GAO Fast Facts
Cyber insurance can help offset the costs of responding to and recovering from cyberattacks. The growing frequency and severity of cyberattacks have led more insurance clients to opt for cyber coverage—up from 26% in 2016 to 47% in 2020.
Other key trends in cyber insurance include lower coverage limits in high-risk sectors and rising premiums.
Both insurers and clients face challenges. For example:
- Developing cyber insurance products can be hard because insurers don’t have much historical data on cyberattack-related costs
- Determining what’s covered can be hard for clients because key terms like “cyberterrorism” don’t have standard definitions
Change in Cyber Insurance Premiums, 2017-2020
What GAO Found
Key trends in the current market for cyber insurance include the following:
- Increasing take-up. Data from a global insurance broker indicate its clients’ take-up rate (proportion of existing clients electing coverage) for cyber insurance rose from 26 percent in 2016 to 47 percent in 2020 (see figure).
- Price increases. Industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10–30 percent in late 2020.
- Lower coverage limits . Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.
- Cyber-specific policies . Insurers increasingly have offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits.
Cyber Insurance Take-up Rates for a Selected Large Broker’s Clients, 2016–2020
The cyber insurance industry faces multiple challenges; industry stakeholders have proposed options to help address these challenges.
- Limited historical data on losses. Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyberattacks and price policies accordingly. Some industry participants said federal and state governments and industry could collaborate to collect and share incident data to assess risk and develop cyber insurance products.
- Cyber policies lack common definitions. Industry stakeholders noted that differing definitions for policy terms, such as “cyberterrorism,” can lead to a lack of clarity on what is covered. They suggested that federal and state governments and the insurance industry could work collaboratively to advance common definitions.
Why GAO Did This Study
Malicious cyber activity poses significant risk to the federal government and the nation’s businesses and critical infrastructure, and it costs the U.S. billions of dollars each year. Threat actors are becoming increasingly capable of carrying out attacks, highlighting the need for a stable cyber insurance market.
The National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to study the U.S. cyber insurance market. This report describes (1) key trends in the current market for cyber insurance, and (2) identified challenges faced by the cyber insurance market and options to address them.
To conduct this work, GAO analyzed industry data on cyber insurance policies; reviewed reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry; and interviewed Treasury officials. GAO also interviewed two industry associations representing cyber insurance providers, an organization providing policy language services to insurers, and one large cyber insurance provider.