overpricing is generally corrected over time, as risks/uncertainties are better understood. However, even after more than a decade of commercialization, cyber-insurance products remain underutilized. Here, we argue that the demand-side problem with cyber insurance is deeper than the supply-side problem. Moreover, unless the former is addressed, it is unlikely to correct itself naturally over time.

We further highlight the difference between the way a cyber-insurance contract is structured and the way it is used by IT managers, exploring the decisions behind a disclosure and an indemnity claim of a breach. We differentiate the types of breach based on the way they affect firms. We also explain how they might alter the contract-intended claiming behavior of IT managers. When insurers are unaware of such off-contract behavior or choose to not incorporate such behavior in pricing their offerings, information asymmetry prevails in cyber-insurance contracts. The result is an overpriced cyber-insurance contract and less risk being transferred.
Disclosure and Claim of a Realized Breach
With the help of an event study, H. Cavusoglu et al.[6] showed that publicly disclosed IT security breaches reduce breached firms’ stock prices, at least in the short term, because breaches convey questionable health of an IT security program to stakeholders, who then downgrade their risk perception of the firm. Elsewhere, K. Campbell et al.[5] showed that investors discriminate against the type of breach in valuing a breach’s economic effect. It is not surprising that the CSI/FBI computer crime and security survey[8] found that only a fraction of the realized breaches are publicly disclosed. Firms apparently use discretion in disclosing realized breaches, depending on the requirements of legal compliance, types of breach, professional norms, and accounting materiality.
Suppose there is no regulatory requirement for disclosure. When a firm lacks cyber-insurance coverage, the information flow regarding a realized breach remains strictly internal to the firm (see Figure 1). On the other hand, if the firm has a cyber-insurance contract in place, it is able to claim its losses from a breach, but the claiming process involves additional external organizations. The increased information flow through external firms greatly affects the firm’s ability to keep breach information private. Integrating these ideas with insight from H. Cavusoglu et al.[6] and K. Campbell et al.,[5] consider the following observations about claiming indemnity from IT security breaches:
The grapevine. Word of an undisclosed breach can reach stakeholders indirectly via interorganizational grapevines and independent analysts;

Stakeholder perception. As a subsequent effect of the breach, a firm may also suffer secondary loss in terms of reduced stakeholder (investors and customers) valuation; and

Managers’ decisions. Because breach information might trigger further secondary losses, IT managers’ decisions (whether or not to file a claim) depend on the primary and secondary losses, as weighed against the contract’s potential indemnity payout.
Breaches and Losses
Because the process of reclamation through cyber-insurance contracts involves compromise, post-breach definitions are pertinent, starting with the breach:

Symptomatic. A breach is symptomatic when a firm is breached through exploitation of firm-specific vulnerabilities (such as hackers in 2005 accessing the T.J. Maxx stores database of customer credit and debit card information, an exploitation of the vul-
[Figure 1. Information flow in a cyber-insurance claim process. Actors inside the victim firm: IT security (CISO), IS management (CIO), accounting/finance, corporate risk management, PR and/or legal. External actors: IT assessor/adjuster, insurer. Steps as labeled in the figure: 1. notify incident; 2. disclose incident?; 3. report event assessment; 4a. report loss; 4b. file claim; 5. instruct to adjust claim; 6. adjust/audit; 7. report adjusted claim; 8. pay/close claim.]