A growing number of cybersecurity incidents has led many insurers to raise premiums and some to limit coverage in especially risky areas, such as health care and education, according to new findings from a U.S. government watchdog.
“[T]he continually increasing frequency and severity of cyberattacks, especially ransomware attacks, have led insurers to reduce cyber coverage limits for certain riskier industry sectors … and for public entities and to add specific limits on ransomware coverage,” the Government Accountability Office said in a report Thursday, which cited surveys of insurance executives.
More than half of the brokers surveyed by an industry group said that their clients saw premiums increase between 10% and 30% in late 2020, the report noted.
The findings come amid a period of unprecedented scrutiny for the cyber insurance industry, as multimillion-dollar ransoms come to light and cybercriminals appear to target insurers for a list of their clients to extort.
CNA, a major U.S. insurer, paid its digital extortionists $40 million in what some analysts described as a record ransom, Bloomberg News reported Thursday. Meanwhile, Colonial Pipeline, the main artery for delivering fuel to the East Coast, paid hackers $4.4 million for decryption keys.
It was unclear in those cases whether the victims had coverage, but many packages cover recovering from ransomware attacks and, in some cases, the ransom payments themselves.
For example, Benchmark Electronics, an Arizona-based manufacturer of medical and aerospace equipment services, had, as of May 2021, collected $10 million in insurance payments stemming from a 2019 ransomware attack on its systems, according to Securities and Exchange Commission filings. The incident cost the firm $12.7 million in legal, IT forensics and other fees.
The GAO study also raises the prospect that the market may be leaving behind smaller businesses that can’t afford coverage. “Small businesses may purchase cyber insurance less often if they perceive their risks to be minimal or policies too costly,” the GAO noted.
Overall, though, the popularity of cyber insurance has grown as firms hedge against the likelihood that they will be targeted by hackers. The number of policies in effect grew by 60% from 2016 to 2019, according to a GAO review of market data.
Despite greater attention, the industry still suffers from a lack of data in some cases, according to the GAO.
“Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyberattacks and price policies accordingly,” the report concludes. “Some industry participants [surveyed by the GAO] said federal and state governments and industry could collaborate to collect and share incident data to assess risk and develop cyber insurance products.”
Cyber insurance packages cover much more than ransomware-related risk, including the costs of recovering from other data breaches. Proponents say the investment is an important check against cyber risks that are increasingly part of the cost of doing business.
Nonetheless, ransom payments have prompted at least one major provider to change its policies.
Earlier this month, French insurer AXA indicated that it would no longer write new policies covering ransom payments to cybercriminals. Some cybersecurity experts hope other insurers will follow suit. AXA subsidiaries suffered a ransomware attack days later, though one source familiar with the incident said there was no connection between AXA’s decision on insurance coverage and the hack.