secondary loss is py. Clearly, the firm
has no reason to claim for losses up to
r = d + py. By the second binary criterion, all symptomatic private breaches
causing primary loss of magnitude
between d and r are now likely to be
unclaimed (see Figure 5). Note that r,
not the contracted deductible d, is the
de facto deductible for the symptomatic private breaches. Assuming that a
portion of the realized breaches would
be symptomatic private breaches, the
unique optimized deductible d* lies
somewhere between d and r (d < r).
This happens for any arbitrary deductible d the firm might choose. The overall optimized deductible d* the firm
must optimally use is always greater
than d. More important, whenever a
cyber-insurance contract with an arbitrary deductible d is operationalized at
d*, the insured firm stands to lose part
of the expected indemnity payout over
the contract horizon; see Figure 5 for
the location of this unique deductible.
Only when the firm faces no secondary loss or symptomatic private
breaches (or both) do d and d*
coincide, and the insured firm exhibits
contract-intended behavior under all
circumstances. Two interesting observations follow when a firm selectively uses the contracted or de facto
deductible depending on the type of
realized breach:
˲ The higher the secondary loss, the
farther apart are d and r, meaning d
and d* are farther apart as well; and
˲ A greater proportion of symptomatic private breaches over the contract
horizon increases the relative frequency with which the de facto deductible r
(not the contract-intended d) is used.
This proportionally raises the amount
of indemnity to be lost in the process,
as in Figure 5.
In effect, IT managers looking toward the contract horizon anticipate
too little expected indemnity from
cyber-insurance products, so the contract appears overpriced. For the same
premium, the firm must use a higher
overall deductible (see Figure 6).
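The arithmetic behind the two observations above, as an added example that is not from the article: it assumes primary loss X uniform on [0, max_loss] (as the figures are drawn), that a symptomatic private breach is claimed only above r = d + secondary and then paid X - d, and it takes d* to be the single deductible that yields the same expected indemnity, which stands in for the article's optimized d*. The names q, secondary and max_loss and all numbers are constructed.

```python
from math import sqrt


def intended_indemnity(d, max_loss):
    """E[max(X - d, 0)] for X ~ Uniform(0, max_loss): every loss above d is claimed."""
    return (max_loss - d) ** 2 / (2 * max_loss)


def realized_indemnity(d, secondary, q, max_loss):
    """Expected indemnity when a fraction q of breaches are symptomatic private
    breaches, which the firm claims only above r = d + secondary (assumption:
    once claimed, the payout is still X - d)."""
    r = d + secondary
    if not (0 <= d <= r <= max_loss and 0 <= q <= 1):
        raise ValueError("need 0 <= d <= r <= max_loss and 0 <= q <= 1")
    # q * E[(X - d) for d < X <= r] = q * secondary^2 / (2 * max_loss)
    unclaimed = q * secondary ** 2 / (2 * max_loss)
    return intended_indemnity(d, max_loss) - unclaimed


def equivalent_deductible(d, secondary, q, max_loss):
    """d*: the one deductible whose intended indemnity equals the realized one.
    Assumed definition, standing in for the article's optimized d*."""
    target = realized_indemnity(d, secondary, q, max_loss)
    return max_loss - sqrt(2 * max_loss * target)


def summarize(d, secondary, q, max_loss):
    """Return r, d* and the expected indemnity the firm gives up."""
    lost = intended_indemnity(d, max_loss) - realized_indemnity(d, secondary, q, max_loss)
    return {"r": d + secondary,
            "d_star": equivalent_deductible(d, secondary, q, max_loss),
            "lost": lost}


if __name__ == "__main__":
    # Constructed inputs (say, thousands of dollars); not data from the article.
    for secondary, q in [(0, 0.5), (20, 0.0), (20, 0.5), (40, 0.5), (40, 0.9)]:
        s = summarize(d=10, secondary=secondary, q=q, max_loss=100)
        print(f"secondary={secondary:>2} q={q:.1f}  r={s['r']:>2}  "
              f"d*={s['d_star']:6.2f}  indemnity lost={s['lost']:.2f}")
```

With no secondary loss or no symptomatic private breaches, d* collapses to d; raising either one pushes d* toward r and increases the indemnity forgone.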
Figure 7 outlines the complete cyber-insurance utilization scenario. No
behavior and underclaiming behavior
Figure 3. Relationship among loss, deductible, and indemnity in a cyber-insurance contract. [Axes: indemnity vs. primary loss; deductible d marked; 45° line. Indemnity is realized on the dashed line (in the direction of the arrow), as primary loss increases.]

Figure 4. Relationship between premium and deductible in a cyber-insurance contract. [Axes: premium vs. deductible; labels: cyber contract (P, d), downward falling rate of premium (P). Drawn for uniform primary loss and constant market loading factor.]

Figure 5. Relationship between de facto deductible r and realized indemnity I. [Axes: indemnity vs. primary loss, with d and r marked; labels: contracted deductible, secondary loss, indemnity realized, "d* would lie somewhere here". Indemnity is realized in the direction of the dashed arrow, as primary loss in symptomatic private breach increases.]

Figure 6. Perceived overpricing of a cyber-insurance contract. [Axes: premium vs. deductible; labels: (P, d), (P, d*), contract as offered, contract operationalized, perceived overpricing, ΔP. Drawn for uniform primary loss and constant market loading factor.]

downward risk revision is a function of the
magnitude of the primary loss. The fundamental insights from each case are the same.