Attacks and Vulnerabilities
Critical infrastructure
Industrial Cyber Attacks
Industries
Malware, Phishing & Ransomware
News
Threat Landscape
Vulnerabilities

Cyber attacks give boost to cyber insurance market, but challenges are many

May 25, 2021
cyber insurance

Rising instances of cybersecurity attacks on the nation’s critical infrastructure and organizations have had an effect on cyber insurance, which led to more clients opting for cyber coverage, according to a study by the U.S. Government Accountability Office (GAO). Challenges, including the need for common terminology, abound in the cyber insurance market. 

The study conducted from January to May this year found that cyber insurance can help offset the costs of responding to and recovering from cyberattacks. The growing frequency and severity of cyberattacks have led more insurance clients to opt for cyber coverage, increasing from 26 percent in 2016 to 47 percent in 2020, according to a GAO study.

The study was conducted by the GAO as the National Defense Authorization Act for Fiscal Year 2021 includes a provision for the agency to study the U.S. cyber insurance market. To conduct this work, GAO analyzed industry data on cyber insurance policies, reviewed reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry, and interviewed Treasury officials. The GAO also interviewed two industry associations representing cyber insurance providers – an organization providing policy language services to insurers and a large cyber insurance provider.

Industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10 to 30 percent in late 2020, according to the report. Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.

Insurers have increasingly offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits, it added.

The audit by the GAO comes in the wake of rising malicious cyber activity, attacking the nation’s businesses and critical infrastructure, as cyber risk continues to evolve as technology and the methods of cyberattack change, making it difficult for insurers to underwrite coverage. Hackers are also becoming increasingly capable of carrying out attacks, highlighting the need for a stable cyber insurance market. 

The sophistication of the hackers makes it difficult to create a reliable predictive model when it is not clear what new objective, strategy, or technique cyber attackers may deploy, the GAO study said. In addition, a single cyberattack could damage multiple businesses and result in significant losses.

The cyber insurance industry is faced with numerous challenges, though industry stakeholders have proposed options to help address these challenges. The existence of limited historical data on losses is one such hurdle. Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyberattacks and price policies accordingly. 

According to a report by the Deloitte Center for Financial Services, these limitations make it difficult to build the predictive models that help assess the probability of loss from a cyberattack. The report also noted no comprehensive, centralized source of information about cyber events exists for insurers to access. Some industry participants said federal and state governments and industry should collaborate to collect and share incident data to assess risk and develop cyber insurance products. 

In addition, a 2020 report by the International Association of Insurance Supervisors revealed that incomplete or inaccurate historical data on cyber incidents decreases the reliability of actuarial models, leading to increases in uncertainty around loss estimates. Without access to such data, some industry participants and researchers are concerned that current prices for cyber policies may not accurately reflect risk.

Support for better data collection dates back several years. During Department of Homeland Security working sessions of the Cyber Incident Data and Analysis Working Group, industry participants suggested that an anonymized cyber incident data repository could foster voluntary data sharing about attacks, data breaches, and business interruptions, the GAO report said. Participants suggested that a repository to share, store, aggregate, and analyze sensitive cyber event data would help promote a greater understanding of the financial and operational effects of cyber events.

Another issue faced by insurers is that cyber policies lack common definitions. Industry stakeholders noted that differing definitions for policy terms, such as ‘cyberterrorism,’ can lead to a lack of clarity on what is covered, the GAO study said. They suggested that federal and state governments and the insurance industry could work collaboratively to advance common definitions. 

A report by the Congressional Research Service found a lack of consensus on what defines a cyberattack. Similarly, a report by the Geneva Association noted that neither ‘cyber war’ nor ‘cyberterrorism’ has a common definition in the insurance market, according to the GAO study. It also noted that no global consensus exists on the exact behavior or criteria that define a cyber event as either terrorism or warfare. Finally, representatives from the Council of Insurance Agents and Brokers said that insurers may define ransomware attacks in different ways.

According to the Geneva Association, common terminology could lead to a more sustainable cyber market in which insurers could make informed choices about the levels of coverage and policyholders could understand their insurance protection, the GAO study said. Some industry stakeholders recommended increased clarity and transparency in insurance language, including uniform definitions for key insurance terms.

The GAO study also raises the prospect that the market may be leaving behind smaller businesses that can’t afford coverage. “Small businesses may purchase cyber insurance less often if they perceive their risks to be minimal or policies too costly,” the GAO noted. “The extent to which cyber insurance will continue to be generally available and affordable remains uncertain.”

The agency had in March delivered an update that the federal government needs to move with greater urgency to improve the nation’s cybersecurity, as the country faces grave and rising cybersecurity threats. In its report, the GAO said that the government needs to take 10 critical actions to address four major challenges that the agency identified in 2018, including securing federal systems and protecting critical infrastructure, privacy, and sensitive data.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations