HIPAA and Compliance News

GAO: Insurers Limiting Coverage in Attack-Laden Sectors, Like Healthcare

Sectors experiencing an onslaught of cyberattacks, like healthcare, are facing another concerning challenge: Cyber insurers are limiting coverage for many embattled entities, GAO finds.


By Jessica Davis

A recent Government Accountability Office report shows that industries experiencing an onslaught of cyberattacks, like healthcare, may face another concerning challenge: Some cyber insurers are limiting coverage and increasing premiums in embattled sectors.

Under the National Defense Authorization Act for FY 2021, the GAO was directed to study the US cyber insurance market. For its report, GAO assessed industry data on cyber insurance policies and reviewed cyber risk and cyber insurance reports from think tanks, researchers, and the insurance industry.

GAO also interviewed officials from the Department of the Treasury, industry associations, a large cyber insurer, and an entity that provides policy language services to insurers. The report outlines key trends within the cyber insurance market and its challenges, as well as recommendations for addressing those hurdles.

The GAO found that the rise in attack frequency and severity has led more insurance clients to opt for cyber coverage: take-up rates rose from 26 percent in 2016 to 47 percent in 2020, driven by growing awareness of cyber risks.

The report showed a 60 percent increase in the number of cyber insurance policies from 2016 to 2019, from 2.2 million policies to over 3.6 million. The rise is consistent with earlier data showing that ransomware was behind one-quarter of all cyber insurance claims in 2017.

Meanwhile, rising demand and higher insurer costs have been accompanied by premium increases and reduced coverage.

Specifically, insurance industry representatives told GAO auditors that the increased number of attacks on the healthcare and education sectors has directly caused insurers to reduce coverage limits.

This is concerning because healthcare had one of the highest take-up rates between 2016 and 2020, given the attack risks to the troves of data collected, maintained, and used by care organizations.

“Despite the upward trend in take-up rates to date, insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as health care and education and for public-sector entities,” the report states, citing the Council of Insurance Agents and Brokers, Marsh McLennan, and AM Best.

“These sources noted the contraction has resulted from factors that include increasing losses from cyberattacks, the threat of future attacks, and overall insurance market conditions,” it added. “Insurers have become more selective in extending coverage to high-risk entities and industries and increasing prices of coverage they offer.” 

In fact, underwriters have increased scrutiny of the risks posed by entities in every industry, regardless of size. The GAO explained that this may affect the future availability and affordability of cyber insurance.

Those sources tied these changes to the increased costs, frequency, and impact of cyberattacks, as well as the uncertainty of how the threat landscape will be shaped in the future, in terms of attack types, targets, and overall scope.

The evolving risks have also increased the demand for coverage, while driving up the cost of premiums, creating more restrictive policy terms, and reducing coverage limits.

Further, there’s an increasing number of insurers offering policies specific to cyber risk, rather than adding cyber risk to existing or newly created coverage packages. GAO officials explained the shift is likely tied to a need for more clarity on what’s covered and for higher coverage limits in cyber-specific policies.

Industry stakeholders have repeatedly warned that these changes would occur, especially with the rise in data extortion and ransomware attacks. The costs may also be tied to the number of victim entities paying the threat actors, despite warnings from most regulators against making those payments.

The Department of the Treasury previously warned that insurers facilitating some ransomware payments could be at risk of violating sanctions.

While concerning, the report explained that the cyber insurance industry has challenges of its own, including limited historical data on losses and a lack of common definitions in cyber policies.

Without the data on historical losses, insurers are finding it difficult to estimate potential losses caused by successful cyberattacks and, thus, many struggle to properly price policies.

Respondents told GAO that states and industries need to collaborate on collecting and sharing incident data to better assess risk and develop cyber insurance products.

“Industry stakeholders noted that differing definitions for policy terms, such as ‘cyberterrorism,’ can lead to a lack of clarity on what is covered,” according to the report. “Federal and state governments and the insurance industry could work collaboratively to advance common definitions.”