GAO Report Highlights Uncertainty Around Cyber-Insurance Market

May 21, 2021

Despite increasing take-up rates for cyber insurance, the extent to which the coverage will continue to be generally available and affordable is uncertain, according to a new report from the US Government Accountability Office (GAO).

Insurers' appetite and capacity for underwriting cyber risk have contracted recently, the GAO found, especially in high-risk industries such as health care and education and for public sector agencies.

Citing information from the Council of Insurance Agents and Brokers, Marsh, and A.M. Best, the GAO report, "Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market," notes that the cyber-insurance market contraction is the result of increasing losses from cyber attacks, the threat of future attacks, and overall insurance market conditions.

Industry representatives and reports the GAO consulted in its research noted that underwriters have become more careful in scrutinizing the risks posed by all entities, regardless of size or sector, which could have an impact on the future availability and affordability of cyber insurance. That underwriting caution has come in response to the increasing frequency, severity, and cost of cyber attacks and uncertainty about the type, scope, and targets of future attacks, the GAO found.

The report noted that demand for cyber-risk insurance has grown as entities better understand the risk. Meanwhile, after holding steady in 2017 and 2018, cyber-insurance premiums increased dramatically in 2020, with more than half of the brokers the GAO surveyed reporting their clients experienced a 10–30 percent increase in cyber-insurance premiums from the third to the fourth quarter of 2020.

The cyber-insurance industry faces multiple challenges, according to the GAO report, including limited historical loss data that can make it difficult for insurers to estimate potential losses and price policies appropriately. The report said some industry participants suggested collaboration among federal and state governments and the industry to collect and share incident data to help assess risks and develop cyber-insurance policies.

In addition, cyber policies lack common definitions, according to the report, leading to a lack of clarity on what's covered.

The National Defense Authorization Act for fiscal year 2021 included a provision for the GAO to study the US cyber-insurance market. The GAO noted that malicious cyber activity poses a significant risk to the federal government, US businesses, and critical infrastructure and costs the US billions of dollars annually. Meanwhile, threat actors are becoming increasingly capable of carrying out attacks, underscoring the need for a stable cyber-insurance market, the GAO said.
