Healthcare Organizations Facing Higher Cyber Insurance Costs for Less Coverage
The number of cyberattacks now being reported is higher than ever before. A couple of years ago, healthcare cyberattacks were being reported at a rate of one per day, but in 2021, there have been months where attacks have been reported at twice that rate.
The severity of cyberattacks has also increased and the cost of responding to and recovering from cyberattacks is now much higher. The likelihood of a serious cyberattack occurring and the high costs of remediating such an attack have prompted many healthcare organizations to take out a cyber insurance policy to cover the cost.
The Government Accountability Office (GAO) has recently published a study of the cyber insurance market as required by the National Defense Authorization Act for Fiscal Year 2021. GAO conducted the study of the cyber insurance market to identify key trends and the challenges faced by insurers and the options available to address them.
GAO reviewed cyber insurance policies and reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry. It also interviewed treasury officials, two industry associations representing cyber insurance providers, an organization providing policy language services to insurers, and one large cyber insurance provider.
GAO found the proportion of insurance clients that hold a cyber insurance policy has increased from 26% in 2016 to 47% in 2020 – an increase of more than 60%. As demand for cyber insurance has increased, so too have insurance premiums. The increase in attack frequency and severity has seen insurance premiums increase dramatically. According to the study, more than half of cyber insurance clients saw their insurance premiums increase by between 10% and 30% in late 2020.
Insurance costs have increased, but coverage has decreased. In certain industry sectors, including healthcare and education, insurers have reduced coverage limits, meaning victims of cyberattacks often have to cover part of the cost themselves.
Many insurers have stopped including coverage for cyberattacks within their existing policies and instead now offer policies specific to cyber risk, but there have been several challenges in creating these policies. Without access to comprehensive, high-quality data on losses due to cyberattacks, the insurance industry has found it difficult to price policies appropriately. Industry stakeholders have suggested federal and state governments and industries should collect and share data on incident response, which will help the insurance industry develop better insurance products and price them accordingly.
There have also been problems with the definitions used and what exactly is covered by a cyber insurance policy. For instance, many policies cover cyberterrorism, but it is unclear exactly what cyberterrorism includes. Industry stakeholders have called for better definitions of cyberattacks to be developed to help both insurers and their clients understand exactly what is covered by insurance policies.
GAO found that many businesses, especially smaller businesses, are underestimating their cyber risks and the amount of insurance coverage they need. Researchers also identified many businesses that have failed to take out a policy as they have not understood the magnitude of risks they face, and do not see the value in cyber insurance as they do not believe it will cover the cost of a cyberattack because there are too many exclusions. Better definitions of cyberattacks and exactly what is covered could help these businesses take out the coverage they need.