23,079 research outputs found

    The Law and Economics of Cyber Insurance Contracts

    This Article combines cyber risk literature with insurance law and economics literature to study cyber insurance contracts. It aims to explore to what extent current cyber insurance contracts contribute to social welfare, both theoretically and empirically. First, main trade-offs in insuring cyber risk are discussed within a theoretical framework that also takes into account strategic behavior of market participants and impediments for market growth that result from the complex dynamics of cyber risk. Subsequently, a case study in the Netherlands compares the theoretical expectations with the actual state of cyber insurance contracts, prices and market participants. The results suggest that insurers currently halt between two options: either a strategy of rigorous market penetration with easily accessible and attractive insurance products, or a strategy of significant hedging of correlated risks that reduces the potential of cyber insurance. This Article also aims to assist lawyers, legal counsel and judges when drafting or reviewing actual cyber insurance contracts.

    The Economics of Cyber-Insurance

    The cyber-insurance market currently is at a nascent stage. According to the German reinsurance company Munich Re, worldwide spending on cyber-insurance was US$3.4-US$4 billion in 2017, which is estimated to increase to US$8-US$9 billion by 2020 (https://tinyurl.com/ycrwhvlf). Cyber-insurance premiums currently account for only a tiny fraction of total insurance premiums. For instance, in OECD economies alone, total insurance premiums exceeded US$5 trillion in 2016 (https://data.oecd.org/insurance/gross-insurance-premiums.htm).

    The law and economics of cyber risk pooling

    In this paper, we study the law and economics of cyber risk pooling arrangements: risk sharing without an insurer. We start our discussion with the current theoretical foundations for risk shifting in cyber security. We subsequently discuss cyber risk pooling in relation to individual risk management and cyber insurance. This leads to the formulation of conditions for effective risk pooling in cyber security. We show that pooling, under some circumstances, may be more effective than cyber insurance. The main question for future research is whether risk pools in cyber security are capable of compartmentalization of risks and whether transaction costs of monitoring can be kept sufficiently low.

    Pricing cyber-insurance for systems via maturity models

    Pricing insurance for risks associated with information technology systems presents a complex modelling challenge, combining the disciplines of operations management, security, and economics. This work proposes a socioeconomic model for cyber-insurance decisions composed of entity relationship diagrams, security maturity models, and economic models, addressing a long-standing research challenge of capturing organizational structure in the design and pricing of cyber-insurance policies. Insurance pricing is usually informed by the long experience insurance companies have of the magnitude and frequency of losses that arise in organizations based on their size, industry sector, and location. Consequently, their calculations of premia will start from a baseline determined by these considerations. A unique challenge of cyber-insurance is that data history is limited and not necessarily informative of future loss risk, meaning that established actuarial methodology for other lines of insurance may not be the optimal pricing strategy. The model proposed in this paper provides a vehicle for agreement between practitioners in the cyber-insurance ecosystem on cyber-security risks and allows for the users to choose their desired level of abstraction in the description of a system. Comment: 31 pages, 12 figures, 11 tables

    The barriers to sustainable risk transfer in the cyber-insurance market

    Efficient risk transfer is an important condition for ensuring the sustainability of a market according to the established economics literature. In an inefficient market, significant financial imbalances may develop and potentially jeopardise the solvency of some market participants. The constantly evolving nature of cyber-threats and lack of public data sharing mean that the economic conditions required for quoted cyber-insurance premiums to be considered efficient are highly unlikely to be met. This paper develops Monte Carlo simulations of an artificial cyber-insurance market and compares the efficient and inefficient outcomes based on the informational setup between the market participants. The existence of diverse loss distributions is justified by the dynamic nature of cyber-threats and the absence of any reliable and centralised incident reporting. It is shown that the limited involvement of reinsurers when loss expectations are not shared leads to increased premiums and lower overall capacity. This suggests that the sustainability of the cyber-insurance market requires both better data sharing and external sources of risk-tolerant capital. Comment: 32 pages, 9 figures, 17 tables

    Public Policy and the Insurability of Cyber Risk

    In June 2017, the food and beverage conglomerate Mondelez International became a victim of the NotPetya ransomware attack. Around 1,700 of its servers and 24,000 of the company’s laptops were suddenly and permanently unusable. Commercial supply and distribution disruptions, theft of credentials from many users, and unfulfilled customer orders soon followed, leading to losses that totaled more than $100 million. Unfortunately, Zurich, which had sold the company a property insurance policy that included a variety of coverages, informed Mondelez in 2018 that cyber coverage would be denied under the policy based on the “war exclusion clause.” This case, now pending, will be a watershed moment for the cyber insurance industry, highlighting the great ambiguity around the insurability of certain types of cyber risk and the scope of coverage that insurers will provide in the case of a cyber incident. The literature on the insurability of cyber risk has focused all of its attention on questions of economic efficiency and viability. Scholarship has, for example, examined the actuarial challenges in cyber risk modeling and the likelihood for adverse selection resulting from information asymmetries and lack of historical claims data. Scholars have so far avoided a different set of considerations rooted not in economics but rather in public policy analysis of societal values. This paper lays the framework for such an analysis. Relying on traditional insurance and torts jurisprudence, the paper makes the public policy case for limited legal interventions in the indemnification of three controversial categories of cyber harm: (1) acts of cyber terrorism or state-sponsored cyber operations; (2) extortion payments for ransomware attacks; and (3) administrative fines for violations of statutory data protection regulations. 
    In so doing, the paper highlights systemic challenges to cyber insurance underwriting while explaining insurers’ role in increasing societal cyber posture by reducing the likelihood of moral hazard and suboptimal cyber-norms enforcement.

    The barriers to sustainable risk transfer in the cyber-insurance market

    Efficient risk transfer is an important condition for ensuring the sustainability of a market according to the established economics literature. In an inefficient market, significant financial imbalances may develop and potentially jeopardize the solvency of some market participants. The constantly evolving nature of cyber-threats and lack of public data sharing mean that the economic conditions required for quoted cyber-insurance premiums to be considered efficient are highly unlikely to be met. This paper develops Monte Carlo simulations of an artificial cyber-insurance market and compares the efficient and inefficient outcomes based on the informational setup between the market participants. The existence of diverse loss distributions is justified by the dynamic nature of cyber-threats and the absence of any reliable and centralized incident reporting. It is shown that the limited involvement of reinsurers when loss expectations are not shared leads to increased premiums and lower overall capacity. This suggests that the sustainability of the cyber-insurance market requires both better data sharing and external sources of risk-tolerant capital.