A rising number of cybersecurity attacks on the nation’s critical infrastructure and organizations has affected the cyber insurance market, leading more clients to opt for cyber coverage, according to a study by the U.S. Government Accountability Office (GAO). Challenges, including the need for common terminology, abound in the cyber insurance market.
The study, conducted from January to May this year, found that cyber insurance can help offset the costs of responding to and recovering from cyberattacks. The growing frequency and severity of cyberattacks have led more insurance clients to opt for cyber coverage, increasing from 26 percent in 2016 to 47 percent in 2020, according to the GAO study.
The GAO conducted the study because the National Defense Authorization Act for Fiscal Year 2021 includes a provision for the agency to study the U.S. cyber insurance market. To conduct this work, GAO analyzed industry data on cyber insurance policies, reviewed reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry, and interviewed Treasury officials. The GAO also interviewed two industry associations representing cyber insurance providers – an organization providing policy language services to insurers and a large cyber insurance provider.
Industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10 to 30 percent in late 2020, according to the report. Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.
Insurers have increasingly offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits, it added.
The GAO audit comes in the wake of rising malicious cyber activity targeting the nation’s businesses and critical infrastructure. Cyber risk continues to evolve as technology and the methods of cyberattack change, making it difficult for insurers to underwrite coverage. Hackers are also becoming increasingly capable of carrying out attacks, highlighting the need for a stable cyber insurance market.
The sophistication of the hackers makes it difficult to create a reliable predictive model when it is not clear what new objective, strategy, or technique cyber attackers may deploy, the GAO study said. In addition, a single cyberattack could damage multiple businesses and result in significant losses.
The cyber insurance industry faces numerous challenges, though industry stakeholders have proposed options to help address them. Limited historical data on losses is one such hurdle. Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyberattacks and price policies accordingly.
According to a report by the Deloitte Center for Financial Services, these limitations make it difficult to build the predictive models that help assess the probability of loss from a cyberattack. The report also noted that no comprehensive, centralized source of information about cyber events exists for insurers to access. Some industry participants said federal and state governments and industry should collaborate to collect and share incident data to assess risk and develop cyber insurance products.
In addition, a 2020 report by the International Association of Insurance Supervisors revealed that incomplete or inaccurate historical data on cyber incidents decreases the reliability of actuarial models, leading to increases in uncertainty around loss estimates. Without access to such data, some industry participants and researchers are concerned that current prices for cyber policies may not accurately reflect risk.
Support for better data collection dates back several years. During Department of Homeland Security working sessions of the Cyber Incident Data and Analysis Working Group, industry participants suggested that an anonymized cyber incident data repository could foster voluntary data sharing about attacks, data breaches, and business interruptions, the GAO report said. Participants suggested that a repository to share, store, aggregate, and analyze sensitive cyber event data would help promote a greater understanding of the financial and operational effects of cyber events.
Another issue faced by insurers is that cyber policies lack common definitions. Industry stakeholders noted that differing definitions for policy terms, such as ‘cyberterrorism,’ can lead to a lack of clarity on what is covered, the GAO study said. They suggested that federal and state governments and the insurance industry could work collaboratively to advance common definitions.
A report by the Congressional Research Service found a lack of consensus on what defines a cyberattack. Similarly, a report by the Geneva Association noted that neither ‘cyber war’ nor ‘cyberterrorism’ has a common definition in the insurance market, according to the GAO study. It also noted that no global consensus exists on the exact behavior or criteria that define a cyber event as either terrorism or warfare. Finally, representatives from the Council of Insurance Agents and Brokers said that insurers may define ransomware attacks in different ways.
According to the Geneva Association, common terminology could lead to a more sustainable cyber market in which insurers could make informed choices about the levels of coverage and policyholders could understand their insurance protection, the GAO study said. Some industry stakeholders recommended increased clarity and transparency in insurance language, including uniform definitions for key insurance terms.
The GAO study also raises the prospect that the market may be leaving behind smaller businesses that can’t afford coverage. “Small businesses may purchase cyber insurance less often if they perceive their risks to be minimal or policies too costly,” the GAO noted. “The extent to which cyber insurance will continue to be generally available and affordable remains uncertain.”
In March, the agency delivered an update stating that the federal government needs to move with greater urgency to improve the nation’s cybersecurity, as the country faces grave and rising cybersecurity threats. In its report, the GAO said that the government needs to take 10 critical actions to address four major challenges that the agency identified in 2018, including securing federal systems and protecting critical infrastructure, privacy, and sensitive data.