Take-up of cyber-insurance has almost doubled over the past four years, but premiums surged during 2020 due to more frequent attacks, according to a new congressional report.
Watchdog the Government Accountability Office (GAO) was ordered to study the industry in the National Defense Authorization Act for fiscal year 2021.
Citing data from global insurer Marsh McLennan, the GAO revealed that the percentage of clients opting to take out cyber-specific insurance policies had risen from 26% in 2016 to 47% in 2020.
However, a surge in successful cyber-attacks of late has had two negative consequences: rising premiums and reduced coverage limits for some sectors.
The GAO claimed that, according to a recent survey of insurance brokers, prices had risen 10-30% in late 2020. It also singled out healthcare and education as two sectors where insurers are now offering lower coverage limits.
Although not named in the update, ransomware is a key factor driving these trends. It was the biggest source of insurance claims in the first half of 2020, according to insurer Coalition.
Many have argued that insurers’ continued coverage perpetuates the ransomware problem as it encourages more threat actors to target organizations, knowing that the ransom will be reimbursed by providers.
Axa recently took a stand against this trend in France by resolving to stop reimbursing payments to threat actors, although it will still cover other losses incurred by attacks.
The GAO report explained that providers are also now offering more cyber-specific packages to clients. However, a lack of common terminology, such as what constitutes cyber-terrorism, can lead to inconsistencies in policies and coverage, it warned.
Confectionery giant Mondelez and global legal firm DLA Piper both sued their insurers in 2019 following major losses incurred after NotPetya. Their providers refused to pay out due to wrangles over policy and definitions of exactly what kind of attack the global malware constituted.