Pricing and Investments in Internet Security: A Cyber-Insurance Perspective

Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spams, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as self-defense mechanisms. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In this regard, an important research problem is the analysis of optimal user self-defense investments and cyber-insurance contracts under the Internet environment. In this paper, we investigate two problems and their relationship: 1) analyzing optimal self-defense investments in the Internet, under optimal cyber-insurance coverage, where optimality is an insurer objective and 2) designing optimal cyber-insurance contracts for Internet users, where a contract is a (premium, coverage) pair

Evaluation of Cyber Insurance as a Risk Management Tool Providing Cyber-Security

Purpose – to clarify the characteristics of cyber risk and cyber insurance. More specifically to identify key parts of cyber insurance contract and analyse cyber insurance market. Design/methodology/approach: methodologically this research paper concentrates on analyses and study of scientific literature in order to provide the proper description and classification of cyber risks. Also statistical data was collected and analysed to provide a cyber-risk insurance market overview. Moreover, to prepare the underwriting methodology part in this paper, the scientific literature deduction was used, to reach conclusions from collected information sources. Findings: firstly, this research paper provides an explicit definition of a cyber-risk and cyber insurance. In general, financial institutions and regulators of insurance market categorize cyber type risks as a part of operational risk because it is related to technology and information assets. Therefore, cyber risk is described as operational risk that affects technology assets, information, databases and other sensitive online storage. According to guidelines provided in Solvency II and Basel II documents, cyber risks can be put into four categories: technology and system failures, unsuccessful internal processes, act of people, external processes. These four categories of potential cyber risks are described particularly in this article. Secondly, the comprehensive cyber insurance market analyses is provided following the article. According to AXA Insurance Solutions company there was 170 insurers offering cyber liability policies in 2017 and about 30 more new carriers joined the market in 2018. According to the Cyber Policy Inc. the number 5 cyber insurance carriers in the marker is: AIG; Chubb; Hiscox, Liberty Mutual, HSB. With the beginning of 2019 it is expected from buyers to keep pressuring the insurance companies to deliver even more comprehensive services, more coverage options and potential. In general, cyber insurance market is supposed to remain stable, but the quality of policy language should evolve together with other endorsements to general cyber insurance policy. Thirdly, the general guidelines of underwriting the cyber insurance coverage policy is provided within this paper. In order to implement any form of risk reduction for cyber risk (also including insurance), the company at first should very clearly expose its potential vulnerabilities and weaknesses. Three types of general internal company’s information can be marked out for preparing the cyber insurance coverage background: IT related information; human resources; finance, internal audit, legal issues. For insurance company to better understand the company the general business information is most important part. In order to extent the company’s disclosure to cyber threats and to better prepare the solutions if insurance this business profile information should be conducted very carefully. Prevention is one of the most important factors of a cyber-risk insurance policy. Companies that are buying cyber risk insurance may get access to pre-breach assessments, prevented suppliers or cybersecurity information for this purpose. Research limitations: this research paper concentrates on the European Union insurance market and experience of the insurer located in the EU. Moreover, this field of research is very unstable and the changing very fast together with continuously development of IT services sector. More studies and analyses should be made together with the changing environment of cyber security. Practical implications: this research paper may serve not only for further studies and scientific discussion. Moreover, it could be useful for the businesses as a valuable tool to better understand what cyber insurance is, how to prepare for implementing cyber security policy in the company

Policy measures and cyber insurance: a framework

The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public–private partnership. This paper rectifies this omission and presents a framework to help underpin such a partnership, giving particular consideration to possible government interventions that might affect the cyber insurance market. We have undertaken a qualitative analysis of reports published by policy-making institutions and organisations working in the cyber insurance domain; we have also conducted interviews with cyber insurance professionals. Together, these constitute a stakeholder analysis upon which we build our framework. In addition, we present a research roadmap to demonstrate how the ideas described might be taken forward