GAO: Cyber premiums rise as insurers struggle to assess risk

The increase in cyber insurance adoption and premium prices coincides with a changing — and more challenging — threat landscape, this according to a new GAO report on cyber insurance.

Malicious cyber activity poses a significant risk to the federal government and the nation's businesses and critical infrastructure, costing the U.S. billions of dollars each year. Threat actors are becoming increasingly capable of carrying out attacks, highlighting the need for a stable cyber insurance market, says GAO.

The report describes key trends in the current market for cyber insurance, and identified challenges faced by the cyber insurance market and options to address them. To conduct the study, GAO analyzed industry data on cyber insurance policies; reviewed reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry; and interviewed Treasury officials. GAO also interviewed two industry associations representing cyber insurance providers, an organization providing policy language services to insurers and one large cyber insurance provider.

Key trends in the current market for cyber insurance include the following:

Increasing take-up. Data from a global insurance broker indicate its clients’ take-up rate (proportion of existing clients electing coverage) for cyber insurance rose from 26 percent in 2016 to 47 percent in 2020 (see figure).
Price increases. Industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10–30 percent in late 2020.
Lower coverage limits. Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.
Cyber-specific policies. Insurers increasingly have offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits.

The cyber insurance industry faces multiple challenges; industry stakeholders have proposed options to help address these challenges.

Limited historical data on losses. Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyberattacks and price policies accordingly. Some industry participants said federal and state governments and industry could collaborate to collect and share incident data to assess risk and develop cyber insurance products.
Cyber policies lack common definitions. Industry stakeholders noted that differing definitions for policy terms, such as “cyberterrorism,” can lead to a lack of clarity on what is covered. They suggested that federal and state governments and the insurance industry could work collaboratively to advance common definitions.

Jack Kudale, founder and CEO of Cowbell Cyber, explains, "Current pressures in the cyber insurance market foster innovation. Next-generation cyber insurers already go beyond coverage and claim response. They partner with policyholders and offer proactive risk management resources while also applying a more rigorous technology-driven review of applicants that enables precise risk selection and underwriting."

Kudale adds, "As the cyber insurance market matures, there is an increased need for standardization - from applications, to risk assessment and coverages. Unlike car insurance for which drivers are asked to pass a test valid for years, cyber risks are constantly evolving. Because of the recent wave of ransomware attacks, cyber-crimes and other threats, policyholders should expect to be asked more questions at renewal. At the same time, cyber insurers are taking steps to clarify their coverage and remove ambiguity policy terms. The rise of standalone cyber insurance brings much needed clarification."

He says, "Moving forward, the role of the insurers must go beyond response and recovery to include education and prevention. For example, organizations need cyber policies which are bundled with complementary cybersecurity training for all insured’s employees. This will eradicate one of the basic root causes of many attacks: an employee clicking on a phishing email. Organizations must increase employees awareness on cybersecurity so that they can be the first line of defense and recognize malicious activities."

"Cyber insurance is increasingly seen as a useful part of risk mitigation planning. With a diverse array of policies there is still often confusion over what type is appropriate or really covers an assured’s needs. There are now mature hyper-focused policies that cover physical damage from a cyber-attack, acknowledging the progress and movement in the IOT world. However, a lot of commodity Cyber cover has moved away from covering penalties associated with data loss – without a more clear evaluation of the policy. The growing trend is that cyber insurers provide a platform of services to their assured base and can help facilitate the right activity in the event of a breach. There has been some backlash to this however as it creates a closed market place with concerns about pricing and independence," says Andrew Barratt, Managing Principal, Solutions and Investigations at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services.

Barratt says, "The insurance space has invested significantly in getting a good understanding of cyber threats – but they’re in a near persistent state of catch up except for a subset that also operate cyber security consulting/assurance businesses. Couple this with the lack of relevant risk based data, and a threat that operates very differently to the way actuarial data manages other risks makes it challenging for them to have cover that covers adversarial threats without applying it to a large volume of assureds and using exclusions to manage out aggregate risks to their whole portfolio."

Situational awareness should be at the forefront of your security program. It can mean the difference between life and death in a workplace emergency.

Security’s digital transformation is now entering stage 5. Complex security technologies are connected to HR systems, global security operations centers, and other building technologies in a world where employees now work in two places: home and the corporate office.