(GAO) Large-scale cyberattacks—like those on Colonial Pipeline earlier this month and SolarWinds in September—have highlighted the growing threats these hacks pose to U.S. businesses. As threats grow, so do the number of businesses turning to cyber insurance for protection from financial losses.
Similar to auto or homeowners insurance, cyber insurance protects businesses from loses caused by an event covered under the user’s policy. What’s covered, the costs of that coverage, and the terms of a policy can vary, but cyber insurance can help businesses manage cyber risks and recover from losses associated with attacks, including disruptions in business and legal expenses.
Today’s WatchBlog post explores our work on the increased demand for cyber insurance and the questions highlighted by this market’s growth. Also, tune in to our podcast with GAO’s John Pendleton about trends in the cyber insurance market.
The Evolving Cyber Insurance Market
Increase in demand
Between 2016 and 2019, the costs of cyberattacks to U.S. insurers almost doubled. During this same time period, the number of cyber policies increased by about 60%. Similarly, the number of insurers offering cyber insurance increased by about 35% between 2016 and 2019.
Growing pains in the cyber insurance market
As demand and supply for cyber insurance has increased, so has uncertainty about the market. For example, it’s become more challenging to price cyber risk and to make this coverage available. Just like the cost of car insurance is in part based on the number of accidents that a driver has been in, the cost of cyber insurance is based in part on the frequency, severity, and cost of cyberattacks, all of which have been increasing. The uncertainty about future threats also plays a role, and insurers have become more selective about who gets covered and what gets covered. Recently, a number of insurers reduced coverage limits or increased premiums for higher-risk organizations and industries, such as academic institutions or the health care and public sectors.
Insurers have also tightened policy terms and conditions to reduce unexpected losses from cyberattacks. Traditionally, commercial property and casualty policies could include limited cyber coverage, but now, carriers are becoming less likely to include it, and are instead offering cyber coverage separately. For policyholders, these changes translate into fewer coverage options, stricter standards, and more exclusions. For insurers, this translates to less exposure to risk and lower likelihood of having to pay claims.
Challenges in measuring risk and the costs of cyberattacks
In the insurance industry, incorrect pricing can lead to losses that carriers may not be able to cover, which could lead to insolvency. Cyber insurance companies face a number of challenges when trying to estimate the costs and risks of cyberattacks, and when creating policy prices.
First, insurance companies rely on data to forecast risks and determine policy rates for coverage. However, because the cyber insurance market is fairly new, there isn’t a lot of data available. Without good data, insurers struggle to create accurate policy cost estimates. As a result, current prices for cyber policies may not accurately reflect the risk the insurers are taking on, or the potential losses that they are covering.
In addition, cyberthreats are constantly evolving, which means the risks organizations face also evolve. This makes it difficult for the insurance market to keep up with trends in cyber risks and for insurers to underwrite cyber policies.
Finally, cyberattacks have the potential to quickly escalate from one business to many businesses, which can translate into unpredictable losses. For example, in 2017, Russian hackers unleashed a cyberattack against Ukraine, which spread globally within hours. U.S. companies came to a halt as a result of this attack, which ultimately cost the companies billions of dollars.
To learn more about trends in the cyber insurance market and the challenges facing this market, check out our new report.
Questions on the content of this post?
Contact John Pendleton at PendletonJ@gao.gov.
Comments on GAO’s WatchBlog? Contact email@example.com.