From the U.S. Government Accountability Office, www.gao.gov

Transcript for: The Evolving Cyber Insurance Market

Description: Malicious cyberattacks have resulted in billions of dollars in damages each year for US businesses. As more cyber threats emerged, there has been increasing demand for insurance policies against cyber-related damages. What are the trends in this market and what is the federal role in overseeing it? We talk with GAO’s John Pendleton to learn more.

Related GAO Work: GAO-21-477, Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market

Released: May 2021

[Intro Music]

[John Pendleton:] Cyber risks are rising rapidly and the insurance market is trying to sort out what the potential costs and risk are.

[Holly Hobbs:] Hi and welcome to GAO’s Watchdog Report, your source for news and information from the U.S. Government Accountability Office—celebrating 100 years of fact-based, nonpartisan government oversight. I'm Holly Hobbs. Malicious cyberattacks have resulted in billions of dollars in damages each year for U.S. businesses. The recent attacks on Colonial Pipeline and SolarWinds have highlighted the growing frequency and scale of these attacks. As the threats increase, so has demand for insurance policies against cyber-related damages. What are the other trends in this market, and what is the federal role in overseeing it? Today, we’ll talk with John Pendleton, a director in our Financial Markets and Community Investment team, who has a new report out about the trends in cyber insurance. Thank you for joining us, John.

[John Pendleton:] Thanks for having me, Holly.

[Holly Hobbs:] So John, who's buying cyber insurance and why?

[John Pendleton:] Well, lots of different kinds of businesses need cyber insurance. Educational institutions and health care need it because they have our protected personal information. Hospitality and retail businesses have our credit card information. Manufacturing and other businesses face risk as well, such as ransomware--where their computer systems and data are held hostage until a ransom is paid.

[Holly Hobbs:] And what kind of things does cyber insurance cover?

[John Pendleton:] It depends on the policy, and it's not completely sorted out. Cyber coverage has often been packaged as part of broader policies. But in recent years, the demand for specific cyber coverage has been growing to cover losses of data, but mostly just to better define exactly what is covered.

[Holly Hobbs:] And what can you tell us about the number of companies or entities that pay for coverage and how that's changed?

[John Pendleton:] The take-up rate—which is an industry term for the percentage of companies that elect cyber coverage—has nearly doubled since 2016. When you look industry by industry, some of the biggest growth in cyber coverage has been in education and hospitality. But we saw growth across all the ten industries that we reviewed.

[Holly Hobbs:] And do we know how a cyberattack—like the one on Colonial Pipeline—might affect insurance trends?

[John Pendleton:] In a survey of agents and brokers in late 2020, about three-quarters of them said they were seeing increasing demand for cyber coverage. I can't predict the future, Holly, but it seems likely that we will see continued increasing demand given the cyberattacks we're seeing in the news almost every day.

[Holly Hobbs:] So let me ask this, if the demand for coverage has increased, is that reducing the cost for coverage—helping spread the risk across more people?

[John Pendleton:] You might think so, but that's not what's happening so far. Cyber premium costs have actually stayed pretty stable until mid-2019. But they have increased markedly since. Now more insurers are getting into the business, but this doesn't seem to be decreasing premium prices, at least not so far.

[Holly Hobbs:] Do we know why prices have increased or how insurance companies are measuring risk when developing insurance rates?

[John Pendleton:] Put simply, I think just the perceived risk is increasing, so insurers need to charge more to cover the risk. The problem is that the insurers don't really have historical data on cyber events and the costs associated with them. So, it's difficult to predict what the losses will be.

[Holly Hobbs:] So when you insure a car, for example, you would estimate the value of the car and what damages could be--and that sets your policy price. How are damages from cyberattacks estimated, and how are those policy prices set?

[John Pendleton:] That's actually a great comparison because it illustrates the difference in a market where you have really good data. We know how much cars cost, and we know that there's thousands of fender benders and wrecks and such. You have good historical data there. That's not the case with cyberattacks. Insurers are trying to build predictive models based on estimated losses from the things they know now, like data breaches or ransomware. But insurers have little data for several reasons. The big one is that -- organizations are reluctant to share it publicly the details when they get attacked, there's no centrally managed, consistent data on this.

[Music:]

[Holly Hobbs:] So it sounds like the demand for cyber insurance policies has increased along with the threat of cyberattacks, and that these increases have highlighted some of the challenges in the market—including how losses from attacks are estimated and how policies are priced. John, what's the federal government's role in monitoring this industry to make sure there's common policies and practices?

[John Pendleton:] There are a couple of areas where the federal government might get involved. First, there was a federally chartered commission that made several recommendations--one of which was enacting a national cyber incident reporting system to kind of help with this historical data problem. The data would be anonymized to encourage reporting. The other wrinkle here, and it's a big one, is what the federal role in liability would be if a cyberattack is determined to be an act of terror. Let's say a large scale cyberattack hit the country's critical infrastructure--say the energy sector. This could trigger a special terrorism risk insurance provision that was stood up after 9/11. But even if that fund is triggered, it could be used up very quickly given the massive potential scale of the damage caused by a cyberattack. And there's a lot of questions remaining about whether the Terrorism Risk Fund is even appropriate for cyber. We have following work now underway to examine that question.

[Holly Hobbs:] And last question, what's the bottom line of this report?

[John Pendleton:] Cyber risks are rising rapidly and the insurance market is trying to sort out what the potential costs and risk are. So demand for insurance coverage is growing rapidly, but the lack of historical data about cyber incidents makes it difficult to assess risk and set premium prices. The federal role could well be to help gather that information. But a big and honestly kind of scary scenario is, if a cyber event is deemed an act of terror and the losses are so substantial that the insurance market cannot cover it. Unfortunately, it's becoming clearer by the day that this is not a theoretical or highly improbable risk.

[Holly Hobbs:] That was John Pendleton talking about GAO's recent review of cyber insurance market. Thank you for your time, John.

[John Pendleton:] Thank you, Holly.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Stitcher, Google Podcasts, and more. And make sure you leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog -- the U.S. Government Accountability Office -- visit us at GAO.gov.