contributed articles
DOI: 10.1145/1592761.1592780
Proposed contracts tend to be overpriced because insurers are unable to anticipate customers’ secondary losses.
BY TRIDIB BANDYOPADHYAY, VIJAY S. MOOKERJEE, AND RAM C. RAO

Why IT Managers Don’t Go for Cyber-Insurance Products
Despite positive expectations, cyber-insurance products have failed to take center stage in the management of IT security risk. Market inexperience, leading to conservatism in pricing cyber-insurance instruments, is often cited as the primary reason for the limited growth of the cyber-insurance market. In contrast, here we provide a demand-side explanation for why cyber-insurance products have not lived up to their initial expectations. We highlight the presence of information asymmetry between customers and providers, showing how it leads to overpricing cyber-insurance contracts and helps explain why cyber insurance might have failed to deliver its promise as a cornerstone of IT security-management programs.
Technological controls often lag hackers’ skills at circumvention. As a result, residual IT security risks cannot be completely eliminated through technological advancement alone. Investment models [9] of information security suggest that residual IT security risks are transferable to a willing party through cyber insurance. Academic research [2] also corroborates the economic value of cyber insurance in managing the cyber risks integral to a firm’s operations. Cyber insurance refers to insurance contracts designed to mitigate liability issues, property loss and theft, data damage, loss of income from network outage and computer failures, Web-site defacement, and cyberextortion [12]. Current cyber-insurance products tend to provide three basic types of coverage: liability arising from theft of data; remediation in response to the breach; and legal and regulatory fines and penalties [1].
The size of the U.S. cyber-insurance market (annual premiums) was expected to reach $2.5 billion by 2005 [11], and insurance giants like AIG and Chubb created numerous cyber-insurance products for managing IT risk. However, IT managers still show little interest in cyber insurance for their risk-management programs; in 2008, the size of the cyber-insurance market was estimated at $450 million [1]. The 2006 CSI/FBI computer crime and security survey [8] reported that although firms use cyber insurance more than before, the annual rate of increase is not substantial; respondents indicating utilization of cyber-insurance products increased from 25% to 29% between 2005 and 2006.
Scant attack-loss data, lack of product-market experience, and accounting difficulties are the most commonly cited reasons for the market’s slow growth. These factors have led to conservatism by providers that err on the safe side by overpricing their products. However, in a competitive market,