Dive Brief:

• For more than half of insurance brokers, corporate cyber insurance premiums rose 10% to 30% between Q3 and Q4 for clients, according to a report by the Government Accountability Office (GAO) based on data and responses from global insurance brokers. The report was published Thursday. 
• Fifteen-percent of the brokers said they had no increase in premium price in the same time period. Cyber-related premiums were "holding relatively steady" between 2017 and 2018, according to the report, but increased in 2020. 
• Not only are insurers increasing premiums, they are lowering coverage limits "for certain perils," according to the GAO. For example, for cyberattacks involving a social engineering or wire transfer, insurance companies would offer $250,000 "on a policy with a $1 million total limit."

Dive Insight:

The increase in cyber insurance adoption and premium prices coincides with a changing — and more challenging — threat landscape. Insurance companies are protecting themselves from too many payouts. 

Insurance companies might impose more coverage limits on certain industries, such as healthcare or education. Cyberattacks on healthcare increased 45% between November and January, coinciding with another wave of COVID-19 infections, according to Check Point. Other industries experienced a 22% increase in attacks. 

Insurance companies adjust premium prices based on the size of a company, its industry, and its cybersecurity maturity, according to the report. Cyber-specific insurance brokers have an average premium range from $1,000 to about $3,000 "per million of limit for small entities that have strong cyber controls and are in low-risk industries." 

If a company is in a riskier industry, the premium can "be many times that amount," the GAO said. In cases where revenue reaches $5 million, premiums can range between $2,000 to $3,000 per million of limit, for example. 

The number of cyber-specific policies increased from 2.2 million to more than 3.6 million, between 2016 and 2019, which the GAO determined using data from S&P Market Intelligence and National Association of Insurance Commissioners (NAIC). Companies adopted policies in response to cyberattacks or from learning about recovery expenses from other companies. 

While the increase in adoption might signal a reduction in insurance costs, the increase is likely due to perceived risk, said John Pendleton, director of financial markets & community investment at the GAO, in a podcast. 

"Insurers need to charge more to cover the risk. The problem is that the insurers don't really have historical data on cyber events and the costs associated with them. So, it's difficult to predict what the losses will be," he said.  

The cost of cyber incidents isn't documented well enough for brokers to pull from yet, partially due to an informal or insufficient reporting system. "There's no centrally managed, consistent data on this," said Pendleton. 

Costs can range between 0.1% to almost 100 times an organization's revenue, according to Cyentia's Information Risk Insights Study, published in November. As the range fluctuates depending on the severity or type of attack — data breach, ransomware, supply chain compromise — organizations might look to the federal government for pricing guidance. 

The possibility of a large-scale attack where "losses are so substantial that the insurance market cannot cover it" is becoming more of a reality, said Pendleton.