Cyber Insurance: Higher Premiums, Limited CoverageGAO Report Summarizes Market Trends
The increasing number of cyberthreats, especially ransomware attacks, is leading some cyber insurers to raise premiums and limit some coverage in hard-hit sectors, such as healthcare and education, according to a report from the Government Accountability Office.
A GAO survey of cyber insurance brokers found that in 2020, about half of respondents reported premiums increased 10% to 30% for their clients. Plus, some insurers reduced the amount of coverage they provided in sectors seeing a surge in attacks, the GAO reports.
The GAO report also found that the percentage of organizations eligible for cyber insurance coverage that have actually purchased it grew to 47% in 2020, up from 26% in 2016.
In particular, more companies in the hospitality and retail sectors, which are increasingly collecting more of their customers' payment card data, sought cyber insurance, the report notes. Demand also grew in the manufacturing sector as a result of risk management efforts, the GAO found.
"Underwriters have been more carefully scrutinizing the risks posed by all entities, regardless of size or sector, which could affect future cyber insurance availability and affordability," according to the GAO. "They noted that insurers have become more selective in extending coverage to high-risk entities and industries and increasing prices of coverage they offer. This caution has been in response to the increasing frequency, severity and cost of cyberattacks and uncertainty about the type, scope and targets of future attacks."
Hefty Ransom Payments
Earlier this month, CNA Financial reportedly paid a $40 million ransom after a ransomware attack, and the CEO of Colonial Pipeline Co. admitted that his firm paid $4.4 million to a criminal gang after a ransomware attack led the company to shut down its 5,500 mile-long pipeline for nearly a week. A Congressional hearing on that attack has been scheduled for June (see: Colonial Pipeline CEO to Testify at Congressional Hearing).
It's not clear whether Colonial Pipeline and CNA are seeking reimbursement from their insurance companies for the ransoms paid.
Meanwhile, global insurer AXA reportedly told its French clients that it would no longer reimburse them for the expense of paying ransoms to cybercriminal groups.
Some insurance companies are getting involved in negotiating with crime gangs about the size of ransom payments, says John Pescatore, director for emerging security trends at the SANS Institute (see: How Risky Is Cyber Insurance?).
"The insurers are heavily involved in - for example - negotiations when there are ransomware demands and they want to know a lot of things in advance," Pescatore recently told Information Security Media Group. "For organizations that have said one thing when they have tried to obtain cybersecurity insurance and then it comes out that you have handled things differently when you try and make a claim - that's grounds for them denying the claim. So it really does have a lot of impact."
A Lack of Data
The GAO conducted its cyber insurance study to fulfill a requirement of the National Defense Authorization Act for 2021.
The GAO study found that the insurance industry still lacks the data necessary to better understand market trends and how incidents such as ransomware attacks can affect organizations.
"Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyberattacks and price policies accordingly," the GAO survey notes.
Andrew Barratt, the managing principal for solutions and investigations at security consulting firm Coalfire, says that despite the advances made in the cyber insurance market over the last several years, insurers are still playing catch-up when it comes to understanding the risk organizations face.
"The insurance space has invested significantly in getting a good understanding of cyberthreats - but they’re in a near persistent state of catch-up," Barratt says. "Couple this with the lack of relevant risk-based data - and a threat that operates very differently to the way actuarial data manages other risks - makes it challenging for them to have coverage that covers adversarial threats without applying it to a large volume of assureds and using exclusions to manage out aggregate risks to their whole portfolio."
The GAO report also notes that due to increases in premiums, smaller businesses are in danger of being priced out of this market.
"A combination of factors likely contributed to lower take-up rates for small and mid-size entities: underestimation of cyber risks, difficulty understanding coverages, belief that current coverage is adequate, and affordability concerns," the GAO notes.
A Call for Standardization
Jack Kudale, founder and CEO of Cowbell Cyber, a Pleasanton, California-based cyber insurance provider, notes that as the market evolves, more standardization is needed to ensure that companies can get access to policies that they need.
"Unlike car insurance, for which drivers are asked to pass a test valid for years, cyber risks are constantly evolving," Kudale says. "Because of the recent wave of ransomware attacks, cybercrimes and other threats, policyholders should expect to be asked more questions at renewal. At the same time, cyber insurers are taking steps to clarify their coverage and remove ambiguous policy terms. The rise of standalone cyber insurance brings much-needed clarification."