-party liability. However, these policies often fail to address the evolving nature of cyberthreats.
Why Addressing Silent Cyber Left Gaps in Traditional Policies
Prior to 2019, most P&C insurance policies provided coverage for damage caused by cyber-related events, such as fires, explosions, or machinery breakdowns resulting from a cyber attack.
However, starting in 2020, the Lloyd’s of London insurance market mandated that insurers explicitly state whether cyber risks were covered or excluded in their policies. This was an effort to address the issue of "silent cyber" — a term referring to potential cyber exposures that were neither explicitly included nor excluded in traditional insurance policies.
As a result, many insurance carriers introduced cyber exclusions in their P&C policies. This left some businesses without coverage for damages caused by cyber incidents, whether malicious (e.g., hacking) or non-malicious (e.g., system errors), even when these incidents resulted in tangible physical damage.
Why Rail Operators Are Exposed to Cyber-Physical and Non-Damage Business Interruption
The rail industry, which heavily relies on OT systems, is particularly vulnerable to cyberthreats that can cause direct physical harm. These threats may lead to equipment destruction, system failures, and safety hazards, potentially resulting in bodily injury.
To address these exclusions, the insurance market introduced "buyback" solutions, allowing operators to purchase additional coverage to fill the gaps. Examples include:
- Affirmative Basis: Fully buying back cyber exclusions, whether related to malicious or non-malicious events, such as property damage or bodily injury.
- Non-Affirmative Basis: Selectively buying back specific exclusions under the policy, tailored to address the insured’s primary concerns.
“These buyback options allow rail operators to address specific exclusions and close critical gaps in their P&C coverage,” explains Joe Stubbings, Director for Large Corporate Cyber Practice at Gallagher.
The Role of Education and Advisory
Many operators mistakenly assume their P&C policies provide comprehensive protection, only to uncover exclusions after an incident occurs. This highlights the importance of stress testing how policies might respond by conducting scenario planning exercises with the support of risk and insurance partners. Brokers play a crucial role in clarifying these details and helping organisations make informed decisions.
“It takes a knowledgeable broker to truly understand what carriers are offering, as there may be exclusions built into the policies that need to be carefully reviewed,” says Kevin Woods, Managing Director of the Rail Transportation practice at Gallagher.
“Cyber insurance goes beyond providing indemnity; it helps rail operators mitigate impacts and recover from an event more effectively. We help clients by providing clarity over their policies and the exclusions that may exist and ensure coverage aligns with actual risk,” adds Joe Stubbings, Director for Large Corporate Cyber Practice at Gallagher.
By proactively identifying gaps and exploring tailored solutions, rail operators can establish a more resilient risk management framework that addresses the realities of today’s cyberthreat landscape.
"Cyber insurance goes beyond providing indemnity; it helps rail operators mitigate impacts and recover from an event more effectively. We help clients have clarity over their policies and the exclusions that may exist and ensure coverage aligns with actual risk."
Joe Stubbings Director for Large Corporate Cyber Practice, Gallagher
Assess, Quantify and Protect
Effectively managing cyber risk begins with understanding it. For railway operators, this involves taking a comprehensive view of their digital ecosystem and identifying critical points of exposure.
1. Mapping Exposure
A proactive first step is assessing exposure across both IT and OT environments. This includes ticketing systems, passenger data platforms, signalling infrastructure, and train control systems. Understanding how these systems interact helps prioritise cybersecurity investments and align insurance coverage.
2. Quantifying Risk to Inform Strategy
Risk quantification is a vital tool in this process. By analysing the potential financial impact of cyber incidents — such as business interruption, ransomware attacks, or data breaches — organisations can better understand the scale of their exposure and determine whether current policy limits are sufficient. Aligning insurance policies with identified risks ensures that both first-party and third-party exposures are adequately addressed.
3. Designing Fit-for-Purpose Risk Management Strategies
Once risks are identified and quantified, rail operators can implement layered defences and operational plans.
Defence layers for IT systems include technical controls such as:
- Multi-factor authentication (MFA)
- Endpoint detection and response (EDR)
- Secure backup protocols to address IT system vulnerabilities
Operational planning improvements can include:
- Incident response plans
- Ransomware readiness assessments
- Business continuity strategies
These measures reduce the likelihood and impact of cyber incidents while strengthening the organisation’s insurability and preparedness. If the worst happens, disruption is minimised. Underwriters expect best-in-class practices, which demonstrate cybersecurity maturity and business resilience.
Future Trends in the Rail Industry
To ensure progress stays on track, cybersecurity must be integrated into every layer of digital transformation.
IoT and Edge Technology
Internet of Things (IoT) devices and edge computing are revolutionising rail operations by enabling real-time data collection, processing, and analysis. These technologies enhance traffic monitoring, predictive maintenance, and passenger experience.
However, each sensor, monitoring system, and connected device increases the potential entry points for attackers. “The rail industry needs to respond with a ‘secure by design’ approach. This means embedding cybersecurity into the architecture of new systems to mitigate risks from the outset,” advises Nick Gwynne-Robinson, Consultant for Crisis and Security Strategy at Another Day, a Gallagher company.
AI: An Arms Race Between Companies and Cybercriminals
Artificial Intelligence (AI) offers opportunities for optimised cargo tracking, traffic flow management, and even autonomous train concepts. However, the same technology is empowering cybercriminals, enabling them to create sophisticated malware and automated attacks.
“With AI, not only are attacks growing in sophistication, but also low-skilled cybercriminals are now able to create malicious software and malware to attack rail operators,” explains Robinson.
As AI becomes more integrated into operations, prioritising guidelines for responsible implementation, governance, and ethical use will be essential to safeguard systems and mitigate misuse.
Autonomous Rail Developments
Autonomous rail technology, though still in the testing phase, is poised to transform commuter and freight operations. Pilot programmes are already underway, with broader adoption anticipated in the near future.
As this technology evolves, underwriters and insurance providers will refine their models to address liability and emerging risks. Flexible, forward-looking insurance solutions will be essential to keep pace with these advancements.
"The rail industry needs to respond to emerging technologies with a ‘secure by design’ approach. This means embedding cybersecurity into the architecture of new systems to mitigate risks from the outset."
Nick Gwynne-Robinson
Consultant for Crisis and Security Strategy at Another Day, a Gallagher company
Building Resilience Through Partnership
The railway industry’s digital transformation is undoubtedly ushering in a new era of efficiency and innovation. However, it also introduces a more complex and interconnected digital risk landscape.
For rail operators navigating this transformative phase, success lies in finding the right partners and expertise to maximise opportunities while enhancing cyber resilience to mitigate potential risks.
With Gallagher, you can confidently embrace the digital future, safeguarding your assets, your people, and your reputation. Contact us to learn how we can help you build a cyber-resilient rail operation.
Let's talk
Joe Stubbings
Director, Cyber
joe_stubbings@ajg.com

The Walbrook Building 25 Walbrook London, EC4N 8AW
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.
The information contained herein is offered as insurance Industry guidance and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer financial, tax, legal or client-specific insurance or risk management advice. General insurance descriptions contained herein do not include complete Insurance policy definitions, terms, and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis. Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organizations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third-party websites and resources.