New research reveals that a record number of organizations are buying cyber insurance policies as a means of protecting themselves against cyber risk.
However, the cost for those policies is rising dramatically as cyber insurance premiums soar up to 30% versus the previous year.
We know about these trends because of a report from the United States Government Accountability Office (GAO).
The National Defense Authorization Act for Fiscal Year 2021 includes a provision for the GAO to study the U.S. cyber insurance market, and the results are in.
Current trends in the U.S. cyber insurance market
The chart below shows how one major insurance broker has seen a dramatic increase in the percentage of its clients purchasing cyber-specific insurance policies. In the industry, they call these take-up rates, and these rates nearly doubled between 2016 and 2020.
The GAO report discusses four key trends in the current cyber insurance landscape:
- "Increasing take-up. Data from a global insurance broker indicate its clients' take-up rate (proportion of existing clients electing coverage) for cyber insurance rose from 26 percent in 2016 to 47 percent in 2020 (see figure).
- Price increases. Industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents' clients saw prices go up 10–30 percent in late 2020.
- Lower coverage limits. Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.
- Cyber-specific policies. Insurers increasingly have offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits."
The report continues on to discuss two major challenges the industry is facing and what can be done.
The first challenge is there is limited historical data on losses. Meaning that without comprehensive, high-quality data, it will be difficult to estimate potential losses and corresponding policy pricing.
The second is that cyber policies lack common definitions. This can lead to a lack of understanding of what is actually covered in the policy.
Industry experts weigh in on cyber insurance
Combing through data and reports can provide valuable insights, but we all know it takes a lot more than that to craft effective policies.
What do professionals who work in the space actually think?
Here is what Andrew Barratt, Managing Principal of Solutions and Investigations at Coalfire, believes:
"Cyber insurance is increasingly seen as a useful part of risk mitigation planning. With a diverse array of policies there is still often confusion over what type is appropriate or really covers an assured's needs. There are now mature hyper-focused policies that cover physical damage from a cyber-attack, acknowledging the progress and movement in the IoT world.
However, a lot of commodity Cyber cover has moved away from covering penalties associated with data loss—without a more clear evaluation of the policy. The growing trend is that cyber insurers provide a platform of services to their assured base and can help facilitate the right activity in the event of a breach. There has been some backlash to this however as it creates a closed marketplace with concerns about pricing and independence."
And here are some thoughts from Jack Kudale, Founder and CEO at Cowbell Cyber:
"Current pressures in the cyber insurance market foster innovation. Next-generation cyber insurers already go beyond coverage and claim response. They partner with policyholders and offer proactive risk management resources while also applying a more rigorous technology-driven review of applicants that enables precise risk selection and underwriting.
As the cyber insurance market matures, there is an increased need for standardization—from applications, to risk assessment and coverages. Unlike car insurance for which drivers are asked to pass a test valid for years, cyber risks are constantly evolving. Because of the recent wave of ransomware attacks, cyber-crimes and other threats, policyholders should expect to be asked more questions at renewal.
At the same time, cyber insurers are taking steps to clarify their coverage and remove ambiguity policy terms. The rise of standalone cyber insurance brings much needed clarification."
And according to the General Accounting Office, the U.S. also needs a stable cyber insurance market that organizations can rely upon.
"Malicious cyber activity poses a significant risk to the federal
government and the nation's businesses and critical infrastructure,
and it costs the U.S. billions of dollars each year. Threat actors are becoming increasingly capable of carrying out attacks, highlighting the need for a stable cyber insurance market."