Insurance plays an important role in enhancing resilience to cyber threats, which are rising as a result of digitalisation and growing hacker capabilities. The market for standalone cyber insurance has expanded sharply in the last few years, but the dynamic nature of cyber risk requires insurers, businesses and governments to constantly evaluate and update their approaches to cybersecurity.
The articles in the April 2023 special issue of The Geneva Papers on Risk and Insurance, edited by Martin Eling and Martin Boyer, focus on three important aspects of cyber risk – ransomware, modelling and risk management.
The rise of ransomware
In Insurance and enterprise: cyber insurance for ransomware, Tom Baker and Anja Shortland examine the history of cyber insurance and the rise and evolution of ransomware-as-a-service (RaaS). They describe how the emergence of cryptocurrencies as a payment mechanism led to a shift away from data theft towards cyber extortion, with the first RaaS business models appearing in 2016. The rise of double extortion strategies a couple of years later has presented insurers and their customers with a difficult tradeoff – quick ransom payments minimise liability risk but may encourage further attacks. The authors suggest that safe havens for companies that choose not to pay ransoms could incentivise the creation of governance infrastructures that help reduce the profitability of ransomware.
Anna Cartwright et al. analyse the impact of cyber insurance on an organisation’s decision to pay a ransom in How cyber insurance influences the ransomware payment decision: theory and evidence. Their interviews with cyber and ransomware experts revealed different perspectives – some argued that making the payment is the fastest and least costly way to recover, while others stated that it does not significantly alleviate losses and can be time consuming. Taking the severity of the attack into account revealed clearer differences: for highly severe attacks (those involving either significant business interruption and/or the exfiltration of sensitive data), those with insurance were more likely to pay the ransom. Their analysis also showed that businesses with cyber insurance have significantly higher levels of cybersecurity, suggesting they are less vulnerable to such severe attacks.
Cyber loss modelling
In Cyber loss model risk translates to premium mispricing and risk sensitivity, Gareth Peters et al. investigate whether model risk is present in cyber risk data and, if so, how it translates into premium mispricing. Using the largest industry cyber loss database, obtained from Advisen, they found that some of the biggest losses were incompletely reported, rounded and approximated and that some were never settled or realised, leading to model risk. This has the potential to lead to significant mispricing in charged premiums and makes it difficult to accurately assess the insurability of cyber risk.
Daniel Zängerle and Dirk Schiereck develop a model to predict the likelihood, severity and time dependence of a company’s cyber risk exposure in Modelling and predicting enterprise-level cyber risks in the context of sparse data availability. They use the Öffentliche Schadenfälle OpRisk database, an operational risk database on publicly disclosed loss events in the European financial sector, to predict the likelihood and loss exposure of a potential cyber incident. The results suggest that cyber risks are actually less severe than claimed in recent studies and that subindustries should be modelled separately due to clear differences in the level of risk posed.
In Modelling maximum cyber incident losses of German organisations: an empirical study and modified extreme value distribution approach, Bennet von Skarczinski et al. use a survey of 5,000 German organisations to examine cyber losses. They find that median and mean losses increase as the number of employees of an organisation increases. In terms of the type of losses, those from revenue shortfalls are the most statistically significant. Though the range of cyber losses is quite large, the median is between EUR 1,000 and EUR 3,000, indicating that most organisations suffer only small losses. They then introduce a novel approach to modelling cyber losses, which they find outperforms other existing methods.
The article by Gabriela Zeller and Matthias Scherer, Risk mitigation services in cyber insurance: optimal contract design and price structure examines how risk reduction services should be priced by insurers. It distinguishes between two types of risk reduction services: self-protection, activities that reduce the probability of loss, and self-insurance, activities that reduce the severity of potential losses. For single contracts, insurers do not have economic incentives to subsidise pure self-protection services and will therefore shift the full cost to the insurance buyer. However, this does not generally hold for the pricing of self-insurance services or when taking a portfolio viewpoint, i.e. considering the potential interconnectedness of cyber losses across policyholders, in which case sharing the cost of the risk reduction service between the insurer and policyholder can be optimal.
Managing cyber risk
In Coordination of cybersecurity risk management in the U.K. insurance sector, Paul Klumpes explores the efforts of the U.K. government and regulators to coordinate cybersecurity risk management among insurers. Though the cost of cyberattacks and investment in computer systems are found to have increased significantly over the past decade or so, cybersecurity efforts have not improved alongside. The paper also identifies a number of important regulatory gaps, including the fact that there is no single financial regulatory authority with responsibility for the supervision of insurance firms and that there are no specific U.K. regulatory requirements for the reporting of cyber incidents.
Access the full issue here (subscription required): https://link.springer.com/journal/41288/volumes-and-issues/48-2