The skyrocketing number of cyberattacks is driving up cyber insurance demand and premiums - but it's also leading to a moment of self-reckoning within the cyber insurance market, as insurers struggle to fine-tune their policies to keep up with unprecedented cyber risks, according to a recent report from the U.S. Government Accountability Office (GAO).
On the one hand, demand for cyber insurance is at an all-time high. The GAO report found that the number of insurance customers opting for cyber insurance rose from 26 percent in 2016 to 47 percent in 2020, driven by the growing frequency and severity of cyberattacks. This increased demand has also nudged insurer costs higher, with GAO’s survey of insurance brokers revealing that more than half of clients’ insurance premiums rose between 10 and 30 percent in late 2020.
However, the GAO report underscored that a rapidly evolving level of cyber risk is creating uncertainty in how affordable and available cyber insurance policies will be - especially for industries considered more “high-risk,” such as healthcare and education.
“Cyber risk continues to evolve as technology and the methods of cyberattack change, making it difficult for insurers to underwrite coverage,” according to the GAO report, which was provisioned by the National Defense Authorization Act for Fiscal Year 2021. “This makes it difficult to create a reliable predictive model when it is not clear what new objective, strategy, or technique cyber threat actors may deploy.”
Cyber Insurance Challenges
The slew of cyberattacks hitting businesses is posing a number of novel pain points for cyber insurers. Insurance companies typically use historical loss data to set premium rates for insurance products; however, when it comes to cybersecurity, insurers do not yet have enough comprehensive data on cyber losses to quantify this risk accurately. This makes it difficult for insurers to estimate potential losses from cyberattacks and develop policies around them, which could ultimately mean that current pricing for policies may not accurately reflect the risk.
“The setting of rates is very difficult to do,” said Herbert Lin, senior research scholar at the Center for International Security and Cooperation at Stanford. “Part of the issue is that you don’t know how cyber hard the target is. There’s very little information and there aren’t actuarial statistics to discover the likelihood of attacks.”
For instance, when insurance companies look at the actuarial statistics related to home fires, the number of techniques for burning down a house - from arson to electrical risks in the wall - is relatively small and has set probability rates, Lin said. On the other hand, the potential cyberattacks threatening a company, and their potential impact, are wide-ranging. Cybercriminals are also constantly upping their game in launching attacks with new or sophisticated tactics, making risk difficult to quantify.
“If I’m a cyberattacker, the last thing I want to do is be part of a probability distribution - I want to do things that are unlikely,” said Lin.
Dovetailing with this challenge is a lack of clarity around security-related terms and what they mean for cyber insurance policies. For instance, terms such as “cyberterrorism,” “cyberwar” and even “ransomware” do not have a solid definition within the cyber insurance industry with respect to how they affect companies’ risk and how they can be covered, which could cause misunderstandings between insurers and their clients, according to the GAO report.
“Some industry stakeholders recommended increased clarity and transparency in insurance language, including uniform definitions for key insurance terms,” according to GAO’s report.
The insurance sector has also struggled with how to deal with the ransomware epidemic, as more ransomware victims - such as the University of Utah in an August attack - rely on cyber insurance policies to help shoulder their ransom payouts. The help cyber insurance companies provide with payouts has previously been criticized by security researchers, who argue that it further incentivizes ransomware attackers to launch attacks. At the same time, the U.S. Department of Treasury has also cracked down on cyber insurance ransomware payouts, in October saying that companies that facilitate the payouts to cybercriminals on behalf of victims may face sanctions. These ransomware challenges recently led one global insurer, AXA, to reportedly stop reimbursing French companies for ransomware payments to cybercriminals.
Keeping Up With Evolving Risk
While cyberattacks are increasing cyber insurance take-up, they are also causing insurers to look more carefully at specific factors - like a company's industry and how a business uses data - when determining the cost and affordability of cyber insurance coverage.
Underwriters are beginning to scrutinize more carefully the security risks facing different companies. The GAO report highlighted how insurers are becoming more selective in extending coverage to industries considered high risk, for instance, and increasing the prices of coverage in order to reduce cyber coverage limits for riskier industry sectors that are often harder hit by ransomware attacks, such as healthcare and education. These two sectors were also some of the highest in terms of cyber insurance take-up rates between 2016 and 2020 (as well as the hospitality, retail and manufacturing sectors, according to GAO). At the same time, insurers are also tightening policy terms and conditions for cyber-specific coverage.
“These restrictions seek to eliminate coverage of ‘silent’ cyber risks that could damage multiple businesses and result in insurers accumulating significant unforeseen losses that could pose a risk to their solvency,” according to the GAO’s report.
A heightened focus on cyber insurance challenges may lead to future opportunities to help the market overcome some of these hurdles. For instance, a recent report by the U.S. Cyberspace Solarium Commission pointed to Congress establishing an entity to collect data to better understand cyber risk and help the insurance industry create better risk models, said the GAO. However, insurance industry participants are concerned that businesses lack an understanding of the cyber risk they face overall and of the potential costs of a cyberattack to their businesses. The GAO report found that companies (particularly smaller businesses) may underestimate their cyber risks and the cyber coverage needed to mitigate those risks.
With this in mind, “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain,” according to the GAO report. “Despite the upward trend in take-up rates to date, insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as health care and education and for public-sector entities.”