When insurance companies first started writing cyber risk insurance, it was unbelievably profitable. They were writing many policies and not processing many claims, so they were very happy.
Over the last few years customers discovered that it did not make any sense to buy insurance and not make a claim when a bad event happened. That started making insurance companies nervous. Events like SolarWinds only makes things worse.
Last fall, as part of the National Defense Authorization Act, the GAO was chartered to survey the cyber insurance landscape.
The GAO interviewed folks at the Treasury, industry trade associations, a large cyber insurance provider and others to understand the landscape and come up with some suggestions on what to do.
The first thing the GAO discovered is that the number of people who decided to be “self insured” has gone down a lot. Their report says that the percentage of insurance clients opting for cyber coverage rose from 26% in 2016 to 47% in 2020. No one likes writing a check for a million dollars out of their own checkbook. That is good because it increases the risk pool.
But cyber is different than many other coverages. It is not local. If there is a fire in one city it does not cause claims in another. But with cyber, attacks are not geographically constrained.
With an increase in claims, insurers responded.
For example, they reduced coverage limits to healthcare and education, two sectors that had finally decided that insurance was not optional. The healthcare sector saw one of the largest increases in demand between 2016 and 2020.
Recently, underwriting capacity has contracted, especially in high risk sectors such as healthcare, education and public entities. Brokers say this is due to the fact that insurers are worried that these sectors are not prepared to repel attacks. As a result, they are declining to write coverage or charging higher premiums.
In fact, the GAO says, underwriters are increasing scrutiny everywhere and for some that could mean that cyber risk coverage may become unaffordable. When underwriters review a company’s cyber risk program, they may decide that it is not strong enough and the risk of providing coverage is too high.
Policies are also becoming more clear about what is covered or, more importantly, what is not covered. That means that customers need to read those policies way more carefully than they have in the past. Insurance underwriters are unlikely to say “although we covered ‘x’ last year, we are not going to cover ‘x’ this year”. It is more like “see if you can figure out what we removed from the policy this time”. And, oh yeah, your premium is going up.
Part of this is due to the insurance underwriters’ inability to predict risk. When it comes to, say, fire insurance, underwriters have a couple hundred years of data to use to predict with and, if anything, buildings are becoming safer. When it comes to cyber, realistically, underwriters have 5-10 years worth of relevant data and the risk factor is anything but safer.
Another factor is the new rule by Treasury that paying ransoms could land you a 20 year all-expenses-paid vacation in a federal “crossbar hotel”. Insurance companies tend to pay the ransom as the least expensive way to fix their problem. If they can’t do that, costs – and risk – go up.
The industry says that they need more incident data. The bad news is that more data will likely show more previously unreported events, making underwriters even more nervous.
What does that mean to you and me? It means that it may be harder to find coverage, the underwriting process may be more invasive, the premiums may be higher and the coverage may be more restrictive. Plan for it.
Finally, if your broker is not an expert in cyber coverage, you may not get the best advice. A broker who writes a couple of policies every now and then is not going to spend the time to learn enough to give you the best advice.
Credit: Health IT Security