The continued availability and affordability of cyber insurance is "still uncertain," the U.S. Government Accountability Office said in a report released Thursday.
Citing industry figures, the report says that the demand for cyber insurance and its costs have increased, with more industry participants in a concentrated market.
However, the increasing frequency and severity of cyberattacks, particularly ransomware attacks, have led insurers to reduce cybercrime limits for certain more risky industrial sectors, such as healthcare and education, and to introduce stricter conditions and exemptions. , according to the report, which was sent to the President of the House and the Senate Committee on Armed Services.
The report states that key challenges facing the market include the limited availability of historical data on losses and cyber incidents, limited awareness of corporate cyber security risks and the risk of aggregate losses from a cyber attack.
Terms used in cyber policies "are not defined, the report says, and many entities, especially smaller companies," may underestimate their cyber risks and the cyber coverage needed to mitigate those risks. "
The report states that there is also uncertainty about the likelihood of the U.S. Treasury Department certifying cyberattacks as terrorist acts, "because the department has never certified any incident under TRIA and cyberattack characteristics may not easily meet its certification requirements."
It stands for the Treasury to certify an act of terrorism under the TRIA, the act "must be violent or endanger human life, property or infrastructure", and generally lead to losses in the United States, among other provisions. However, cyber attacks cannot be violent or they can cause losses to computer servers outside the United States, the report says.
The report also says that some industry participants are worried that an extremely large cyber attack, such as to the electricity grid, would exceed the TRIA ceiling of 1
They are also concerned about "the level of risk borne by private insurance companies", it says.
"Cyber-risk continues to evolve as the technology and methods of cyber-attack change, making it difficult for insurers to guarantee coverage," the report says.