the ratio of secondary loss to the deductible, the lower is the relative overpricing of a cyber-insurance product. Thus, it appears that managers make a rational choice when using cyber-insurance products with high deductible d such that the effect of relative overpricing on their contracts is minimized. IT managers tend to self-insure the smaller losses yet attempt to provide assurance to their stakeholders of low-probability catastrophic breaches.^b

This analysis suggests that firms with IT-intensive business processes find themselves better off self-insuring a high proportion of their cyber-risk, whereas those with low-intensity IT processes could find cyber-insurance products less pricey under today's market conditions. In light of these outcomes, it becomes apparent why cyber insurance, as a market instrument, has seen little utilization or growth as a financial instrument in managing firms' IT security risk.
Outlook
The cyber-insurance market is characterized by information asymmetry in contracts resulting in the suboptimal transfer of IT risk. From a market perspective, moving to information symmetry (Figure 8, quadrant III) is desirable. Because insured firms pay the price for information asymmetry (quadrant II), a move to information symmetry necessarily increases the utility of the insured firm, with other conditions the same. However, the same may not hold for the insurer. A detailed analysis of the contingency tree (see Figure 7) suggests that under certain conditions (such as significant secondary loss) the insurer is better off under information asymmetry. Under other conditions, the insurer could be better off under information symmetry. This means the insurer would find it beneficial to lower premiums and thus grow the market for cyber insurance.
^b That firms buy cyber insurance with high deductibles was also pointed out by the IT director of a Dallas firm during a discussion with us at the University of Texas, Dallas. He explained that firms often buy cyber insurance to allay investors' fear of major losses from IT security breaches yet depend on the policies, procedures, and technical controls of IT security to manage more frequent but smaller losses.
Firms with a significant amount of IT in their core business processes largely constitute the demand side of the cyber-insurance market. The market is thus relatively homogeneous with respect to (high) secondary loss, and the insurer is better off in a market characterized by information asymmetry. This situation suggests that market mechanisms alone may not produce information symmetry in the cyber-insurance market. Because insured firms likely use high deductibles in cyber-insurance contracts and do not claim small yet frequent losses, the accumulation of claim data suffers. Lack of claim data may be one reason why, even after the past 10 years, cyber insurance is not a major component of corporate IT security initiatives. On the other hand, the relatively small size of the market keeps the costs of writing cyber-insurance contracts high, forcing insurers to impose high margins on individual contracts. Unless the market expands, insurers cannot gain more experience or accumulate significant actuarial data, and they feel no pressing motivation to move to information symmetry. This could mean the market stays locked in information asymmetry.
The structural problem with the market can be resolved if secondary loss were included in contracts. Exotic bundled contracts (individual contracts for primary and secondary losses designed in tandem and bundled together) could be a viable solution. Such contracts could accommodate the fact that primary losses are determined before the breach and secondary losses after it, so IT managers are able to make independent decisions concerning disclosures and claims. Even so, valuing secondary loss is more challenging than valuing primary loss, so there appears no easy solution, even if bundled contracts are written.
It is possible that along with increased regulatory compliance and oversight, the relative proportion of private breaches decreases, along with the information asymmetry between insurer and insured. Similarly, separating contracts on the basis of disclosure (compliance or discretionary) might also be a move in a positive direction. However, contracts offered by major insurers today are either architecture-oriented (such as a network breach), asset-based (such as a data breach), attack-specific (such as viruses and worms), or liability-focused. No offered contract considers secondary loss or accommodates the complexities of a firm's decision to file a claim in the face of secondary loss. It appears that without significant changes in the design of the contracts, there is little hope for the continued growth of the overall cyber-insurance market.
Tridib Bandyopadhyay (tbandyop@kennesaw.edu) is an assistant professor in the Department of Computer Science and Information Systems at Kennesaw State University, Kennesaw, GA.

Vijay S. Mookerjee (vijaym@utdallas.edu) is the Charles and Nancy Davidson Distinguished Professor of Information Systems and Operations Management in the School of Management at the University of Texas at Dallas.

Ram C. Rao (rrao@utdallas.edu) is the Founders Professor and a professor of marketing in the School of Management at the University of Texas at Dallas.