BOW VALLEY – A new cost faced by organizations and governments across the world was added to Roam transit’s expenses.
The Bow Valley Regional Transit Services Commission approved purchasing an extra $1 million for its insurance policy to specifically protect the transit service in the case of a cyber attack.
The plan, which the commission approved for a cost to not surpass $17,000, is intended to safeguard against the growing number of cyberattacks seen across the globe.
“It’s to be additionally cautious with the increase in cybercrime and phishing attempts. The board felt it was prudent to add that to our insurance profile,” said Roam CEO Martin Bean.
He said Roam had been looking at it for the past year and commissioned a consultant last summer to evaluate its systems. It resulted in recommendations for education as well as to have specific insurance.
The existing policy for Roam transit has “small coverages for cybercrime,” according to a staff report, but the enhanced service would add greater protection.
The report noted a small or moderate attack could cost the transit authority between $500,000 to $1 million, but also bring service disruption and impact Roam's reputation.
A study by the Ponemon Institute indicated the average cost of a data breach last year was $5 million.
“There’s a services side and a financial side,” Bean said. “The cyber insurance may not mitigate everything, but it’s. safeguard in place and the other part is due diligence and education on behalf of all our staff.”
The report stated Roam transit pays $11,500 for general liability insurance and about $185,000 for fleet insurance.
A specific quotation was unable to be made until a full application was submitted, but the estimated cost was an extra $10,000 to $15,000 a year through AIG Insurance Company of Canada.
Bean said the transit authority has continued to do cyber education for staff and the potential risks are if an organization were attacked.
Cyberattacks have been growing in frequency for the past 10 years.
In late 2015 and early 2016, Banff Centre had an employee compromise its computer network and IT systems.
The Town of Banff was hit in 2022, leading to information on past and present Town employees, current and former Banff residents and property owners, business owners, municipal program participants and holders of municipal permits and licences and people from out-of-town who interacted with the Town via service requests and parking infractions being accessed.
Roughly 130 gigabytes were accessed, though the Town was not locked out or stopped from using its information as is often seen in cyberattacks. However, municipal enforcement was unable to hand out tickets for about a month after the attack.
The cyber attack cost the Town more than $656,000, but an additional $220,000 was also requested at 2023 service review for new IT staff, a cybersecurity audit, insurance and hardware and software. Legal fees were also $246,000 more than budgeted and contracted services were $403,000 higher.
Transit authorities have also not been immune with the Toronto Transit Commission having information on up to 25,000 past and present staff accessed, the Metropolitan Transportation Authority being cyberattacked several times in recent years and TransLink and MetroVancouver being cyberattacked in 2020.
Alberta Municipalities – the former Alberta Urban Municipalities Association – hired the Ontario-based Stratejm to complete a report on best cybersecurity practices for its municipal members.
The report highlighted municipal governments often are slow to implement security controls when connecting to a computer network or the internet.
“In effect, lack of adequate security protocols results in weak municipal systems that hackers can easily exploit to take control of systems, knock out public services, and steal confidential information,” stated the Stratejm report.