Page 14 GAO-21-477 Cyber Security Insurance
that help assess the probability of loss from a cyberattack.[25] That report
also noted no comprehensive, centralized source of information about
cyber events exists for insurers to access.[26] In addition, a 2020 report by
the International Association of Insurance Supervisors noted that
incomplete or inaccurate historical data on cyber incidents decreases the
reliability of actuarial models, leading to increases in uncertainty around
loss estimates.[27] Without access to such data, some industry participants
and researchers are concerned that current prices for cyber policies may
not accurately reflect risk. According to NAIC, if a product is priced too
low, an insurer may not have the financial means to pay claims to the
policyholder, which could lead to insolvency. If priced too high, few
businesses and consumers might be able to afford the coverage.

Opportunities exist for improving the nation’s capacity for collecting cyber
event and loss data and for coordinating industry-wide efforts to collect
and share that information. According to a recent report by the U.S.
Cyberspace Solarium Commission, Congress could establish an entity to
collect data to better understand cyber risk and help the insurance
industry create better risk models.[28] The commission also suggested that
a public-private working group could be established at the Department of

[25] Deloitte Center for Financial Services, Demystifying Cyber Insurance Coverage:
Clearing Obstacles in a Problematic but Promising Growth Market (Deloitte University
Press, 2017).

[26] Historical loss data are used to build predictive models about expected costs, which are
part of the ratemaking process. These models are partly based on what the estimated loss
will be from specific events, such as data breaches or ransomware attacks. According to
Marsh McLennan, because there is no precedent for insurable cyber catastrophic events,
the insurance industry has drawn parallels or made assumptions based on lessons
learned from other lines of business and “near misses” in the cyber line of business, or
both. Deloitte and the U.S. Cyberspace Solarium Commission suggest that access to data
on cyber events would facilitate decision-making for insurers as it relates to modeling and
pricing.

[27] International Association of Insurance Supervisors, Cyber Risk Underwriting: Identified
Challenges and Supervisory Considerations for Sustainable Market Development (Basel,
Switzerland: December 2020).

[28] The commission’s report also includes recommendations to enact a national cyber
incident reporting law requiring critical infrastructure agencies to report cyber incidents to
the federal government, where the data would be anonymized and shared with a new
entity charged with collecting and providing cybersecurity data to inform policymaking and
government programs. The report recommends that the data entity act as a statistical
agency that collects, processes, analyzes, and disseminates essential data on
cybersecurity and cyber incidents to the public, Congress, federal agencies, state and
local government, and the private sector.