Abstract
This work analyzes and extends insurance dynamics in the context of cyber risk. Cyber insurance contracts, when used as a means to manage residual cyber risk, can behave differently from traditional (e.g., property) insurance. One important difference arises from the complexity of the post-breach decision of whether and how a firm should optimally claim indemnity in the event of a cyber breach. We define different types of cyber breaches that lead to different claiming scenarios, rooted in the secondary loss caused by some, but not all, types of breaches. We build a model that captures the impact of secondary loss on the use of cyber insurance, and then combine the backward analysis of the various breach scenarios to derive the overall optimal decision to purchase cyber insurance. We show that the optimal purchase decision depends on the mix of breach types a firm faces. Numerical experiments corroborate the market observation that cyber insurance remains little used 20 years after these products became available.
Notes
For some recent cyber insurance contract pricings (albeit without the deductibles, which are equally determining of the premium structure), please see the pertinent webpage of Data Breach Insurance Inc., USA (https://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/)
This is an understandable posture for managers. For example, in its 2014 third-quarter filing, Home Depot reported a $15 million cyber insurance receivable (McLeod 2015), which makes plain that a severe breach had been realized. Had the breach been one not requiring disclosure, the balance sheet or cash flow statement would still have made the event apparent to stakeholders.
Raviv extends Arrow's work and shows that risk preferences do not necessarily determine the form of an optimal insurance contract, and that an optimal contract may feature both a deductible and coinsurance. In this research we restrict ourselves to a simple, general deductible-based cyber insurance contract.
The Great Debate, ISSA journal 2008, available at http://cdn.coverstand.com/1336/3515/ISSA_0408_bt.pdf
In practice, cyber insurance providers use interviews, questionnaires and other instruments, as well as technical audits, to apprise themselves of the state of residual risk after the technological controls are in place. The insured firm must agree to these inquiries before the insurer writes a cyber insurance contract.
For examples, see the cyber insurance product pages at www.aig.com, www.chubb.com, etc.
While the other expressions, including the premiums and the profit functions, remain the same as those under CARA, the utility function under CRRA is U = qp ln(W − P − x1) + q(1 − p) ln(W − P − a) + (1 − q)p ln(W − P).
Cavusoglu et al. (2004) estimate secondary losses somewhat below 4% for the firms in their dataset.
Cyber insurance providers routinely assess the security health of a prospective firm before offering a contract.
More of the perpetrators of current computer crime are motivated by money, not bragging rights (CSI survey, 2007).
For some small-scale analysis of indemnity payouts in cyber insurance, please refer to the 2011 and 2012 reports from NetDiligence Inc. at http://netdiligence.com/files/CyberLiability-0711sh.pdf and http://www.resultstechnology.com/files/2013/05/2012-10-Cyber-Claims-Study.pdf
Based on our private communications on the value of cyber insurance with CIOs/CISOs.
References
2008 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover and Preventive Solutions. Ponemon Institute, LLC.
Anderson, R., & Moore, T. (2007). The economics of information security: A survey and open questions. Proceedings of the Fourth bi-annual Conference on the Economics of the Software and Internet Industries. France: Toulouse.
Arrow, K. J. (1971). Essays in the theory of risk bearing. Chicago, IL: Markham Publishing Co.
Baer, W. S. (2004). Private sector incentives for managing security. In E. O. Goldman (Ed.), National Security in the information age. Routledge.
Baer, W. S., & Parkinson, A. (2007). Cyber insurance in IT security management. IEEE Security and Privacy, 5(3), 50–56.
Bandyopadhyay, T., Mookerjee, V. S., & Rao, R. C. (2009). Why IT managers don't go for cyber-insurance products. Communications of the ACM, 52(11), 68–73.
Berinato, S. (2008). Data Breach Notification Laws, State By State. Available at http://www.csoonline.com/article/2122493/compliance/cso-disclosure-series---data-breach-notification-laws--state-bystate.html.
Bohme, R. (2005). Cyber insurance revisited. Boston, USA: Proceedings of the Workshop on the Economics of Information Security.
Bohme, R., & Kataria, G. (2006). Models and measures for correlation in cyber insurance. Boston USA: Proceedings of the Workshop on the Economics of Information Security.
Bohme, R., & Schwartz, G. (2010). Modeling cyber-insurance: Towards a unifying framework. Cambridge USA: Proceedings of the Workshop on the Economics of Information Security.
Borch, K. (1960). The safety loading of reinsurance premiums. Skandinavisk Aktuarietidskrift, 43, 163–184.
Bowers, N. L., Gerber, H. U., Hickman, J. C., Jones, D. A., & Nesbit, C. J. (1997). Actuarial mathematics (2nd ed.). Schaumburg, IL: Society of Actuaries.
Calandro, J., Matrejek, E., & Pollard, N. (2014). Managing cyber risks with insurance: Key factors to consider when evaluating how cyber insurance can enhance your security program. PricewaterhouseCoopers publication number BS-14-0534-A.0614. Available at http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-managing-cyber-risks-with-insurance.pdf.
Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. The Journal of Computer Security, 11(3), 431–448.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcement on market value: capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70–104.
Ernesto, V. d. S. (2009). Mininova Hit By Massive DDoS Attack. Available at https://torrentfreak.com/mininova-hit-bymassive-ddos-attack-090307/.
Evers, J. (2007). T.J. Maxx hack exposes consumer data. C-Net news, available at https://www.cnet.com/news/t-j-maxxhack-exposes-consumer-data/.
Fang, F., Parameswaran, M., Zhao, X., & Whinston, A. B. (2014). An economic mechanism to manage operational security risks for inter-organizational information systems. Information Systems Frontiers, 16(3), 399–416.
Floresca, L. (2014). Cyber Insurance 101: The basics of cyber coverage. Available at https://wsandco.com/cyber-liability/cyber-basics/.
Fourth Annual US Cost of Data Breach Study. (2008). Ponemon Institute LLC.
Global Cyber Impact Report. (2015). Ponemon LLC. Available at (http://www.aon.com/attachments/riskservices/2015-Global-Cyber-Impact-Report-Final.pdf).
Global Information Security Survey. (2008). Ernst and Young LCC. Available at (http://www.ey.com/Global/assets.nsf/UK/Global_Information_Security_Survey_2008/$file/EY_Global_Information_Security_Survey_2008.pdf).
Gollier, C. (1996). Optimal insurance of approximate losses. The Journal of Risk and Insurance, 63(3), 369–380.
Gollier, C., & Pratt, J. W. (1996). Risk vulnerability and the tempering effect of background risk. Econometrica, 64(5), 1109–1123.
Gordon, L. A., Loeb, P. M., & Sohail, T. (2003). A framework for using insurance for cyber risk management. Communications of the ACM, 46(3), 81–85.
Hartwig, R. P., & Wilkinson, C. (2014). Cyber risks, the growing threat. USA: Insurance Information Institute.
Johnson, T. A. (2014). Cybersecurity: Protecting critical infrastructures from cyber attack and cyber warfare. USA: CRC Press.
Kovacs, P., Markham, M., Sweeting, R. (2004). Cyber incident risk in Canada and the role of cyber insurance. Institute for Catastrophic Loss Reduction. ICLR Research Paper Series - No. 38.
Mader, B. (2002). Cyber insurance's higher rates make it a long-term sell. Available at http://sanjose.bizjournals.com/sanjose/stories/2002/11/04/focus2.html.
Majuca, R. P., Yurcik, W., & Kesan, J. P. (2006). The evolution of cyber insurance. Available at http://arxiv.org/ftp/cs/papers/0601/0601020.pdf.
McLeod, D. (2015). Increased cyber losses means more litigation over claim. Business Insurance. Available at http://www.businessinsurance.com/article/20150222/NEWS06/303019999/1248.
Meland, P. H., Inger, A. T., & Solhaug, B. (2015). Mitigating risk with cyber insurance. IEEE Security and Privacy, 6, 38–43.
Moore, T. (2005). Countering hidden-action attacks on networked systems. Proceedings of the Workshop on the Economics of Information Security. Cambridge: USA.
Mossin, J., & Smith, T. (1968). Aspects of rational insurance purchasing. Journal of Political Economy, 76, 533–568.
Nelson, S. D., & Simek, J. W. (2005). Cyber insurance: Singing in the Rain. Available at http://www.senseient.com/pdf/CYBER INSURANCE.pdf.
Ogut, H., Raghunathan, S., & Menon, N. (2005). Cyber insurance and IT security investment: Impact of interdependent risk. Cambridge, USA: Proceedings of the Workshop on the Economics of Information Security.
Pols, J., & Parker, D. (2008). The great debate: security spending. Information Systems Security Association Journal, 6(4), 21–25.
Raviv, A. (1979). The design of an optimal insurance policy. American Economic Review, 69, 84–96.
Schlesinger, H. (1981). The optimal level of deductibility in insurance contracts. The Journal of Risk and Insurance, 48(3), 465–481.
Schroeder, D. (2014). Cyber Insurance: just one component of risk management. The Wall Street Journal, May 27 2014. Available at http://blogs.wsj.com/cio/2014/03/27/cyber-insurance-just-one-component-of-risk-management/.
Schwartz, G., Shetty, N., & Warland, J. (2010). Cyber-insurance: Missing market driven by user heterogeneity. Cambridge, USA: Proceedings of the Workshop on the Economics of Information Security.
Siegel, C. A., Ty, R. S., & Serritella, P. (2002). Cyber-risk management: technical and insurance controls for enterprise-level security. Information Systems Security, 11(4), 33–49.
Steele, C. (2007). Cyber insurance supplements, not replaces data breach security. Available at http://searchsecuritychannel.techtarget.com/news/article/0289142sid97_ gci1262357 00.html.
The Betterley Report: Cyber risk and Privacy Market Survey (2010). (Available at http://betterley.com/samples/CyberRisk10nt.pdf).
The Betterley Report: Cyber risk Market Survey (2008). (Available at http://www.betterley.com).
The Betterley Report: Cyber/Private Insurance Market Survey. (2015) (Available at http://www.betterley.com).
Richardson, R. (2008). The CSI Computer crime and security survey. Available at (https://www.miel.in/pdfs/CSIsurvey2008.pdf).
The CSI/FBI Computer Crime and Security Surveys 2000-2006. (Available at http://www.gocsi.com).
Wood, L. (2007). Can 'cyber insurance' protect you from data breach catastrophe? (Available at http://tinyurl.com/3co9hd).
Appendices for a model to analyze the challenge of using cyber insurance
1.1 Appendix Section 1: Proof of Proposition 1, Lemma 1, and Lemma 2
Proposition 1
For a secondary loss G associated with a realized private symptomatic breach, there exists a minimum realized loss r (= x1 + G) up to which the insured firm does not claim its losses; for losses above r, the insured firm claims its actual loss.
Proof
The local optimization problem reduces to locating a point r on the loss axis (Fig. 4) such that the expected net revenue from the payout \( E\left[ R(r)\right]=\underset{r}{\overset{\infty }{\int }} I(x)\, f(x)\, dx - G\left(1- F(r)\right) \) is maximized. The FOC yields the optimal r: r = I−1(G). However, r must lie to the right of x1 (the firm has no reason to claim below the deductible and absorb only the secondary loss), so that I(r) = r − x1 and, in general, r = I−1(r − x1). This fixes r conclusively: r = x1 + G. The point r marks the boundary beyond which the insured firm claims a loss suffered in a private breach.
Lemma 1
For any given deductible, the premium under adjusted pricing is never higher than that under traditional pricing, i.e., P1(x1) ≥ P2(x1).
Proof
It can be shown that \( {P}_2={P}_1- q\;\left(1+\lambda \right)\;\gamma\;\delta \underset{x_1}{\overset{x_1+ G}{\int }}\left( x-{x}_1\right)\; f(x)\; dx \), so that for nonnegative values of G, δ, γ, and λ, P1 ≥ P2.
Lemma 2
For a selected deductible x1, x1 ≥ 0, the overpricing (P1 − P2) under traditional pricing:
1) increases linearly with the probability of private breach γ;
2) increases non-linearly with the expected secondary loss G.
Proof
The overpricing is denoted as \( \Delta P= q\;\left(1+\lambda \right)\;\gamma\;\delta \underset{x_1}{\overset{x_1+ G}{\int }}\left( x-{x}_1\right)\; f(x)\; dx \). Under our uniform primary loss distribution assumption with range [a, b], these salient cases follow:
As a result, the overpricing of the premium exhibits the following characteristics (diagram below):
- does not exist in the range x1 ≤ Max{(a − G), 0};
- increases linearly with the probability of private breach γ in the range x1 > Max{(a − G), 0};
- exhibits quadratic increase with the secondary loss G in the range a < x1 + G ≤ b;
- remains invariant of the secondary loss G in the range x1 > Max{(b − G), 0}.
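The overpricing ΔP of Lemma 2 under the paper's uniform loss assumption, as an added example (not the paper's own code): the integral is evaluated in closed form for any deductible x1 and secondary loss G, cross-checked by a midpoint rule, and the three regimes (no overpricing, quadratic in G, invariant in G) can be read off from the returned values. The parameter values a, b, q, λ, γ, δ used in the `__main__` block are constructed for illustration.

```python
"""Overpricing dP = q (1+lambda) gamma delta * int_{x1}^{x1+G} (x - x1) f(x) dx
with f uniform on [a, b].  Added example; parameter values are constructed."""


def overpricing_closed_form(x1, G, a, b, q, lam, gamma, delta):
    """Delta P for deductible x1 and secondary loss G, f(x) = 1/(b - a) on [a, b]."""
    # Only the part of the claim window [x1, x1 + G] that overlaps the loss
    # support [a, b] contributes to the integral.
    lo, hi = max(x1, a), min(x1 + G, b)
    if hi <= lo:
        return 0.0  # window outside the support: no overpricing (x1 + G <= a)
    # int_lo^hi (x - x1) dx / (b - a)
    integral = ((hi - x1) ** 2 - (lo - x1) ** 2) / (2.0 * (b - a))
    return q * (1.0 + lam) * gamma * delta * integral


def overpricing_numeric(x1, G, a, b, q, lam, gamma, delta, steps=100_000):
    """Same quantity by the midpoint rule; an independent check of the closed form."""
    width = G / steps
    density = 1.0 / (b - a)
    total = 0.0
    for k in range(steps):
        x = x1 + (k + 0.5) * width
        if a <= x <= b:  # f(x) = 0 outside [a, b]
            total += (x - x1) * density * width
    return q * (1.0 + lam) * gamma * delta * total


if __name__ == "__main__":
    params = dict(a=10.0, b=110.0, q=0.5, lam=0.2, gamma=0.3, delta=0.4)
    for x1, G in [(2.0, 5.0), (20.0, 30.0), (20.0, 60.0), (20.0, 100.0), (20.0, 200.0)]:
        print(f"x1={x1:6.1f} G={G:6.1f}  dP={overpricing_closed_form(x1, G, **params):.4f}")
```

With these constructed parameters, doubling G from 30 to 60 quadruples ΔP (the quadratic regime), while G = 100 and G = 200 give the same ΔP because x1 + G already exceeds b.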
1.2 Appendix Section 2: Derivation of utility and premium expressions
1.2.1 A. Derivation of the offered premiums in the given ranges of deductible:
Scenario-1, Unadjusted:
Scenario-2, Adjusted:
1.2.2 B: Derivation of the expected utility of the insured firm, in the given ranges of deductible
1.3 Appendix Section 3: Adjacent problems for the experiment - solution procedure
The maximization problem (9) can be construed as a set of adjacent sub-problems, each defined by a pertinent range of the deductible. The insured firm can maximize each sub-problem separately to obtain a range-specific optimal deductible. Among these range-specific optima, the deductible that yields the highest expected utility is then selected for communication to the insurer. Decomposing the maximization problem into sub-problems loses nothing in solution quality so long as the restricted deductible range 0 ≤ x1 ≤ b is exhaustively searched. The process is represented in the following table, which is how we conduct our numerical experiment. Every row in Table 3 represents a sub-problem, which is numerically maximized twice: once under traditional pricing (column 3) and once under adjusted pricing (column 4) of the premium. The process is repeated for 10 different values of each parameter.
1.4 Appendix Section 4: Claim oriented secondary loss based analysis
1.4.1 Claim-oriented risk perception loss in stakeholders, and the under-claiming strategy of the insured firm with deductible and cap provisions in cyber insurance
Denote y(x) as the claim function. Firms differ in their exposure to the post-claim risk perception loss g(I(y(x))). Companies dealing in sensitive personal information, engaged in major e-commerce activities, or with little brick-and-mortar presence are likely to experience high exposure to g(I(y(x))). These firms are also highly exposed to cyber risk because of the nature of their business. Consider Fd to be one such firm and represent its secondary losses by a convex loss g(I(y(x))), such that g(0) = 0, g′(I) ≥ 0, g″(I) > 0. This means that as stakeholders learn of larger breaches through a realized indemnity, their perception of the IT security health of Fd is revised downward at an increasing rate. Also, consider that the loss from cyber risk can take any value on the positive real line and that the cyber contract is written with a deductible x1 and a cap x2.
Proposition 2
Facing a convex risk perception loss g(I(y)), for every realization x of its random cyber loss \( \tilde{X} \), an insured firm claims y = Min{x, x2, ξ∗}, where ξ∗ = I−1(g′−1(1)), when Min{x, x2, ξ∗} > x1 + g(Min{x, x2, ξ∗} − x1); otherwise the firm does not claim.
Proof
Let the net revenue from indemnity be R(y) = I(y) − g(I(y)). From the FOC, g′(I(y)) = 1 is the condition for the optimal claim, because the second-order derivative R″(y) = I″(y){1 − g′(I(y))} − I′(y)²g″(I(y)) is clearly negative at g′(I(y∗)) = 1.
Denote ξ∗ = I−1(g′−1(1)), and consider the following cases:
Case 1: x ≤ x1.
Because y ≤ x and x ≤ x1, I(y) = 0, g(I(y)) = 0, R(y) = 0; the insured firm does not claim.
Case 2: x1 < x.
Sub-case 2A: ξ∗ > x.
Knowing g(0) = 0, g′(I(ξ∗)) = 1 and ξ∗ > x, 1 − g′(I(y)) is positive in the range x1 < x < ξ∗. Thus R′(y) = I′(y){1 − g′(I(y))} is positive when I′(y) > 0 (I′(y) > 0 in the range x1 < y ≤ x2) and 0 when I′(y) = 0 (true in the range x2 < y). Beginning at x1, the value of I(y) increases monotonically until y = x2, beyond which it remains constant. However, if x < x2, the firm may claim only up to y = x. In other words, the firm claims Min{x, x2}. R = Min{x, x2} − x1 − g(Min{x, x2} − x1), and the firm claims when R > 0. Thus the effective claim strategy is: claim Min{x, x2} only when Min{x, x2} > x1 + g(Min{x, x2} − x1); else do not claim.
Sub-case 2B: ξ∗ ≤ x.
Here Fd claims Min{ξ∗, x2} when Min{x, x2} > x1 + g(Min{x, x2} − x1).
This defines an effective under-claiming range x − ξ∗ when ξ∗ < x. Q.E.D.
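The claim rule of Proposition 2 and its proof cases, as an added example (not the paper's own code). The contract is the paper's deductible-and-cap indemnity I(y) = Min{y, x2} − x1 above x1; the perception loss g is a constructed convex family g(I) = d·I + c·I² (c > 0, d ≥ 0), chosen because g′−1(1) then has a closed form, which is an assumption beyond the paper's g(0) = 0, g′ ≥ 0, g″ > 0. Setting d = 1 exercises the "else the firm does not claim" branch, where ξ∗ collapses to x1.

```python
"""Optimal claim y = Min{x, x2, xi*} under a convex risk-perception loss.
Added example; the quadratic g and all numbers are constructed."""
from dataclasses import dataclass


@dataclass
class Contract:
    x1: float  # deductible
    x2: float  # cap

    def indemnity(self, y):
        """I(y): zero up to the deductible, linear until the cap, then flat."""
        return max(0.0, min(y, self.x2) - self.x1)


@dataclass
class PerceptionLoss:
    """g(I) = d*I + c*I^2 with c > 0: g(0) = 0, g' >= 0, g'' > 0 (constructed)."""
    d: float
    c: float

    def g(self, i):
        return self.d * i + self.c * i * i

    def indemnity_at_unit_slope(self):
        """I* solving g'(I*) = 1; zero when g'(0) >= 1 (every dollar claimed costs >= a dollar)."""
        return max(0.0, (1.0 - self.d) / (2.0 * self.c))


def xi_star(k, gl):
    """xi* = I^{-1}(g'^{-1}(1)); I is linear above x1, so I^{-1}(I*) = x1 + I*."""
    return k.x1 + gl.indemnity_at_unit_slope()


def optimal_claim(x, k, gl):
    """Return (claim y, net revenue R = I(y) - g(I(y)), unclaimed loss x - y).

    Case 1 (x <= x1): nothing is indemnified, so no claim.
    Case 2: claim y = min(x, x2, xi*) only if y > x1 + g(y - x1); else no claim.
    When xi* is the binding term, x - y is the paper's under-claiming range x - xi*.
    """
    if x <= k.x1:
        return 0.0, 0.0, x
    y = min(x, k.x2, xi_star(k, gl))
    if y > k.x1 + gl.g(y - k.x1):
        i = k.indemnity(y)
        return y, i - gl.g(i), x - y
    return 0.0, 0.0, x


if __name__ == "__main__":
    k, gl = Contract(x1=10.0, x2=100.0), PerceptionLoss(d=0.0, c=0.01)
    print("xi* =", xi_star(k, gl))  # 60.0 for these constructed values
    for x in (5.0, 30.0, 80.0, 200.0):
        print(x, optimal_claim(x, k, gl))
```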
Cite this article
Bandyopadhyay, T., & Mookerjee, V. A model to analyze the challenge of using cyber insurance. Inf Syst Front 21, 301–325 (2019). https://doi.org/10.1007/s10796-017-9737-3
DOI: https://doi.org/10.1007/s10796-017-9737-3