Cyber insurance premiums, take-up rates surge, says GAO

Cyber insurance premiums have surged amid more frequent cyberattacks and are likely to surge in 2021, according to a General Accountability Office report.

The National Defense Authorization Act for Fiscal Year 2021 included a provision for GAO to study the US cyber insurance market. GAO analyzed industry data on policies, cyber risk and insurance research and interviewed Treasury officials.

• Best cyber insurance 2021
• Cyber insurance roundtable: Why cyber insurance has a supply issue
• What is cyber insurance? Everything you need to know about what it covers and how it works

According to the GAO, cyber insurance adoption is picking up. The GAO found that the take-up rate for cyber insurance rose from 26% in 2016 to 47% in 2020.

Take-up rates also vary by industry. According to Marsh McLennan, among its clients, the industry sectors with the highest take-up rates in 2016–2020 included education and health care, which collect, maintain, and use significant amounts of personally identifiable information or protected health information. Sectors experiencing significant growth in take-up in that period included the hospitality and retail sectors, which commonly collect payment card information. The manufacturing sector's take-up rate also grew significantly, as that industry became increasingly aware of potential cyberattack risks, according to industry sources.

Along with that adoption, insurance brokers said that more frequent and severe cyberattacks have led to premium increases. The GAO said more than half of the respondents in its report saw prices go up 10% to 30% in late 2020.

• Asia division of cyber insurance company AXA hit with ransomware attack
• US insurance giant CNA Financial paid $40 million ransom to regain control of systems: report
• Corvus Insurance raises $100 million, aims to broaden business, cyber insurance reach, AI platform
• Cowbell Cyber raises $20 million, aims to build out its AI-drive cyber insurance platform

GAO noted in its report:

One broker told us that minimum premiums for high-risk industries with revenues up to $5 million can range from $2,000 to $3,500 per million of limit, while other brokers said premiums on policies that target mid-size entities with revenues from less than $100 million to $250 million can average from about $5,000 to more than $10,000 per million of limit. In addition to entity and industry risk factors, premiums can differ based on the amount of a deductible or other self-insured amount, which the brokers told us had minimums from $1,000 to $5,000 for policies with a $1 million total limit. These same risk factors also can result in lower coverage limits for certain perils, such as $250,000 for social engineering and wire transfer attacks on a policy with a $1 million total limit.

In addition, cyberattacks have led insurers to reduce coverage limits for some sectors including healthcare and education.

The GAO report found that the cyber insurance industry faces multiple challenges such as limited historical data on losses, lack of common definitions for terms like cyberterrorism as well as differences among industries. Another issue for the industry is that businesses have limited awareness of what's in their policies as well as limits.