Cyber insurance has been around for about 20 years. These insurance policies cover common cyber-related losses, such as those associated with data breaches and ransomware attacks that result in loss of business or disruptions.
But while more companies may be looking for insurance against attacks, stability in premium rates and access to policies are changing. Large-scale attacks—such as last year’s Colonial Pipeline ransomware attack, which led to short-lived gasoline shortages in the Southeastern U.S.—have highlighted the potential for catastrophic financial damages. As a result, insurers are starting to take steps to limit their exposure to these losses.
Today’s WatchBlog post looks at how the insurance market is reacting to increased cyberthreats, as well as the potential federal role in this market.
You can also learn more by listening to our podcast with GAO’s Dan Garcia-Diaz, who led work on our latest cyber insurance report.
Increased demand and risks challenge pricing and coverage
In our 2021 report, we found that more insurance clients are opting-in for cyber coverage—up from 26% in 2016 to 47% in 2020. At the same time, U.S. insurance entities saw the costs of cyberattacks nearly double between 2016 and 2019. And as a result, insurance premiums also saw major increases.
As demand for cyber insurance has increased, so has uncertainty about the market. It’s become more challenging to price cyber risk and to make this coverage available.
The cost of cyber insurance is based in part on the frequency, severity, and cost of cyberattacks, all of which have been increasing. The uncertainty about future threats also plays a role, and insurers have become more selective about who and what gets covered. In our 2021 report, we found that a number of insurers reduced coverage limits or increased premiums for higher-risk organizations and industries, such as academic institutions or the health care and public sectors.
Insurers have also tightened policy terms and conditions to reduce unexpected losses from cyberattacks. Traditionally, commercial property and casualty policies could include limited cyber coverage. But now, carriers are becoming less likely to include it, and are instead offering cyber coverage separately. For policyholders, these changes translate into fewer coverage options, stricter standards, and more exclusions.
The potential federal role
The effects of a cyberattack on large companies or critical infrastructure (for example, pipelines or water treatment facilities) can have broader, lasting impacts on the U.S. economy and national security.
The federal Terrorism Risk Insurance Program (TRIP) was established after the September 11, 2001 attacks and can cover terrorism losses on eligible cyber policies. However, in our new report, we found that cyberattacks don't tend to meet the criteria to qualify for TRIP coverage. Covered terrorist attacks must be violent or coercive in nature.
Federal entities—such as the Federal Insurance Office (within Treasury) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)—have taken steps to understand the financial implications of growing cybersecurity risks. But, we found they haven’t assessed what the federal role should be in the event of a catastrophic cyber incident.
Completing such an assessment will help Congress in considering whether a federal insurance response is warranted. We recommended that both the Federal Insurance Office and CISA take these important steps.
- Comments on GAO’s WatchBlog? Contact firstname.lastname@example.org.