Post-breach Learnings Lead to Cyber Risk Resilience

A deeper dive into the 2020 AC Transit data breach demonstrates how organizations facing cyberattack can come back stronger, with resilience at the fore.

Among the many news reports of cyberattacks, reporters frequently mention how an attack exploited a weakness and disrupted a business. Much less attention is paid, however, to organizations that use those incidents as turning points to improve their cybersecurity and resilience.

In 2020, the Alameda-Contra Costa Transit District in Oakland, California, known as AC Transit, experienced a data breach that exposed the personal information of employees and customers. Such a breach was significant for AC Transit as the third-largest bus-only transit agency in the United States and the largest public bus-only transit system in California.

AC Transit serves 1.5 million East Bay residents and connects to nine other public and private bus systems, 22 BART stations, seven Amtrak stations and five ferry terminals.

Loss of confidence in the privacy of customer data would be a significant disincentive to citizens using the transit system.

What happened at AC Transit following the breach offers lessons to other organizations. With the right approach internally, and the support of expert risk management partners, public- and private-sector entities can not only mitigate their cyber risks following an incident but also emerge stronger. As AC Transit learned, organizations must keep moving forward if they want to become risk resilient.

Steps to Improve Cyber Risk Management

Months after the breach, the transit system took steps that put the agency on the path to strong cyber risk management. Those steps included:

Implementing a layered approach to security, starting with fundamental security controls. Prioritizing the most urgent security tasks is a practical way to bolster defenses.
Promoting greater internal awareness of cyber risks. Employee training is a critical part of this effort.
Strengthening data governance and protection. Rules on how data is used, stored and protected are essential for all organizations.
Focusing on the longer term. After attending to urgent short-term cybersecurity issues, organizations should take time to assess their long-term needs for managing cyber threats and opportunities for improvement.
Shifting the organization from a reactive to a more proactive stance. This can be done through learning from each incident and incorporating insights to enhance cyber risk practices.

Partnering with Cyber Experts

In 2022, the transit agency partnered with Resilience as its cyber insurer.

Tas Jalali, Head of Cybersecurity, Alameda-Contra Costa Transit District

AC Transit participated in a tabletop exercise that clearly illustrated where the transit agency could further mitigate its cyber exposures and improve its risk response.

That became a turning point that led to the client and their insurer forming a deeper cyber risk management engagement.

Working with Resilience, AC Transit approached its cyber risks as business risks, and translated those threats into financial terms. Out of this partnerships, AC Transit adopted holistic approach to cybersecurity that aligned with its business strategies and hardened its cyber controls.

Because public agencies such as AC Transit may not have the resources of companies in the private sector, proactive and efficient risk management takes on greater importance. As the largest provider of an important public service in its region, AC Transit cannot afford to have downtime.

The transit system’s customers rely on its scheduled service to get where they need to be. Cyber risks that could disrupt transit service would have a wide economic impact across the region. AC Transit recognized that possibility and made the business decision to prioritize improvement of its cyber risk management strategy.

Action After Awareness

One of the benefits of a cyber risk tabletop exercise is that the participating organization sits through a simulated real event and can see the possible gaps in its incident response processes in real time.

Travis Wong, Vice President of Customer Engagement, Resilience

Improvement does not automatically follow the awareness an organization gains from this exercise, however. Organizations need:

Buy-in from leadership.
Willingness to set internal policies to fix weaknesses.
Budgets to make the changes necessary to mitigate their cyber risks.

Not all organizations have an appetite for taking new information about their cybersecurity and using it to shift their culture. AC Transit’s team did – and the results speak for themselves.

The work paid off. Not only did AC Transit successfully recover from its 2020 breach, but it also shifted its culture to improve its cybersecurity. AC Transit continued to fulfill its mission of providing reliable service and in 2023, the district was honored as the Outstanding Public Transportation System of the Year by the American Public Transportation Association.

Not Standing Still

AC Transit’s AI initiatives, formalized through a policy adopted in October 2024, focus on responsibly deploying artificial intelligence to boost operational efficiency, enhance rider experience, and advance sustainable transit solutions while upholding ethical standards and public trust.

Central to these efforts is evaluating the effectiveness of AI-driven bus lane enforcement, which has markedly improved transit operations by ensuring compliance and minimizing delays. This aligns with AC Transit’s commitment to transparency, safety, and community engagement, though changes in rider behavior are due to enhanced enforcement.

AC Transit has good reason to believe that its actions so far have improved its cybersecurity and risk resilience. That’s because they’re working. &

Tas Jalali is Head of Cybersecurity for the Alameda-Contra Costa Transit District, which he joined following its data breach. In addition to overseeing AC Transit’s cybersecurity and cyber risk management operations, he is chair of the Artificial Intelligence subcommittee of the American Public Transportation Association and a member of the CISO council for North American transit agencies. Travis Wong is Vice President of Customer Engagement for Resilience, a San Francisco-based cyber risk company that offers risk quantification software, cybersecurity experts, and A+ insurance in integrated solutions purpose-built for large and middle-market organizations.

Navigating the Evolving Risk Landscape: How E&S Markets Are Addressing Property Exposure Challenges

As catastrophic events increase in both frequency and severity, insurance professionals must adapt their strategies to effectively manage emerging risks while maintaining strong client relationships.

By: Nationwide® | June 2, 2025

The Shifting Terrain of Property Risk

The property insurance landscape has been undergoing a dramatic transformation in the last five years, with catastrophic events occurring with greater frequency and in unexpected locations. This evolution is forcing insurance professionals to reconsider traditional approaches to risk assessment and coverage.

“The nature of property risk has been evolving over the past several years, with an increasing severity and frequency of catastrophe losses. This shift has altered how the marketplace perceives and approaches property insurance,” said Tonya Courtney, senior vice president of Nationwide E&S Brokerage Property.

Recent events highlight this changing dynamic. Hurricane Helene caused severe flooding in Asheville, North Carolina—an area situated more than 250 miles to the coast where such extensive damage would typically not be anticipated in the wake of a windstorm.

“When underwriting hurricane losses, the focus is usually within a 50-mile radius of the coast, where the greatest impact from a named windstorm event is expected. However, Hurricane Helene defied these expectations, causing widespread damage in Asheville and catching everyone by surprise,” Courtney explained.

This pattern of unexpected catastrophes extends beyond hurricanes. What the industry describes as “secondary perils” are now driving significant losses.

“While the E&S market has traditionally focused on named windstorm as the primary peril, convective storms were the primary driver of property losses in 2023,” Courtney noted. “We must also consider the impact of other perils, such as wildfire, which wasn’t a significant issue before the Tubbs Fire in 2017 caused over 5 billion dollars in property losses.

The financial impact of these events is staggering. According to Courtney, catastrophic events have exceeded $100 billion in insured property damage worldwide since 2017 and are expected to worsen.

Evolving Underwriting Practices and Market Shifts

Tonya Courtney, senior vice president of Nationwide E&S Brokerage Property

As risks evolve, so too must underwriting approaches. The Excess and Surplus (E&S) market is seeing increased business flow as standard markets have struggled with the changing risk landscape. The shift gained momentum around 2018 when the standard lines property market hardened considerably as a result of losses from Harvey, Irma, Maria, and California wildfires.

The increasing frequency and severity of losses and increasing valuation of buildings make it difficult for a single carrier to handle such large exposures. “Post-COVID, building materials and labor costs have exploded, further exacerbating the situation. “For example, a hospital valued at $2 billion may be covered with a $750 million loss limit from the standard market, which is a significant exposure for one carrier,” Courtney explained.

The E&S market offers a solution by spreading risk across multiple carriers. “The E&S market can spread the risk by taking smaller portions of the exposure. A $5 million loss is more manageable for a single carrier than a $750 million loss,” Courtney said.

This shift has prompted E&S underwriters to adapt their risk assessment practices. “E&S carriers are becoming more diligent in utilizing data analytics to evaluate and underwrite property exposures. They are not simply offering high limits on every risks without an in-depth and thorough understanding of the risk and potential for loss, “Courtney explained. “Valuation is a key focus, and underwriters are relying on sound valuation tools in lieu of stated values on property applications as accurate valuation is crucial for setting PMLs, determining attachment points, limits, and deductibles. Roof scores have also become an important underwriting requirement, especially for coastal risks.

“Wind loss prevention relies heavily on the roof as a first line of defense,” Courtney noted.

The Critical Role of Relationships and Prevention

In this volatile environment, strong relationships between brokers, carriers, and clients have never been more important. Trust and consistency are the foundation of successful partnerships in the insurance industry.

“In the current landscape, fostering strong partnerships is absolutely essential. Carriers must go beyond pricing risk and position themselves as strategic partners in risk mitigation and portfolio resilience.

For brokers navigating this complex market, Courtney recommends working with carriers that are transparent, collaborate on loss prevention, and have dedicated underwriters that are known in the industry as trusted advisors.

“It’s crucial to work with underwriters who have the expertise and knowledge to provide consistent, strong programs year after year,” she advised. “Anyone can put a policy on the books, but the real value lies in the underwriter’s ability to deliver reliable coverage without sudden changes or surprises.”

This consistency builds trust, which becomes particularly valuable during market fluctuations. ” Courtney said.

This collaborative approach to prevention not only protects policyholders but also contributes to the long-term stability of insurance companies. By working together to identify and address potential hazards before incidents occur, the industry can better navigate the increasingly complex risk landscape.

“To address this, we must evolve our thinking and approach to align with the changing market and global conditions,” Courtney concluded. “Collaboration and innovation within the industry are crucial to tackling these challenges effectively.”

To learn more, visit nationwide.com/experience.

About Nationwide

Standard & Poor’s A+¹ | AM Best Rated A² | Fortune 100 Company
Products underwritten by Nationwide Mutual Insurance Company and Affiliated Companies. Not all Nationwide affiliated companies are mutual companies, and not all Nationwide members are insured by a mutual company. Home Office: One Nationwide Plaza, Columbus, OH. Nationwide, the Nationwide N and Eagle, and other marks displayed on this page are service marks of Nationwide Mutual Insurance Company, unless otherwise disclosed.
¹The fifth highest of 21 ratings. The outlook for this rating is stable. Received: 12/22/08. Affirmed: 05/16/23
²The third highest of 16 ratings. The outlook for this rating is stable. Received: 12/7/23. © 2024 Nationwide Mutual Insurance Company.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.

Nationwide, a Fortune 100 company, is one of the largest and strongest diversified insurance and financial services organizations in the U.S. and is rated A by A.M. Best and A+ by Standard & Poor’s.