A Turning Point for Cyber Insurance

By Daniel W. Woods

Communications of the ACM, Vol. 66 No. 3, Pages 41-44

Insuring against the consequences of cybersecurity seems too good to be true given that the underlying problem has perplexed researchers and practitioners for going on 50 years. Since the 2000s, firms could purchase a cyber-insurance policy with coverage items including data breach litigation, crisis management services, data restoration and, controversially, ransom payments. The National Association of Insurance Commissioners (NAIC) estimated the number of policies in the U.S. grew from 2.1 million in 2016 to 4 million in 2020 with policyholders paying $2.75 billion in premiums [6].

Recent years have seen cyber insurers struggle. The NAIC reports a 400% increase in ransomware incidents and that three of the top four cyber insurers had unprofitable loss ratios—claims paid out as a percentage of premiums collected [6]. The industry is responding by reducing coverage limits and hiking premiums, with increases of more than 100% year-on-year by the end of 2021 [a].


