- America’s transportation infrastructure not only suffers from insufficient investment, but remains vulnerable to many types of risks, including devastating damage from extreme weather events.
- Given the value of the infrastructure at risk, insurance coverage should serve as an important resilience strategy for transportation infrastructure systems. Yet some critical U.S. transportation infrastructure systems are currently underinsured, while there is an over-reliance on the federal government for assistance following a large-scale disaster.
- This issue brief lays out several avenues which, if pursued by policymakers, could lead to improved transportation infrastructure resilience, better insurance products, and increased uptake of coverage, as well as a reduction in reliance on taxpayer-funded government disaster aid.
- These include better and more complete collection and aggregation of actual transportation infrastructure risks and costs; amendment of the 1988 Stafford Relief and Emergency Assistance Act; establishment of government standards specifically for cyber risk management; and increasing access to subsidized loans for infrastructure resilience projects.
These systems are vital to the U.S. economy. Transportation (investments, purchases, employment, etc.) accounts for nine percent of the $13.3 trillion in U.S. GDP, with total transportation assets valued at $7.7 trillion, as measured in 2016. However, investment in transportation infrastructure has lagged. One out of every five miles of highway pavement is in poor condition, most locks and dams on the inland waterway system are well past their 50-year design life, nine percent of bridges are structurally deficient, and transit systems suffer from a $90 billion rehabilitation backlog.
The vulnerability of the U.S. transportation infrastructure is compounded by the fact that it is subject to several types of significant disruptions: terrorist attacks, failure of infrastructure equipment, major accidents that are often caused by human error, and natural disasters. Infrastructure risks are greatest for systems in areas prone to extreme events, located near climate-sensitive environmental features, or already stressed by age or demand. Currently, few transportation systems maintain any substantial level of excess capacity or redundancy.
Meanwhile, rebuilding costs following natural and man-made disasters can be extensive (see Table 1) and are rising due to a huge increase in the value at risk. Public and private outlays to cover the restoration, repair, and losses associated with large-scale disasters are becoming unsustainable. Furthermore, indirect costs to regional economies increase when repairs to damaged infrastructure are postponed.
Insurance coverage is an important resilience strategy for transportation infrastructure systems: insurance protection ensures that funds will be rapidly available, compared to federal disaster relief, which is often delayed for months or years. In addition to providing financial protection against disaster losses, insurance and other alternative risk transfer instruments can serve as a market-based incentive mechanism to encourage investments in mitigation measures in return for reductions in insurance premiums. Despite the benefits of insurance coverage, however, we find that some critical U.S. transportation infrastructure systems are currently underinsured not only because of budget constraints, but also because of the competing concerns that managers face. Most infrastructure managers are judged on their short-term performance, and while infrastructure failure is a worry, other hazards, such as employee-related risks, are more immediate and common, as well as easier and cheaper to plan for.
In this Issue Brief, we discuss several options that are available to policymakers for improving transportation infrastructure resilience by incentivizing greater uptake of insurance coverage and other risk transfer mechanisms.
The Indispensable Role of Insurance
Insurance plays a particularly important role in the resilience of infrastructure systems by providing funds to enable restoration and recovery following a disruptive event. Many commercial insurance companies (e.g., AIG, Travelers, XL Catlin, FM Global) insure infrastructure systems. The types and amounts of coverage vary for different transportation systems since infrastructure owners require different insurance policies for the various hazards they are facing. Earthquake insurance might be important for a West Coast port whereas wind and flood coverage could be higher priority for a Florida transit system.
On average, only about 30 percent of catastrophe losses have been covered by insurance over the past 10 years. From the perspective of infrastructure managers, an optimal risk management strategy should rely upon multiple layers of risk transfer. These layers are self-insurance and mitigation, insurance, reinsurance and alternative risk transfer, and lastly, public sector aid or backstops. Recent history, however, reveals an over-reliance on the federal government for assistance following a large-scale disaster such as Superstorm Sandy and Hurricanes Harvey, Irma, and Maria. Public assistance for Sandy (projected through FY2018) stands at $17.6 billion, and totaled $7.6 billion for Harvey, Irma, and Maria.
Federal disaster assistance discourages investments that will enhance transportation infrastructure resilience. More specifically, when managers are confident that federal funds will be made available to make them nearly financially whole after a disaster strikes, they have little economic incentive prior to a disaster to expend their own limited resources on mitigation measures, or purchase (sufficient) insurance that would reduce their potential losses and facilitate the recovery process. Contributing further to this insurance gap is the reality that transportation infrastructure managers tend to focus on immediate safety and reliability risks connected to their mission, as opposed to longer-term natural disaster resilience concerns associated with low probability events such as hurricanes and earthquakes.
Our research investigates the role of insurance in providing financial protection against infrastructure damage of transportation facilities and in encouraging investment in loss reduction measures. We used two methods to collect data: (1) review of technical reports and literature relevant to infrastructure resilience, and (2) interviews with managers from the insurance and infrastructure sectors to determine which risk management practices are actually utilized in transportation infrastructure systems. The following policy challenges and opportunities, if addressed, could lead to an improvement in transportation infrastructure resilience, insurance products, and uptake of coverage, and a reduction in reliance on taxpayer-funded government disaster aid.
Opportunities for Policymakers
1. Facilitating Catastrophic Risk Data Collection, Availability, and Analysis
For infrastructure insurance to reach its potential, we need more complete data about costs and risks. Data availability and accessibility are essential for developing new insurance products and evaluating risk management and resilience measures. High quality data are necessary for determining risk-based pricing of insurance and could even facilitate the development of multi-year insurance contracts. Multi-year insurance contracts are desirable for several reasons. They dissuade policyholders from canceling their policies, or letting them lapse, if they suffer no losses in the first year. They also offer stable, annual premiums to managers averse to uncertainty. And they motivate insurers to inspect infrastructure over time to ensure safety and technical compliance. This is something they would not do with annual contracts.
Improved data and associated analysis could also alert insurers to the likelihood of potential losses and enable faster damage assessments and claims processing, more automation, and more personalized insurance products and services. In theory, with real-time data, coverage and costs could be regularly updated. Government could potentially help in this regard by undertaking or funding research and data collection for risk assessment. This data collection is a challenge for individual firms, as they are not able to access or aggregate data across an industry due to competition and antitrust regulations. But a government entity could do it. One example is a data sharing initiative developed through the Department of Homeland Security’s (DHS) Executive Order 13691, also known as Promoting Private Sector Cybersecurity Information Sharing. This initiative is an Information Sharing and Analysis Organization (ISAO) that allows groups to share cyber threat information with each other on a voluntary basis. More than 50 ISAOs and other information sharing organizations spanning a range of contexts such as healthcare, transport, and defense have been created.
Data warehousing and aggregation across industries could be an important role for government agencies such as DHS to play. A government-led data clearinghouse, similar to Verisk ISO products, could include a portal for insurers and infrastructure managers to share data on loss events and resilience measures, which could then be used by many insurers and infrastructure managers in their decision-making process. Publicly available probabilistic loss models, similar to those developed by the state of Florida for personal and commercial property to assess hurricane wind risk (and a new effort focused on flooding) or to ongoing open-source catastrophe modeling efforts such as the OASIS Loss Modeling Framework, which provides an open source platform for developing and using catastrophe models such as those for natural disasters, would also be valuable.
2. Amending the Stafford Act
The Robert T. Stafford Disaster Relief and Emergency Assistance Act, passed in 1988, authorizes federal disaster response activities, particularly as they pertain to FEMA programs. The Public Assistance program under the Stafford Act provides assistance to state and local governments for repair or replacement of disaster-damaged facilities, including transportation infrastructure. Managers of publicly owned transit and port systems that we interviewed indicated that they believe that the federal government would provide disaster assistance following a catastrophic event, and that federal support is a primary component of their risk management strategy. A researcher from the Transportation Research Board indicated that resilience improvements are much more common in private infrastructure because they know that they cannot rely on the government as an insurer of last resort.
Under the Stafford Act, in order to be eligible for additional federal funding in the future, an infrastructure system must become insured after receiving disaster relief. However, one infrastructure manager noted that his firm was able to gain a waiver for this requirement at the state level due to the high price and limited availability of insurance. Rather than simply granting such a waiver, though, we should be thinking about alternative ways of reducing risk if the purchasing of insurance is not feasible.
One proposed revision to the Stafford Act (Establishing a Deductible for FEMA’s Public Assistance Program 2017), which was presented for public comment in early 2017, requires that a disaster deductible be met prior to the receipt of recovery funds. This deductible potentially could be met via credit issued for the implementation of mitigation measures prior to a disaster. This legal modification could encourage infrastructure managers to put a renewed focus on resilience. Other proposed revisions allow for catastrophe bonds and risk reduction projects to potentially count towards insurance-coverage compliance requirements (after an infrastructure system receives disaster relief) when the purchase of traditional insurance is infeasible due to high premium costs and budgetary limitations.
3. Improving Cyber Risk Management
The number of reported cyber incidents for transportation systems has sharply increased in recent years (see Figure 1). The highest number of cases is reported in air transportation, followed by support activities for transportation and transit, which includes air traffic control, marine cargo handling, and motor vehicle towing (see Figure 2).
While insurance coverage is available for cyber risk, it is difficult to access high coverage limits and there are limitations in available coverage. For instance, coverage associated with a data breach may not include reputational damage or business interruption. A challenge for insurers of cyber risk is in building a diversified set of policyholders to provide a balanced portfolio of risks that are not highly correlated with respect to future disruptions. There are no geographical boundaries to cyber risk, which means that a single cyber event could impact infrastructure systems around the world. Pivotal cyber events could have far-reaching impacts, and insurance companies do not yet have a high enough confidence level to fully insure infrastructure systems against losses due to cyber risk. Insurers generally manage this correlation in risk through policy limitations and exclusions. For example, insurers are reluctant to offer high limits (above $500 million) due to concern with catastrophic claim payments from a severe cyber attack. If available data and models improve through government facilitation efforts, insurers may better understand and manage correlations in cyber risk.
The cyber-insurance market still needs to mature. Currently, coverage is generally based on what the potential policyholder is willing to pay, or on what other insurers are charging for similar policies. Data scarcity and information asymmetry are also issues, with insurers having limited tools for assessing an infrastructure system’s cyber risk. But insurers are developing empirical models which take advantage of information on past cyber events to more accurately assess cyber risk.
Government could play a role here by setting standards for cyber risk management, which would both improve risk management and increase cyber insurance uptake, as evidenced by the example of the California Data Breach Law of 2003. This law requires state agencies as well as companies and nonprofit organizations, regardless of geographic location, to notify California customers if their personal information maintained in electronic files has been compromised by unauthorized access. Federal agencies, such as the Department of Homeland Security and the National Science Foundation, can support cyber resilience and insurance by continuing to fund research and development for technology to assess cyber risks, such as models and systems for data management and sharing. The U.S. National Institute of Standards and Technology (NIST) has even been suggested as a provider of federal IT security standards, since it has already developed a voluntary Cybersecurity Framework with standards, guidelines, and best practices for managing cybersecurity risk. This framework includes a number of cybersecurity standards under the categories of identify, protect, detect, respond, and recover. As an example, one standard under the “protect” category states, “Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.”
4. Subsidizing Loans for Resilience Projects
Constrained budgets and limited funding inhibit resilience improvements to aging infrastructure systems. Normally, insurance covers replacement after an event but does not cover upgrading damaged facilities. Federal funding or loans are sometimes available for resilience improvements, but one infrastructure manager noted that they typically don’t use this funding because it does not cover 100 percent of their costs, and it is difficult to justify the required spending necessary to cover the remaining expenditures.
Day-to-day operational and maintenance funding is scarce for many infrastructure managers. They thus struggle with how to provide funding for longer-term resilience efforts pre-event. Federally subsidized low interest loans, such as those currently offered by the Federal Emergency Management Agency to owners of private property in hazard-prone areas, if made widely accessible for resilience projects, would help in this regard by enabling infrastructure managers to show a measurable return on investment. While an infrastructure system might not be able to afford a $5 million resilience improvement, with a 30-year loan at a three percent interest rate, their annual cost would be about $250,000, which could be deemed affordable by management. Insurance-linked securities could also fund resilience measures. Affordability could be further enhanced by reduced insurance premiums associated with the resilience measure where applicable.
Reducing the need for taxpayer money for future disaster relief and lessening community disruptions due to disasters should be top priorities for policymakers, particularly given the high damage values associated with recent weather and climate events. Transportation infrastructure damage constitutes a portion of this damage and hinders community recovery following a disruptive event. Both risk-based insurance and physical resilience improvements could be part of a strategy to reduce taxpayer expenditures and disruptions, but there is a need for support from key interested parties including private and public infrastructure managers, insurance companies, and policymakers at the local, state, and federal levels. Proactive steps to improve transportation infrastructure resilience will reduce federal disaster relief spending and enable communities to recover more quickly after future disasters.
About the Authors
Gina Tonn, PhD
Postdoctoral Researcher, Wharton Risk Management and Decision Processes Center
Dr. Tonn’s research involves the application of systems analysis methods in conjunction with water resources and environmental engineering methods to improve the understanding and management of risks associated with natural hazards in a changing climate. Her professional experience in environmental and water resources engineering includes floodplain modeling, mapping, and management, stormwater design, and cost-benefit analysis.
Jeffrey Czajkowski, PhD
Managing Director, Wharton Risk Management and Decision Processes Center
During his tenure with the Risk Center, Dr. Czajkowski has served as the Willis Research Network and Travelers Fellow, conducting research on various economic and risk-related issues of natural hazards, as well as environmental economics, with sponsored funding from the National Science Foundation, U.S. Geological Survey, National Oceanic and Atmospheric Administration, and State of Florida Division of Emergency Management. Previously, he was an Assistant Professor of Economics at Austin College and an Adjunct Assistant Research Professor at the International Hurricane Research Center at Florida International University.
Howard Kunreuther, PhD
Co-Director, Wharton Risk Management and Decision Processes Center
Dr. Kunreuther is the James G. Dinan Professor and Professor of Decision Sciences and Business Economics and Public Policy at the Wharton School. In addition, he is a Fellow of the American Association for the Advancement of Science, and a Distinguished Fellow of the Society for Risk Analysis. He served on the Intergovernmental Panel on Climate Change as a Coordinating Lead Author for the chapter on “Integrated Risk and Uncertainty Assessment of Climate Change Response Policies” in the 2014 IPCC report, and currently serves on the NAS/NRC Roundtable on Risk, Resilience, and Extreme Events.