GAO-21-477, CYBER INSURANCE: Insurers and Policyholders Face Challenges ...

May 2021

United States Government Accountability Office

Report to Congressional Committees

CYBER INSURANCE

Insurers and Policyholders Face Challenges in an Evolving Market

GAO-21-477

Highlights of GAO-21-477, a report to congressional committees

May 2021

CYBER INSURANCE

Insurers and Policyholders Face Challenges in an Evolving Market

Why GAO Did This Study

Malicious cyber activity poses significant risk to the federal government and the nation's businesses and critical infrastructure, and it costs the U.S. billions of dollars each year. Threat actors are becoming increasingly capable of carrying out attacks, highlighting the need for a stable cyber insurance market.

The National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to study the U.S. cyber insurance market. This report describes (1) key trends in the current market for cyber insurance, and (2) identified challenges faced by the cyber insurance market and options to address them.

To conduct this work, GAO analyzed industry data on cyber insurance policies; reviewed reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry; and interviewed Treasury officials. GAO also interviewed two industry associations representing cyber insurance providers, an organization providing policy language services to insurers, and one large cyber insurance provider.

What GAO Found

Key trends in the current market for cyber insurance include the following:

? Increasing take-up. Data from a global insurance broker indicate its clients' take-up rate (proportion of existing clients electing coverage) for cyber insurance rose from 26 percent in 2016 to 47 percent in 2020 (see figure).

? Price increases. Industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents' clients saw prices go up 10?30 percent in late 2020.

? Lower coverage limits. Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.

? Cyber-specific policies. Insurers increasingly have offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits.

Cyber Insurance Take-up Rates for a Selected Large Broker's Clients, 2016?2020

View GAO-21-477. For more information, contact John Pendleton at (202) 512-8678 or pendletonj@.

The cyber insurance industry faces multiple challenges; industry stakeholders have proposed options to help address these challenges.

? Limited historical data on losses. Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyberattacks and price policies accordingly. Some industry participants said federal and state governments and industry could collaborate to collect and share incident data to assess risk and develop cyber insurance products.

? Cyber policies lack common definitions. Industry stakeholders noted that differing definitions for policy terms, such as "cyberterrorism," can lead to a lack of clarity on what is covered. They suggested that federal and state governments and the insurance industry could work collaboratively to advance common definitions.

United States Government Accountability Office

Contents

Letter

Appendix I Figures

1

Background

3

Cyber Insurance Coverage Varies by Industry and Entity Size, but

Growing Cyber Risk Creates Uncertainty in Evolving Market

5

Cyber Insurance Industry Faces Multiple Challenges, but Options

Have Been Proposed to Address Them

13

Agency Comments

20

GAO Contact and Staff Acknowledgments

21

Figure 1: Cyber Insurance Take-up Rates for a Selected Large

Broker's Clients, 2016?2020

5

Figure 2: Cyber Insurance Take-up Rates for a Selected Large

Broker's Clients, by Industry, 2016?2020

7

Figure 3: Direct Written Premiums and Policies in Force for Cyber

Insurance, 2016?2019

9

Figure 4: Change in Cyber Insurance Premiums, 2017?2020

11

Page i

GAO-21-477 Cyber Security Insurance

Abbreviations

NAIC Treasury TRIA TRIP

National Association of Insurance Commissioners Department of the Treasury Terrorism Risk Insurance Act Terrorism Risk Insurance Program

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Page ii

GAO-21-477 Cyber Security Insurance

441 G St. N.W. Washington, DC 20548

Letter

May 20, 2021

The Honorable Jack Reed Chairman The Honorable James M. Inhofe Ranking Member Committee on Armed Services United States Senate

The Honorable Adam Smith Chairman The Honorable Mike Rogers Ranking Member Committee on Armed Services House of Representatives

The cost of malicious cyber activity to the U.S. economy was between $57 billion and $109 billion in 2016, according to the White House Council of Economic Advisers.1 Since 1997, we have designated cybersecurity as a government-wide high-risk area, and U.S. businesses and other entities continue to face significant cybersecurity risks with the potential for large losses.2 Some members of Congress and others have raised questions about the availability, affordability, and stability of the cyber insurance market. Cyber insurance is a broad term for policies that cover liability and property losses from events adversely affecting electronic activities and systems.3

The National Defense Authorization Act for Fiscal Year 2021 includes a provision for us to review the state and availability of insurance coverage in the United States for cybersecurity risks.4 This report addresses (1) the

1Council of Economic Advisers, The Cost of Malicious Cyber Activity to the U.S. Economy (Washington, D.C.: February 2018).

2GAO, High Risk Series: Dedicated Leadership Needed to Address Limited Progress in Most High-Risk Areas, GAO-21-119SP (Washington, D.C: Mar. 2, 2021).

3More specifically, cyber insurance generally refers to policies that address first-party losses to a policyholder and third-party losses to a policyholder's client or customer as a result of an event that jeopardizes the confidentiality, integrity, and availability of an

information system.

4William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. No. 116-283, ? 9005, 134 Stat. 3388, 4777 (2021).

Page 1

GAO-21-477 Cyber Security Insurance

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download