Figure 7. Decisions, costs, and payoffs under contingent scenarios involving cyber insurance.
is no longer overpriced, and the cyber-insurance product is able to efficiently
transfer more IT risk from insured to
insurer.
[Figure 7 decision-tree labels: cyber contract, pay premium; breach / no breach; incur primary loss; symptomatic / systemic; public / private; claim / no claim; receive indemnity; (probabilistically) incur secondary loss.]
are thus rational for IT managers under certain circumstances; their lack
of interest in cyber-insurance products
is rational as well. More important, an
underclaiming strategy remains off-contract, possibly heralding information asymmetry between insurers and
insured firms in the cyber-insurance
market.
Information asymmetry
Figure 8 outlines how the cyber-insurance market could move through
possible scenarios of information
asymmetry. Initially, the market could
begin in naïve symmetry (quadrant
I) where neither the insured nor the
insurer knows the existence, nature,
or magnitude of the secondary loss.
As such, a cyber-insurance contract
is written with business prudence in
light of other established insurance
markets. As the insured firm utilizes
information assets in its business processes, the value of asset unuse, disuse,
abuse, and misuse becomes clearer. The insured firm realizes there
could be attendant secondary losses
following direct losses, as stakeholders reassess the firm’s post-breach security.
The insured firm now internalizes the ex-post definitions of the types
of breach discussed earlier, and managers formalize their optimized claiming strategy for symptomatic private
breaches, also discussed earlier. This
differs from the contract-intended
behavior, and the market moves from
naïve symmetry to information asymmetry (quadrant II).
Under information asymmetry, either the insured firm fails to credibly
signal its off-contract behavior or the
insurer ignores the signal while structuring the cyber-insurance contract.
Either way, the market is in a state of
information asymmetry, and the insured firm pays for the ensuing inefficiency.
The cyber-insurance market is, in
part, locked in a state of information
asymmetry. Only when the insurer,
in pricing the contract, considers that the insured
firm selectively uses the contracted
and de facto deductibles does the market move
to information symmetry (quadrant
III). When the insurer corrects its premium structure this way, the contract
Risk transfer
Employing the underclaiming strategy for symptomatic private breaches
has a profound effect on cyber insurance as an instrument for transferring
IT risk. Applicable for only some realized breaches, it reduces the expected
indemnity payout for a given level of
premium, causing firms to find the
instrument overpriced and hence unattractive. Since firms lack a credible
way to communicate their off-contract
claiming strategy under current contract provisions, they are forced to pay
for information asymmetry.
A detailed analysis of our mathematical model suggests that a cyber-insurance contract optimally transfers a lower amount of IT security risk
under information asymmetry. It also
suggests that further reducing risk
transfer depends on the level of secondary loss. It is important to realize
that the major consumers of cyber-insurance products are IT-intensive
firms that could face relatively high
secondary losses.
Unfortunately, IT-intensive firms
also likely find the proposed premium
structure overpriced in the presence of
information asymmetry, as in Figure
5. On the other hand, firms with low
IT security exposure may find cyber-insurance products less overpriced in
light of their lower secondary loss.
We have shown that in the presence
of secondary loss in symptomatic private breaches, the optimal deductible
d* is between d and r, as in Figure 5.
Further analysis shows the smaller
Figure 8. Information asymmetry and market transition.
[Quadrant labels: I. Naïve symmetry (uninformed insured); II. Information asymmetry (informed insured); III. Information symmetry (informed insured); Not possible (uninformed insured). Axis label: uninformed insurer.]