By Nicolas Zahn
What happens if the plans for your new product line get stolen by hackers working for your competition? What happens if merger plans get leaked by a disgruntled employee? What happens if you lose customer data one week before Christmas? Those questions are increasingly on the mind of managers as the question with cyber attacks is no longer if, but when. To deal with the risk of cyber attacks, companies are starting to look at a relatively new product to add to their risk management strategies: cyberinsurance.
Starting two to three decades ago, insurance companies came up with policies specifically tailored at cyber risks, e.g. financial damage due to data loss. As companies realized that their traditional insurance policies would likely not cover such events and cyber attacks became more frequent, demand for cyberinsurance increased and more insurance companies started offering policies. While growing, the market for cyberinsurance is still immature and faces challenges, mainly because the insurable risks differ greatly from other insurance markets.
A central aspect is setting a premium for a cyberinsurance policy. The premium is what connects the companies to the insurers: insurers, through their underwriting process, try to figure out what premium they have to charge a given company for a policy, and the companies compare different insurers by comparing the premiums they have to pay. To date, many companies claim that they are not buying cyberinsurance because the premiums are too high. High premiums are, however, not the result of greedy insurance companies, but rather reflect a lack of actuarial data and understanding of IT security as well as a lengthy and complicated underwriting process.
To address the issue of setting premiums for cyberinsurance, CSPRI has prepared a paper that outlines a research agenda for the near future. The paper is based on existing literature and complemented through interviews. The main purpose is to get people in academia, the insurance industry, companies, and the government thinking about the challenges of the cyberinsurance market focusing on the aspect of setting premiums.
There are two ways of determining premiums: through actuarial data and normative standards. With actuarial data, insurance companies are looking at past events to determine how likely they are to occur in the future. Sophisticated statistical models exist to determine this likelihood based on a number of factors for mature insurance markets, e.g. car insurance. With normative standards, insurance companies base their calculations on causal relationships between various factors, e.g. someone who never exercises being more likely to suffer from diabetes.
The premise of the paper is that the current method of setting premiums for cyberinsurance policies is flawed (see table). The underwriting process is too complex and the covered risks are not fully understood, leading to conservative pricing for policies. Actuarial data is missing because losses incurred through cyber attacks are hard to quantify and companies are unwilling to give up this information. The normative standards chosen by insurance companies do not necessarily reflect actual losses incurred by cyber attacks and hence, insurance companies might be setting false incentives for companies. One example is that using a certain operating system, deemed by an insurance company to be safer, results in a lower premium. However, the choice of an operating system alone does not reveal much about the state of a company’s IT security; cyberinsurance is not like car insurance.
While one could argue that the problems currently experienced in the cyberinsurance market will resolve over time, we raise the question: why wait? Cyberinsurance offers a great field of interdisciplinary studies where researchers, private sector representatives, and government officials can get together to resolve the barriers in the cyberinsurance market, thus allowing us to reap the benefits of this addition to the risk management portfolio.
Nicolas Zahn is a student in the Master of International Affairs Program at the Graduate Institute of International and Development Studies in Geneva, Switzerland. He spent the last semester on exchange at George Washington University’s Elliott School of International Affairs and worked as a student researcher together with Dr. Costis Toregas at the Cyber Security Policy and Research Institute.