Government Accountability Office highlights rising cost of cyber insurance

The agency also finds that insurers are offering lower coverage limits and have limited historical loss data.
The facade of the GAO building in downtown Washington, D.C. (Cory Doctorow/Flickr)

The U.S. Government Accountability Office (GAO) highlighted the rising cost of cyber insurance in a new report assessing challenges faced by the private market in mitigating cyberattacks.

In its study published Thursday, the agency said that according to industry sources, rates have surged. It also cited a recent insurance broker survey, which found that premiums for more than half of clients rose by 20% to 30% in late 2020.

“After holding relatively steady in 2017 and 2018, cyber insurance premiums increased markedly in 2020,” the agency said in its report. “Higher prices for cyber insurance have coincided with increased demand for the product and higher insurer losses from increasingly frequent and severe cyberattacks (particularly ransomware attacks that block users from accessing systems or data until a ransom is paid).”

GAO has studied the private cyber insurance market in response to new requirements included in the National Defense Authorization Act for fiscal year 2021.


Most publicly listed companies purchase standalone cyber coverage as part of their risk management operations, as do some public sector entities such as state governments and agencies.

The report also found that insurers are offering lower coverage limits, and noted that insurance companies have limited historical data on most losses.

Insurance companies are offering lower coverage limits and increasingly encouraging clients to purchase specific, standalone cyber policies. Previously, many insurers offered cyber coverage as an optional add-on to other types of policies, such as property insurance.

This has created aggregation risk for the insurance market, which is known as “silent cyber.”

According to GAO, the language used in cyber policies also often lacks common definitions.


Cyber insurance companies’ appetite for writing policies for public sector entities has declined substantially in recent months, following a slew of high-profile attacks, including attacks against Texas’ Department of Transportation and state court system.

Written by John Hewitt Jones

John is the managing editor of FedScoop, and was previously a reporter at Institutional Investor in New York City. He has a master’s degree in social policy from the London School of Economics and his writing has appeared in The Scotsman and The Sunday Times of London newspapers.
