36 research outputs found

    Enterprise Cyber Risk Management


    Why IT Managers Don't Go for Cyber-Insurance Products

    Despite positive expectations, cyber-insurance products have failed to take center stage in the management of IT security risk. Market inexperience, leading to conservatism in pricing cyber-insurance instruments, is often cited as the primary reason for the limited growth of the cyber-insurance market. In contrast, here we provide a demand-side explanation for why cyber-insurance products have not lived up to their initial expectations. We highlight the presence of information asymmetry between customers and providers, showing how it leads to overpricing of cyber-insurance contracts and helps explain why cyber insurance might have failed to deliver its promise as a cornerstone of IT security-management programs.

    Optimally Designing Cybersecurity Insurance Contracts to Encourage the Sharing of Medical Data

    Though the sharing of medical data has the potential to lead to breakthroughs in health care, the sharing process itself exposes patients and health care providers to various risks. Patients face risks due to the possible loss in privacy or livelihood that can occur when medical data is stolen or used in non-permitted ways, whereas health care providers face risks due to the associated liability. For medical data, these risks persist even after anonymizing/deidentifying the data sets prior to sharing according to the standards defined in existing legislation, because shared medical data can often be deanonymized/reidentified using advanced artificial intelligence and machine learning methodologies. As a result, health care providers are hesitant to share medical data. One possible solution to encourage health care providers to responsibly share data is through the use of cybersecurity insurance contracts. This paper studies the problem of designing optimal cybersecurity insurance contracts, with the goal of encouraging the sharing of medical data. We use a principal-agent model with moral hazard to model various scenarios, derive the optimal contract, discuss its implications, and perform numerical case studies. In particular, we consider two scenarios: the first scenario is where a health care provider is selling medical data to a technology firm that is developing an artificial intelligence algorithm using the shared data. The second scenario is where a group of health care providers share health data amongst themselves for the purpose of furthering medical research using the aggregated medical data.

    An Insurance-based Approach to Improving SME Cyber Security

    There has been increasing concern in recent years about the lack of urgency in SMEs regarding the security of their information. Concern stems from the risks the SMEs are taking not only with their own data, but also with the data they share with supply chain partners. Current surveys have shown that the situation is getting worse, with human error compounded by cybercriminals exploiting weaknesses in SME systems and using them to hack supply chain hubs. In this paper, a researcher and a practitioner from the UK investigate possible reasons for SMEs' apparent lack of interest in securing data, or in developing information security management systems (ISMSs). In the absence of UK legislation, the only way SMEs are likely en masse to improve their information security is through pressure from supply chain partners, and particularly supply chain hubs. The authors present an interesting development in cyber liability insurance which provides the basis for a cost-effective solution that will encourage good information assurance across the supply chain. The solution, offered in association with a major international insurer, is explained in detail in this paper. It has the dual advantages for participating SMEs of ensuring that they achieve a level of information assurance that will offer them actual protection, and at the same time providing them with insurance that will protect them financially against data breaches or other costly consequences of weak information security. The scheme used will provide actuarial evidence for the insurer to further refine the model. Clients that cannot show evidence of a base level of security will not get insurance cover; by contrast, those assessed as being more secure will be eligible for a discount. The tool used in this model is a self-assessed version of the IASME or Cyber Essentials information assurance standards, both recently developed in the UK to meet the needs of SMEs wishing to safeguard their precious information but not possessing the resources to achieve the ISO27001 standard.

    Cyber risk: an analysis of self-protection and the prediction of claims

    For a set of Brazilian companies, we study the occurrence of cyber risk claims by analyzing the impact of self-protection and the prediction of their occurrence. We bring a new perspective to the study of cyber risk, analyzing the probabilities of acquiring protection against this type of risk by using propensity scores. We consider the problem of whether acquiring cyber protection improves network security using a matching method that allows a fair comparison among companies with similar characteristics. Our analysis, assisted with Brazilian data, shows that despite informal arguments that favor self-protection against cyber risks as a tool to improve network security, in the presence of self-protection against cyber risks the incidence of claims is higher than if there were no protection. Regarding the prediction of the occurrence of a claim, a system based on a feedforward multilayer perceptron neural network was created, and its performance was measured. Our results show that, when applied to the relevant information of the companies under study, it presents a very good performance, reaching an efficiency in general classification above 85%. The use of neural networks can thus be quite opportune in helping to solve the problem presented.

    Rethinking FS-ISAC: An IT Security Information Sharing Network Model for the Financial Services Sector

    This study examines a critical incentive alignment issue facing FS-ISAC (the information sharing alliance in the financial services industry). Failure to encourage members to share their IT security-related information has seriously undermined the founding rationale of FS-ISAC. Our analysis shows that many information sharing alliances' membership policies are plagued with the incentive misalignment issue and may result in a "free-riding" or "no information sharing" equilibrium. To address this issue, we propose a new information sharing membership policy that incorporates an insurance option and show that the proposed policy can align members' incentives and lead to a socially optimal outcome. Moreover, when a transfer payment mechanism is implemented, all member firms will be better off joining the insurance network. These results are demonstrated in a simulation in which IT security breach losses are compared both with and without participation in the proposed information sharing insurance plan.