From the U.S. Government Accountability Office, www.gao.gov

Transcript for: The Evolving Cyber Insurance Market

Description: Malicious cyberattacks have resulted in billions of dollars
in damages each year for U.S. businesses. As more cyber threats have
emerged, there has been increasing demand for insurance policies against
cyber-related damages. What are the trends in this market, and what is
the federal role in overseeing it? We talk with GAO's John Pendleton to
learn more.

Related GAO Work: GAO-21-477, Cyber Insurance: Insurers and
Policyholders Face Challenges in an Evolving Market

Released: May 2021

[Intro Music]

[John Pendleton:] Cyber risks are rising rapidly and the insurance
market is trying to sort out what the potential costs and risk are.  

[Holly Hobbs:] Hi and welcome to GAO’s Watchdog Report, your source for
news and information from the U.S. Government Accountability
Office—celebrating 100 years of fact-based, nonpartisan government
oversight. I'm Holly Hobbs. Malicious cyberattacks have resulted in
billions of dollars in damages each year for U.S. businesses. The recent
attacks on Colonial Pipeline and SolarWinds have highlighted the growing
frequency and scale of these attacks. As the threats increase, so has
demand for insurance policies against cyber-related damages. What are
the other trends in this market, and what is the federal role in
overseeing it? 
Today, we’ll talk with John Pendleton, a director in our Financial
Markets and Community Investment team, who has a new report out about
the trends in cyber insurance. Thank you for joining us, John.  

[John Pendleton:] Thanks for having me, Holly.  

[Holly Hobbs:] So John, who's buying cyber insurance and why?  

[John Pendleton:] Well, lots of different kinds of businesses need cyber
insurance. Educational institutions and health care need it because they
have our protected personal information. Hospitality and retail
businesses have our credit card information. Manufacturing and other
businesses face risk as well, such as ransomware--where their computer
systems and data are held hostage until a ransom is paid.  

[Holly Hobbs:] And what kind of things does cyber insurance cover?  

[John Pendleton:] It depends on the policy, and it's not completely
sorted out. Cyber coverage has often been packaged as part of broader
policies. But in recent years, the demand for specific cyber coverage
has been growing to cover losses of data, but mostly just to better
define exactly what is covered.

[Holly Hobbs:] And what can you tell us about the number of companies or
entities that pay for coverage and how that's changed?

[John Pendleton:] The take-up rates—which is an industry term for the
percentage of companies that elect cyber coverage—have nearly doubled
since 2016. When you look industry by industry, some of the biggest
growth in cyber coverage has been in education and hospitality. But we
saw growth across all ten of the industries that we reviewed.

[Holly Hobbs:] And do we know how a cyberattack—like the one on Colonial
Pipeline—might affect insurance trends?

[John Pendleton:] In a survey of agents and brokers in late 2020, about
three-quarters of them said they were seeing increasing demand for cyber
coverage. I can't predict the future Holly, but it seems likely that we
will see continued increasing demand given the cyberattacks we're seeing
in the news almost every day.  

[Holly Hobbs:] So let me ask this, if the demand for coverage has
increased, is that reducing the cost for coverage—helping spread the
risk across more people?  

[John Pendleton:] You might think so, but that's not what's happening so
far. Cyber premium costs have actually stayed pretty stable until
mid-2019. But they have increased markedly since.  Now more insurers are
getting into the business, but this doesn't seem to be decreasing
premium prices, at least not so far.  

[Holly Hobbs:] Do we know why prices have increased or how insurance
companies are measuring risk when developing insurance rates?  

[John Pendleton:] Put simply, I think just the perceived risk is
increasing, so insurers need to charge more to cover the risk. The
problem is that the insurers don't really have historical data on cyber
events and the costs associated with them. So, it's difficult to predict
what the losses will be.  

[Holly Hobbs:] So when you insure a car, for example, you would estimate
the value of the car and what damages could be--and that sets your policy
price. How are damages from cyberattacks estimated, and how are those
policy prices set?  

[John Pendleton:] That's actually a great comparison because it
illustrates the difference in a market where you have really good data.
We know how much cars cost, and we know that there's thousands of fender
benders and wrecks and such. You have good historical data there. 
That's not the case with cyberattacks. Insurers are trying to build
predictive models based on estimated losses from the things they know
now, like data breaches or ransomware. But insurers have little data for
several reasons. The big one is that organizations are reluctant to
share the details publicly when they get attacked, and there's no
centrally managed, consistent data on this.

[Music:] 

[Holly Hobbs:] So it sounds like the demand for cyber insurance policies
has increased along with the threat of cyberattacks, and that these
increases have highlighted some of the challenges in the
market—including how losses from attacks are estimated and how policies
are priced.  John, what's the federal government's role in monitoring
this industry to make sure there's common policies and practices?

[John Pendleton:] There are a couple of areas where the federal
government might get involved.  First, there was a federally chartered
commission that made several recommendations--one of which was enacting a
national cyber incident reporting system to kind of help with this
historical data problem. The data would be anonymized to encourage
reporting. The other wrinkle here, and it's a big one, is what the
federal role in liability would be if a cyberattack is determined to be
an act of terror. Let's say a large scale cyberattack hit the country's
critical infrastructure--say the energy sector. This could trigger a
special terrorism risk insurance provision that was stood up after 9/11.
But even if that fund is triggered, it could be used up very quickly
given the massive potential scale of the damage caused by a cyberattack.
And there are a lot of questions remaining about whether the Terrorism
Risk Fund is even appropriate for cyber. We have follow-on work now
underway to examine that question.

[Holly Hobbs:] And last question, what's the bottom line of this report?  

[John Pendleton:] Cyber risks are rising rapidly and the insurance
market is trying to sort out what the potential costs and risk are. So
demand for insurance coverage is growing rapidly, but the lack of
historical data about cyber incidents makes it difficult to assess risk
and set premium prices. The federal role could well be to help gather
that information. But a big and honestly kind of scary scenario is, if a
cyber event is deemed an act of terror and the losses are so substantial
that the insurance market cannot cover it.  Unfortunately, it's becoming
clearer by the day that this is not a theoretical or highly improbable
risk.  

[Holly Hobbs:] That was John Pendleton talking about GAO's recent review
of the cyber insurance market. Thank you for your time, John.

[John Pendleton:] Thank you, Holly.  

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To
hear more podcasts, subscribe to us on Apple Podcasts, Stitcher, Google
Podcasts, and more. And make sure you leave a rating and review to let
others know about the work we're doing. For more from the congressional
watchdog -- the U.S. Government Accountability Office -- visit us at
GAO.gov.