contributed articles

Doi: 10.1145/1592761.1592780

Proposed contracts tend to be overpriced
because insurers are unable to anticipate
customers’ secondary losses.

By Tridib Bandyopadhyay, Vijay S. Mookerjee, and Ram C. Rao

Why IT Managers Don't Go for Cyber-Insurance Products

Despite positive expectations, cyber-insurance products have failed to take center stage in the management of IT security risk. Market inexperience, leading to conservatism in pricing cyber-insurance instruments, is often cited as the primary reason for the limited growth of the cyber-insurance market. In contrast, here we provide a demand-side explanation for why cyber-insurance products have not lived up to their initial expectations. We highlight the presence of information asymmetry between customers and providers, showing how it leads to overpricing cyber-insurance contracts and helps explain why cyber insurance might have failed to deliver its promise as a cornerstone of IT security-management programs.

Technological controls often lag hackers' skills at circumvention. As a result, residual IT security risks cannot be completely eliminated through technological advancement alone. Investment models [9] of information security suggest that residual IT security risks are transferable to a willing party through cyber insurance. Academic research [2] also corroborates the economic value of cyber insurance in managing the cyber risks integral to a firm's operations. Cyber insurance refers to insurance contracts designed to mitigate liability issues, property loss and theft, data damage, loss of income from network outage and computer failures, Web-site defacement, and cyberextortion [12]. Current cyber-insurance products tend to provide three basic types of coverage: liability arising from theft of data; remediation in response to the breach; and legal and regulatory fines and penalties [1].

The size of the U.S. cyber-insurance market (annual premiums) was expected to reach $2.5 billion by 2005 [11], and insurance giants like AIG and Chubb created numerous cyber-insurance products for managing IT risk. However, IT managers still show little interest in cyber insurance for their risk-management programs; in 2008, the size of the cyber-insurance market was estimated at $450 million [1]. The 2006 CSI/FBI computer crime and security survey [8] reported that although firms use cyber insurance more than before, the annual rate of increase is not substantial; respondents indicating utilization of cyber-insurance products increased from 25% to 29% between 2005 and 2006.

Scant attack-loss data, lack of product-market experience, and accounting difficulties are the most commonly cited reasons for the market's slow growth. These factors have led to conservatism by providers that err on the safe side by overpricing their products. However, in a competitive market,
