A federal watchdog agency found that while the cybersecurity insurance market boomed in recent years, rising premiums and struggles by some insurers to quantify the costs and losses that stem from cyber incidents remain some of the biggest obstacles to further adoption.
In a report released May 20, the Government Accountability Office looked at how the private cybersecurity insurance market has developed over the past five years, its growing use in different industrial sectors and how the market is changing in response to years of devastating and expensive cyberattacks.
Data from at least one insurance broker tracked a near doubling of clients who were opting in for cyber-specific insurance from 26% in 2016 to 47% in 2020. Overall, insurance companies seem to be responding to increased demand from clients for cyber-specific insurance, and one survey found that the two things most likely to spur a purchase of cyber insurance are when a business experiences a cyber attack and when they hear about other companies being hit by a cyber attack.
Small and mid-sized businesses tended to lag behind larger enterprises, something auditors think is being driven by a broader underestimation of cyber risks, trouble understanding the nuances of coverage, concerns about cost and a prevailing attitude that their current coverage is sufficient to cover their needs. Other data sources indicated that industry type and how a business chooses to use its data also impacted the cost and affordability of coverage.
Not surprisingly education and healthcare (two sectors pummeled in recent years by ransomware actors) had the highest “take up” rates of cyber insurance between 2016 and 2020, while hospitality and retail – two sectors that were forced to undergo some of the most drastic changes to their IT operations in the wake of the coronavirus pandemic – saw the most rapid growth. The figures suggest the sectors that bore the full brunt of some of the worst cyber attacks of the pandemic were the most likely to see the value of insuring specifically around cyber threats.
“I think companies are finally realizing that just because they are a small mom and pop or a couple-million-dollar company doesn’t mean that they’re not at risk,” said Catherine Lyle, head of claims at cyber insurer Coalition, in an interview. “And we’ve seen all of that, I’ve seen everything from one to two person companies to thousand employee companies being hit.”
However, auditors argue there is growing evidence that mounting financial losses from years of payouts to ransomware actors or companies in the wake of a data breach may be taking their toll on insurers’ pocketbooks, leading them to reevaluate their coverage models. Despite the upward trend in companies opting for cyber insurance auditors concluded that “insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as health care and education and for public-sector entities.”
Data from multiple sources indicated the contraction stems from “increasing losses from cyberattacks, the threat of future attacks, and overall insurance market conditions,” the report states. This reticence could be behind a substantial increase in cyber insurance premiums observed in recent years, with many plans shooting up 10-30% in costs during the second half of 2020. Lyle said the same rush of companies to shift some of their financial risks around cybersecurity to insurance also likely contributed to those increases.
"That of course then increases the price, that's how you get a hardening of a market," said Lyle. "Within Coalition we are not lowering coverage limits...what we're focusing on is better underwriting [and] using what we have in our technology tool belt to provide better products to the client."
The report concluded that some insurers may be struggling to develop cyber-specific coverage because they lack enough historical data to accurately estimate the costs of the plans they offer. Benjamin Wright, an attorney who teaches data security and investigations law at the SANS Institute, posited that the 2017 NotPetya ransomware attacks were so devastating to the insurance market – costing upwards of $2.7 billion in damages – that it caused a broader reevaluation of cyber risk by the industry.
John Pescatore, director of emerging security trends at the SANS Institute, said last week that this lack of data is causing the market costs of cyber insurance to be more sensitive and yo-yo in response to short-term conditions or developments.
“If you ever go to a restaurant and felt like having a nice lobster dinner, you probably saw the menu say ‘market priced’, because who knows how many lobsters they caught that day, or that time a month or that year? The pricing is really variable in what lobsters cost on a day-to-day basis, it can fluctuate wildly," said Pescatore during a 2021 RSA Conference panel on cyber insurance on May 18. "That’s sort of what the case is [today] for cyber insurance, it’s essentially market price.”
In fact, GAO analysts believe that the federal government might even be obligated to cover some of the financial losses of insurers. For instance, the Terrorism Risk Insurance Program (TRIP) in the Department of Treasury requires the government to share some of the losses that private insurers incur in the event of a “a certified act of terrorism.” Auditors said they plan to explore the extent that TRIP and the 2002 Terrorism Risk Insurance Act are structured to address cyberattacks or cyberterrorism in a future report.
“Losses from cyberattacks might be reimbursed under TRIP if the attacks met certain certification criteria specified by the program,” the authors wrote.
Lyle pushed back against some of the GAO’s findings, saying some of the conclusions appear more suited to what she called “traditional” insurance carriers more broadly, rather than cybersecurity-specific insurers like Coalition. Wright noted that such companies often offer add on services like incident response or ransomware negotiation services that are customized to the cybersecurity world.
For instance, on the lack historical data on cyberattack-related costs, Lyle said that while such data are typically what underpins insurance coverage costs in other areas, cyber insurers rely on it less and are able to get insight into a client’s specific cybersecurity risks in different ways. Coalition uses sans of the organization’s internet-facing IT assets and utilizes other in-house technology tools to gather information on an organization’s hygiene and other digital weaknesses. Often times, that information is used to help develop more specific phrases or wording related to coverage.
“When you look at putting these products together, I think you have to look at it from different perspectives and you have to change,” said Lyle. “With cyber, you have to change the way that you underwrite and the way that you think about the product itself.”