185 research outputs found

    Affirmative and silent cyber coverage in traditional insurance policies : Qualitative content analysis of selected insurance products from the German insurance market

    This paper examines the design of affirmative and silent coverage in view of the cyber risks in traditional insurance policies for select product lines on the German market. Given the novelty and complexity of the topic and the insufficient coverage in the literature, we use two different sources. We analysed the general insurance terms and conditions of different traditional insurance lines using Mayring’s qualitative content analysis. Also, we conducted interviews with experts from the German insurance industry to evaluate how insurers understand their silent cyber exposures, and what measures they take to deal with this new exposure. The study shows a considerable cyber liability risk potential for insurers in the considered insurance lines. This arises from the affirmative as well as silent cover inclusions and exclusions for cyber risks, which result from imprecise wordings of insurance clauses and insufficient descriptions of the contractually specified scope of the insurance coverage.

    Known Unknowns: The Delusion of Terrorism Insurance


    Cyber insurance as a risk manager

    The objective of this study is to understand how Canadian insurance companies conceptualize cyber risks in order to be able to quantify residual or constantly evolving losses. Through 10 qualitative interviews with insurance professionals, we found that purchasing cyber insurance can help business owners manage the risks caused by cybercrime. The study shows that cyber insurance contributes to the understanding and dissemination of knowledge about cybercrime. This is facilitated by continuous research on the phenomenon and by the updating of these insurance policies. It was also found that insurance professionals facilitate the application of cyber prevention measures. This management is made possible by the tools available to insurers for evaluating the security components used to counter cyber attacks. Finally, the research demonstrates that the insurance sector plays a major role in the surveillance and governance of cyber risks.

    The goal of this research is to understand how Canadian insurance companies conceptualize cyber risks to quantify a residual or evolving loss. Through ten qualitative semi-structured interviews conducted with insurance professionals throughout Canada, we found that the purchase of cyber coverage contributes to the risk management efforts. Companies are increasingly looking to implement or enhance their cyber security measures through cyber insurance. In fact, the study found that cyber insurance can serve three purposes. The first is that it allows for a better understanding and diffusion of knowledge through the continuous research on cybercrimes and the revision of cyber policies. The second finding is that insurance professionals work with companies to assess and facilitate the integration of preventive measures. This is based on the tools they use to assess a company’s cyber security infrastructure. Finally, the study found that insurance companies have a considerable societal impact on the surveillance and governance of cybercrimes.

    From intangibility to 'fluid' tangibility of cyberrisk: localisation, visualisation, and prevention

    Doctoral thesis (PhD) – Nord University, 2022

    Cyber Risks, Potential Liabilities and Insurance Responses in the Marine Sector

    The marine sector is vulnerable to cyber-attacks as it becomes more dependent on information and operational technology systems connected to the internet. While this allows for greater efficiency, the interconnected nature of such systems will expose the sector to new and evolving cyber risks. The research begins by briefly examining the nature of cyber risks, identifying likely threat actors and the motivation behind such attacks. Through the use of hypothetical scenarios, the researcher i) identified some of the cybersecurity vulnerabilities particular to the marine sector, ii) identified the potential losses and liabilities from a cyber-attack / incident and iii) analysed how insurance may be used to mitigate the risks, focusing specifically on the adequacy of traditional marine policies as well as cyber insurance policies to cover such risks. Traditional marine policies were analysed to identify the gaps in cyber coverage, in addition to the recognition that without a clearly written cyber exclusion clause, insurers will be exposed to risks and liabilities they did not intend to cover. As for Assureds, while traditional hull and cargo insurance policies may cover some risk, they will not fully cover losses unique to cyber risks such as network failure, data loss, business interruption, cyber espionage and reputational damage, so they too may not have adequate coverage against cyber-attacks. The main conclusion from the research is that marine and cyber insurance policies currently available do not adequately protect against cyber related losses and liabilities, particularly those unique to the marine sector. This is primarily due to the extensive list of exclusions found in cyber insurance policies and commonly used cyber exclusion clauses usually attached to traditional marine policies. The coverage limits are also inadequate to cover the potential losses to marine facilities and assets which are usually connected to a complex supply chain.

    Bridging the Gap between Security Competencies and Security Threats: Toward a Cyber Security Domain Model

    Security incidents are increasing in a wide range of organizational types and sizes worldwide. Although various threat models already exist to classify security threats, they seem to take insufficient account of which organizational assets the threat events are targeting. Therefore, we argue that conducting more job-specific IT security training is necessary to ensure organizational IT security. This requires considering which assets employees use in their daily work and for which threat events employees need to build up IT security competencies. Subsequently, we build a framework-based Cyber Security Domain Model (CSDM) for IT-secure behavior. We follow the Evidence Centered Assessment Design (ECD) to provide a deep-dive analysis of the domain for IT-secure behavior. As the leading result relevant for research and practice, we present our CSDM consisting of 1,087 cyber threat vectors and apply it to five job specifications.

    Managing cyber risk in organizations and supply chains

    In Industry 4.0, modern organizations are characterized by extensive digitalization and use of Information Technology (IT). Even though there are significant advantages in such technological progress, a noteworthy drawback is represented by cyber risks, whose occurrence has dramatically increased over the last years. The information technology literature has shown great interest in the topic, identifying mainly technical solutions to face these emerging risks. Nonetheless, cyber risks cause business disruption and damages to tangible and intangible corporate assets and require a major integration between technical solutions and strategic management. Recently, the risk management domain and the supply chain literature have provided studies about how an effective cyber risk management process should be planned, to improve organizational resilience and to prevent financial drawbacks. However, the aforementioned studies are mainly theoretical and there is still a significant lack of empirical studies in the management literature measuring the potential effects of cyber threats within single companies, and along networks of relationships, in a wider supply chain perspective. The present thesis aims at filling some of these gaps through three empirical essays. The first study has implemented a Grounded Theory approach to develop an interview targeting 15 European organizations. Afterwards, the fuzzy set Qualitative Comparative Analysis (fsQCA) has been performed, in order to ascertain how managers perceive cyber risks. Results contradict studies that focus merely on technical solutions, and confirm the dynamic capability literature, which highlights the relevance of a major integration among relational, organizational, and technical capabilities when dealing with technological issues. Moreover, the study proposes a managerial framework that draws on the dynamic capabilities view, in order to consider the complexity and dynamism of IT and cyber risks. The framework proposes to implement both technical (e.g. software, insurance, investments in IT assets) and organizational (e.g. team work, human IT resources) capabilities to protect the capability of the company to create value. The second essay extends the investigation of the drawbacks of cyber risks to supply chains. The study conducts a Grounded Theory empirical investigation of several European organizations that rely on security and risk management standards in order to choose the drivers of systematic IT and cyber risk management (risk assessment, risk prevention, risk mitigation, risk compliance, and risk governance). The evidence gleaned from the interviews has highlighted that investments in supply chain mitigation strategies are scant, resulting in supply chains that perform as if they had a much higher risk appetite than managers declared. Moreover, a general lack of awareness has emerged regarding the effects that IT and cyber risks may have on supply operations and relationships. Thus, a framework drawing on supply chain risk management is proposed, offering a holistic risk management process, in which strategies, processes, technologies, and human resources should be aligned in coherence with the governance of each organization and of the supply chain as a whole. The final result should be a supply chain where the actors share more information throughout the whole process, which guarantees strategic benefits, reputation protection, and business continuity. The third essay draws on the Situational Crisis Communication Theory (SCCT) to ascertain whether and how different types of cyber breaches differently affect the corporate reputation, defined as a multidimensional construct in which perceptions of customers, suppliers, (potential) employees, investors and local communities converge. Data breaches have been categorized into three groups by the literature, meaning intentional and internal to the organization (e.g., malicious employees stealing customers’ data), unintentional and internal to the organization (e.g., incorrect security settings that expose private information), and intentional and external to the organization (e.g., ransomware infecting companies’ software). However, this is among the first studies to analyse the different reputational drawbacks these types may cause. Moreover, the study considers that, in the Industry 4.0 era, social media analysis may be of paramount importance for organizations to understand the market. In fact, user-generated content (UGC), meaning the content created by users, might help in understanding which dimensions of the corporate reputation have been more attacked after a data breach. In this context, the study implements the Latent Dirichlet Allocation (LDA) automated method, a base model in the family of “topic models”, to extract the reputational dimensions expressed in UGC of a sample of 35 organizations in nine industries that had a data breach incident between 2013 and 2016. The results reveal that in general, after a data breach, three dimensions (perceived quality, customer orientation and corporate performance) are a subject of debate for users. However, if the data breach was intentional and malicious, users focused more on the role of firms’ human resources management, whereas if users did not identify a responsible party, users focused more on privacy drawbacks. The study complements crisis communication research by categorizing, in a data breach context, stakeholders’ perceptions of a crisis. In addition, the research is informative for risk management literature and reputation research, analysing corporate reputation dimensions in a data breach crisis setting.