
Cyber-Insurance

Cyber-insurance is an insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies or at least are not specifically defined in traditional insurance products. Coverage provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.

Because the cyber-insurance market in many countries is relatively small compared to other insurance products, its overall impact on emerging cyber threats is difficult to quantify. As the impact on people and businesses from cyber threats is also relatively broad when compared to the scope of protection provided by insurance products, insurance companies continue to develop their services.

Information technology is an inherent facet of virtually all modern businesses; the requirement for a separate product exists only because of a deliberate scoping exercise that has excluded theft and damage associated with modern technologies from the existing product lines.

Early works in the 1990s focused on the general merits of cyber-insurance, or protocols borrowed from digital cash to enable risk reallocation in distributed systems. In the late 1990s, when the business perspective of information security became more prominent, visions of cyber-insurance as a risk management tool were formulated.
Although its roots in the 1980s looked promising, battered by events such as Y2K and the 9/11 attacks, the market for cyber-insurance failed to thrive and remained in a niche for unusual demands. Coverage is tightly limited, and clients include SMBs (small and medium businesses) in need of insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations.

The infrastructure, the users, and the services offered on computer networks today are all subject to a wide variety of risks posed by threats that include distributed denial of service attacks, intrusions of various kinds, eavesdropping, hacking, phishing, worms, viruses, spam, etc. In order to counter the risk posed by these threats, network users have traditionally resorted to antivirus and anti-spam software, firewalls, intrusion-detection systems (IDSs), and other add-ons to reduce the likelihood of being affected by threats. In practice, a large industry (companies like Symantec, McAfee, etc.) as well as considerable research efforts are currently centered around developing and deploying tools and techniques to detect threats and anomalies in order to protect the cyber infrastructure and its users from the resulting negative impact of the anomalies.

Consequently, during 2005, a "second generation" of cyber-insurance literature emerged targeting risk management of current cyber-networks. The authors of such literature link the market failure with fundamental properties of information technology, especially correlated risk, information asymmetries between insurers and insureds, and inter-dependencies.

Current work on the existence of cyber-insurance markets is scarce. Among the important ones are the works by (i) Lelarge and Bolot, (ii) Pal, Golubchik, Psounis, and Hui, (iii) Johnson et al., and (iv) Shetty et al. These works first comment on the free-riding behavior of Internet users without the presence of cyber-insurance.
The works by Lelarge et al. and Shetty et al. present the benefits of cyber-insurance in incentivizing Internet users to invest appropriately in security; however, their works address restricted market types. Lelarge et al. do not model information asymmetry in their work. Shetty et al. prove that cyber-insurance markets are inefficient under conditions of information asymmetry. Johnson et al. discuss the role of the joint existence of self-insurance and market insurance on the adoption of the different types of insurance by users. In a more recent work, Pal et al. prove the inefficiency of cyber-insurance markets under conditions of partial information asymmetry and correlated risks and show the existence of efficient markets (both regulated and unregulated) under premium discrimination.

As of 2014, 90% of the cyber-insurance premium volume was covering exposure in the United States. Although at least 50 insurance companies have cyber-insurance product offerings, the actual writing is concentrated within a group of five underwriters. Many insurance companies have been hesitant to enter this coverage market, as sound actuarial data for the cyber exposure is non-existent. Hampering the development of this actuarial data is inadequate disclosure regarding cyber attacks by those affected. After a significant malware incident in 2017, however, Reckitt Benckiser released information on how much the cyberattack would impact financial performance, leading some analysts to believe the trend is for companies to be more transparent with data from cyber incidents.
