Cyber insurance’s continued availability and affordability “remains uncertain,” says the U.S. Government Accountability Office in a report issued Thursday.

Citing industry figures, the report says the demand for cyber insurance and its cost have increased, with more industry participants in a concentrated market.

However, the increased frequency and severity of cyberattack, especially ransomware attacks, have led insurers to reduce cyber coverage limits for certain riskier industry sectors, such as health care and education, and introduce tighter terms and exclusions, according to the report, which was sent to chairmen of the House and Senate’s Committee on Armed Services.

The report says key challenges facing the market include the limited availability of historical loss and cyber event data, limited awareness of cybersecurity risks by businesses, and the risk of aggregate losses from a cyberattack.

Terms used in cyber policies “are not consistently defined,” the report says, and many entities, particularly smaller businesses “may underestimate their cyber risks and the cyber coverage needed to mitigate those risks.”

The report says there is also uncertainty about the likelihood of the U.S. Department of the Treasury certifying cyberattacks as acts of terrorism, “because the department has never certified any event under TRIA and cyberattack characteristics may not readily meet its certification requirements.”  

It says for Treasury to certify an act of terrorism under TRIA, the act “must be violent or dangers to human life, property or infrastructure,” and generally result in losses in the U.S., among other provisions. However, cyberattacks may not be violent or they may cause losses to computer servers located outside the United States, the report says.

The report also says some industry participants are concerned that an extremely large cyberattack, such as to the electrical grid, would exceed the $100 billion TRIA cap, leave losses above the cap uninsured.

They’re also concerned “about the level of risk borne by private-sector insurers,” it says.

“Cyber risk continues to evolve as technology and the methods of cyberattack change, making difficult for insurers to underwrite coverage,” the report says.