Cyber insurance

Last updated

Cyber insurance is a specialty insurance product intended to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies or at least are not specifically defined in traditional insurance products. Coverage provided by cyber-insurance policies may include first and third parties coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security-audit, post-incident public relations and investigative expenses, and criminal reward funds.

Contents

Advantages

Because the cyber insurance market in many countries is relatively small compared to other insurance products, its overall impact on emerging cyber threats is difficult to quantify. [1] As the impact to people and businesses from cyber threats is also relatively broad when compared to the scope of protection provided by insurance products, insurance companies continue to develop their services.

As insurers payout on cyber-losses, and as cyber threats develop and change, insurance products are increasingly being purchased alongside existing IT security services. Indeed, the underwriting criteria for insurers to offer cyber-insurance products are also early in development, and underwriters are actively partnering with IT security companies to develop their products.

As well as directly improving security, cyber insurance is enormously beneficial in the event of a large-scale security breach. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance. [2]

As a side benefit, many cyber-insurance policies require entities attempting to procure cyber insurance policies to participate in an IT security audit before the insurance carrier will bind the policy. This will help companies determine their current vulnerabilities and allow the insurance carrier to gauge the risk they are taking on by offering the policy to the entity. By completing the IT security audit the entity procuring the policy will be required, in some cases, to make necessary improvements to their IT security vulnerabilities before the cyber-insurance policy can be procured. This will in-turn help reduce risk of cyber crime against the company procuring cyber insurance. [3]

Finally, insurance allows cyber-security risks to be distributed fairly, with the cost of premiums commensurate with the size of expected loss from such risks. This avoids potentially dangerous concentrations of risk while also preventing free-riding.

Disadvantages

Information Technology is an inherent facet of virtually all modern businesses, the requirement for a separate product only exists because of a deliberate scoping exercise which has excluded theft and damage associated with modern technologies from the existing product lines.

Bruce Schneier [4] has postulated that existing insurance practices tend to follow either the "Flood or Fire" model [5] however Cyber events don't appear to be modeled by either of these event types, this has led to the situation where the scope of Cyber Insurance is further restricted to decrease the risk to the underwriters. Compounding this is a paucity of data relating to actual damage correlated with the type of event, a lack of standards associated with the classification of events, and a lack of evidence associated with the efficacy of "Industry best practices". [6]

Insurance relies upon sound actuarial data against a largely static background of risk. Given that these don't exist at present it is unlikely that either the buyers of these products will achieve the value outcomes that they desire. This view of the market is reflected in the current market state where standard exclusions result in a situation where "An insurer could argue they apply to almost any data breach". [7]

According to Josephine Wolff, cyber insurance has been "ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite—to disincentivize such payments to make ransomware less profitable." [8]

History

According to Josephine Wolff’s research into the history of cyber insurance, its origins trace back to an April 1997 International Risk Insurance Management Society convention at which Steven Haase presented the launch of the first cyber insurance product, including first and third party coverages. [9] [10] [11] Haase first came up with the concept of cyber insurance a few years earlier and had discussed it with various industry colleagues at times, but this 1997 event marked a breakthrough moment when the first cyber insurance policy and underwriting platform were actually launched. The event resulted in the creation of the first policy designed to focus on the risks of internet commerce, which was the Internet Security Liability (ISL) policy, developed by Haase and underwritten by AIG. [12] Around this same time, in 1999, David Walsh founded CFC Underwriting in the United Kingdom, a company which treats cyber as one of its main focus areas. [13] [14] Chris Cotterell founded Safeonline around the same time, which soon became another significant player in the cyber insurance space. [15] [16] The early meeting between Haase and 20 industry colleagues in Hawaii is now commonly referred to as the “Breach on the Beach” and is considered a pivotal moment at which cyber insurance was first recognized and celebrated. [17] [18]

Early works in the 1990s focused on the general merits of cyber-insurance. In the late 1990s, when the business perspective of information security became more prominent, visions of cyber-insurance as a risk management tool were formulated. Although its roots in the 1980s looked promising, battered by events such as Y2K and the 9/11 attacks, the market for cyber-insurance failed to thrive and remained in a niche for unusual demands. Coverage is tightly limited, and clients include SMBs (small and medium businesses) in need of insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations.

If not the first, at least one of the first, cyber liability policies as we now call them was developed for the Lloyd's of London market in 2000. The policy was spearheaded by Keith Daniels and Rob Hamesfahr then attorneys with the Chicago, IL law firm of Blatt, Hammesfahr & Eaton. Working closely with Ian Hacker, then a Lloyd's underwriter, and Ted Doolittle and Kinsey Carpenter, then brokers with Kinsey Carpenter, a San Francisco, CA insurance broker, the policy provided third-party coverage along with business interruption coverage. In those early days, it was thought that a big risk would be for a company to negligently transmit a virus that could infect other companies' systems who would then bring suit against the original company as well as business interruption. The policy was one of the first, as well, to include first-party and third-party coverages in the same form. While such errors & omissions have likely happened, suits against organizations on this basis have proven to be rare. The focus of forms that have developed since 2000 has been on business interruption, payment of fines and penalties, credit monitoring costs, public relations costs, and the cost of restoring or rebuilding private data, and they continue to expand and evolve today. Also, technology errors & omissions policies are now sold with third-party coverage to organizations, such as programmers and technology installers who could get sued if their advice or product fails to be satisfactory to their clients. Other early entrants to the cyber market included American International Group (AIG) and Chubb. Today, more than 80 companies are competing in the cyber market.

Even a 2002 conservative forecast, which predicted a global market for cyber-insurance worth $2.5 billion in 2005, turned out to be five times higher than the size of the market in 2008. [19] Overall, in relative terms, the market for cyber-insurance shrank as the Internet economy grew.

Recent history shows that the purchase of cyber insurance has increased due to the rise in internet-based attacks, such as ransomware attacks. Government Accountability Office, "Insurance clients are opting in for cyber coverage—up from 26% in 2016 to 47% in 2020. At the same time, U.S. insurance entities saw the costs of cyberattacks nearly double between 2016 and 2019. As a result, insurance premiums also saw major increases." [20]

In practice, several obstacles have prevented the market for cyber-insurance from achieving maturity; absence of reliable actuarial data to compute insurance premiums, lack of awareness among decision-makers contributing to too little demand, as well as legal and procedural hurdles have been identified in the first generation" of cyber-insurance literature until about 2005. [21] The latter aspect may cause frustration when claiming compensation for damages. Furthermore, entities considering cyber-insurance must undergo a series of often invasive security evaluation procedures, revealing their IT infrastructures and policies. Meanwhile, witnessing thousands of vulnerabilities, millions of attacks, and substantial improvement in defining security standards and computer forensics calls into question the validity of these factors to causally explain the lack of an insurance market.[ verification needed ]

Types

Current need

The infrastructure, the users, and the services offered on computer networks today are all subject to a wide variety of risks posed by threats that include distributed denial of service attacks, intrusions of various kinds, eavesdropping, [22] [23] hacking, [24] phishing, worms, viruses, spams, etc. In order to counter the risk posed by these threats, network users have traditionally resorted to antivirus and anti-spam software, firewalls, intrusion-detection systems (IDSs), and other add-ons to reduce the likelihood of being affected by threats. In practice, a large industry (companies like Symantec, McAfee, etc.) as well as considerable research efforts are currently centered around developing and deploying tools and techniques to detect threats and anomalies in order to protect the cyber infrastructure and its users from the resulting negative impact of the anomalies.

Despite improvements in risk protection techniques over the last decade due to hardware, software, and cryptographic methodologies, it is impossible to achieve perfect/near-perfect cyber-security protection. The impossibility arises due to a number of reasons: [25]

Given the above-mentioned inevitable barriers to near 100% risk mitigation, the need arises for alternative methods for risk management in cyberspace. To highlight the importance of improving the current state of cyber-security, US President Barack Obama issued a cyber-security executive order in February 2013 [26] that emphasizes the need to reduce cyber-threats and be resilient to them. In this regard, some security researchers in the recent past have identified cyber-insurance as a potential tool for effective risk management.

Cyber-insurance is a risk management technique via which network user risks are transferred to an insurance company, in return for a fee, i.e., the insurance premium. Examples of potential cyber-insurers might include ISP, cloud provider, traditional insurance organizations. Proponents of cyber-insurance believe that cyber-insurance would lead to the design of insurance contracts that would shift appropriate amounts of self-defense liability to the clients, thereby making the cyberspace more robust. Here the term ‘self-defense' implies the efforts by a network user to secure their system through technical solutions such as anti-virus and anti-spam software, firewalls, using secure operating systems, etc. Cyber-insurance has also the potential to be a market solution that can align with economic incentives of cyber-insurers, users (individuals/organizations), policymakers, and security software vendors. i.e., the cyber-insurers will earn profit from appropriately pricing premiums, network users will seek to hedge potential losses by jointly buying insurance and investing in self-defense mechanisms, policymakers would ensure the increase in overall network security, and the security software vendors could experience an increase in their product sales via forming alliances with cyber-insurers. [27]

A key area to manage risk is to establish what is an acceptable risk for each organization or what is 'reasonable security' for their specific working environment. Practicing 'duty of care' helps protect all interested parties - executives, regulators, judges, the public who can be affected by those risks. The Duty of Care Risk Analysis Standard (DoCRA) [28] provides practices and principles to help balance compliance, security, and business objectives when developing security controls.

Legislation

In 2022, Kentucky and Maryland enacted insurance data security legislation based upon the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law (MDL-668). [29] Maryland's SB 207 [30] takes effect on October 1, 2023. Kentucky's House Bill 474 [31] goes into effect on January 1, 2023.

Existing issues

Consequently, during 2005, a “second generation" of cyber-insurance literature emerged targeting risk management of current cyber-networks. The authors of such literature link the market failure with fundamental properties of information technology, specially correlated risk information asymmetries between insurers and insureds, and inter-dependencies. [32]

Information asymmetry has a significant negative effect on most insurance environments, where typical considerations include inability to distinguish between users of different (high and low risk) types, i.e., the so-called adverse selection problem, as well as users undertaking actions that adversely affect loss probabilities after the insurance contract is signed, i.e., the so-called moral hazard problem. The challenge due to the interdependent and correlated nature of cyber-risks is particular to cyber-insurance and differentiates traditional insurance scenarios (e.g., car or health insurance) from the former. In a large distributed system such as the Internet, risks span a large set of nodes and are correlated. Thus, user investments in security to counter risks generate positive externalities for other users in the network. The aim of cyber-insurance here is to enable individual users to internalize the externalities in the network so that each user optimally invests in security solutions, thereby alleviating moral hazard and improving network security. In traditional insurance scenarios, the risk span is quite small (sometimes it spans only one or two entities) and uncorrelated, thus internalizing the externalities generated by user investments in safety, is much easier.

Ambiguities in terms

FM Global in 2019 conducted a survey of CFOs at companies with over $1 billion in turnover. The survey found that 71% of CFOs believed that their insurance provider would cover "most or all" of the losses their company would suffer in a cyber security attack or crime. Nevertheless, many of those CFOs reported that they expected damages related with cyber attacks that are not covered by typical cyber attack policies. Specifically, 50% of the CFOs mentioned that they anticipated after a cyber attack a devaluation of their company's brand while more than 30% expected a decline in revenue. [33]

War exclusion clauses

Like other insurance policies, cyber insurance typically includes a war exclusion clause - explicitly excluding damage from acts of war. While the majority of cyber insurance claims will relate to simple criminal behaviour, increasingly companies are likely to fall victim to cyberwarfare attacks by nation-states or terrorist organizations - whether specifically targeted or simply collateral damage. After the US and UK, governments characterized the NotPetya attack as a Russian military cyber-attack insurers are arguing that they do not cover such events. [34] [35] [36]

It is well known from market practice that cyber-insurance markets have not blossomed in terms of injected premium inflow as per its visionary potential. There is a big multi-billion-dollar supply demand gap indicating market failure in an economic sense. While policy and legal studies [37] have had a sound say in why that is the case, it is the field of mathematical modeling research that have formally established the fact on why it is so.

Examples of seminal modeling work studying the economic efficiency of non-accumulative cyber-risk covering cyber insurance markets include (i) Lelarge and Bolot, [38] (ii) Pal et al., [39] (iii) Pal et al., [40] (iv) Pal et al., [41] (v) Johnson et al., [42] and (vi) Shetty, et al. [43] These works first show the free-riding behavior of Internet users (primarily users and organizations) without the presence of cyber-insurance, and then study how insurance can reduce free-riding within a network of organizations.

The works by Lelarge and Bolot; and Shetty et al. present the benefits of cyber-insurance in incentivizing Internet users to invest appropriately in security. However, their works address restricted market types that only consider independent residual cyber-risks from various user sources arriving to cyber-insurers. Lelarge et al. do not model information asymmetry in their work. Although Shetty et al. prove that cyber-insurance markets are inefficient under conditions of information asymmetry, their results do not generally extend to settings where insured organizations are networked among each other. Johnson et al. discuss the role of the joint existence of self-insurance and market insurance on the adoption of the different types of insurance by users, but do not model the network of interdependent organizations. In most recent work, Pal et al. in a series of joint articles prove the inefficiency of cyber-insurance markets under conditions of partial information asymmetry and correlated risks and show the existence of efficient markets (both regulated and unregulated) under premium discrimination.

Recent work on mathematical cyber-risk modeling to study the market sustainability of covering aggregate cyber-risk by cyber (re-)insurers have been undertaken only by Pal et al. [44] [45] [46] Based on a series of rigorous modeling analysis on the dimensions of economics and statistics. they prove that only in the case of aggregating light-tailed and independently sourced cyber-risks (a practically less probable event) will efficient cyber-insurance markets be sustainable. In all other cases, cyber (re-)insurance markets will exist but will be largely inefficient with symptoms such as low premium injection, market for lemons, high supply demand gap, and few re-insurers. Information asymmetry between the insured and the insurance provider alongside the correlated nature of cyber-risks are the primary reasons for such market inefficiencies.

Cunningham, Pfleeger, [47] Pal, Liu et al., [48] and Liu et al. [49] computationally argue against the existence of sustainable cyber (re-)insurance markets under information asymmetry. The common message out of their study is that IT driven systems have too many vulnerabilities for computers to detect them (thereby eliminating information asymmetry) in practically feasible time - leave alone humans. While Cunningham logically argues for this problem to be Turing Undecidable, Pal et al., [50] and Liu et al., [51] are the first to formally prove that the problem is NP-Hard and derive an approximation solution to alleviate the information asymmetry problem. The results justify why the cyber (re-)insurance markets have been so sparse over the last decade.

Availability

As of 2014, 90% of the cyber-insurance premium volume was covering exposure in the United States. Although at least 50 insurance companies have cyber-insurance product offerings, the actual writing is concentrated within a group of five underwriters. Many insurance companies have been hesitant to enter this coverage market, as sound actuarial data for cyber exposure is non-existent. Hampering the development of this actuarial data is inadequate disclosure regarding cyber attacks by those affected. [52] After a significant malware incident in 2017, however, Reckitt Benckiser released information on how much the cyberattack would impact financial performance, leading some analysts to believe the trend is for companies to be more transparent with data from cyber incidents. [53]

With cyber insurance premiums expected to grow from around $2 billion in 2015 to an estimated $20 billion or more by 2025, insurers and reinsurers are continuing to refine underwriting requirements. Market immaturity and lack of standardization are two reasons why underwriting cyber products today make it an interesting place to be in the insurance world. Not only do you have an insurance marketplace that's trying to reach a standard and accommodate the needs of today's insured, but you also, at the same time, have a rapidly developing exposure landscape and capacity available.

Pricing

As of 2019, the average cost of cyber liability insurance in the United States was estimated to be $1,501 per year for $1 million in liability coverage, with a $10,000 deductible. [54] The average annual premium for a cyber liability limit of $500,000 with a $5,000 deductible was $1,146, and the average annual premium for a cyber liability limit of $250,000 with a $2,500 deductible was $739. [55] In addition to location, the main drivers of cost for cyber insurance include the type of business, the number of credit/debit card transactions performed, and the storage of sensitive personal information such as date of birth and Social Security numbers.

Related Research Articles

<span class="mw-page-title-main">Insurance</span> Equitable transfer of the risk of a loss, from one entity to another in exchange for payment

Insurance is a means of protection from financial loss in which, in exchange for a fee, a party agrees to compensate another party in the event of a certain loss, damage, or injury. It is a form of risk management, primarily used to protect against the risk of a contingent or uncertain loss.

Terrorism insurance is insurance purchased by property owners to cover their potential losses and liabilities that might occur due to terrorist activities.

Title insurance is a form of indemnity insurance, predominantly found in the United States and Canada, that insures against financial loss from defects in title to real property and from the invalidity or unenforceability of mortgage loans. Unlike some land registration systems in countries outside the United States, US states' recorders of deeds generally do not guarantee indefeasible title to those recorded titles. Title insurance will defend against a lawsuit attacking the title or reimburse the insured for the actual monetary loss incurred up to the dollar amount of insurance provided by the policy.

<span class="mw-page-title-main">Vehicle insurance</span> Insurance for road vehicles

Vehicle insurance is insurance for cars, trucks, motorcycles, and other road vehicles. Its primary use is to provide financial protection against physical damage or bodily injury resulting from traffic collisions and against liability that could also arise from incidents in a vehicle. Vehicle insurance may additionally offer financial protection against theft of the vehicle, and against damage to the vehicle sustained from events other than traffic collisions, such as vandalism, weather or natural disasters, and damage sustained by colliding with stationary objects. The specific terms of vehicle insurance vary with legal regulations in each region.

<span class="mw-page-title-main">Reinsurance</span> Insurance purchased by an insurance company

Reinsurance is insurance that an insurance company purchases from another insurance company to insulate itself from the risk of a major claims event. With reinsurance, the company passes on ("cedes") some part of its own insurance liabilities to the other insurance company. The company that purchases the reinsurance policy is referred to as the "ceding company" or "cedent". The company issuing the reinsurance policy is referred to as the "reinsurer". In the classic case, reinsurance allows insurance companies to remain solvent after major claims events, such as major disasters like hurricanes or wildfires. In addition to its basic role in risk management, reinsurance is sometimes used to reduce the ceding company's capital requirements, or for tax mitigation or other purposes.

Home insurance, also commonly called homeowner's insurance, is a type of property insurance that covers a private residence. It is an insurance policy that combines various personal insurance protections, which can include losses occurring to one's home, its contents, loss of use, or loss of other personal possessions of the homeowner, as well as liability insurance for accidents that may happen at the home or at the hands of the homeowner within the policy territory.

Underwriting (UW) services are provided by some large financial institutions, such as banks, insurance companies and investment houses, whereby they guarantee payment in case of damage or financial loss and accept the financial risk for liability arising from such guarantee. An underwriting arrangement may be created in a number of situations including insurance, issues of security in a public offering, and bank lending, among others. The person or institution that agrees to sell a minimum number of securities of the company for commission is called the underwriter.

<span class="mw-page-title-main">General insurance</span> Non-life insurance policies

General insurance or non-life insurance policy, including automobile and homeowners policies, provide payments depending on the loss from a particular financial event. General insurance is typically defined as any insurance that is not determined to be life insurance. It is called property and casualty insurance in the United States and Canada and non-life insurance in Continental Europe.

<span class="mw-page-title-main">Terrorism Risk Insurance Act</span>

The Terrorism Risk Insurance Act (TRIA) is a United States federal law signed into law by President George W. Bush on November 26, 2002. The Act created a federal "backstop" for insurance claims related to acts of terrorism. The Act "provides for a transparent system of shared public and private compensation for insured losses resulting from acts of terrorism." The Act was originally set to expire December 31, 2005, was extended for two years in December 2005, and was extended again on December 26, 2007. The Terrorism Risk Insurance Program Reauthorization Act expired on December 31, 2014.

Liability insurance is a part of the general insurance system of risk financing to protect the purchaser from the risks of liabilities imposed by lawsuits and similar claims and protects the insured if the purchaser is sued for claims that come within the coverage of the insurance policy.

Directors and officers liability insurance is liability insurance payable to the directors and officers of a company, or to the organization itself, as indemnification (reimbursement) for losses or advancement of defense costs in the event an insured suffers such a loss as a result of a legal action brought for alleged wrongful acts in their capacity as directors and officers. Such coverage may extend to defense costs arising from criminal and regulatory investigations or trials as well; in fact, often civil and criminal actions are brought against directors and officers simultaneously. Intentional illegal acts, however, are typically not covered under D&O policies.

The liability insurance crisis in the United States of America refers to a volatile economic period during the mid-1980s. During these years, until about 1990, rising insurance premiums and an unavailability of coverage for several types of liability insurance led to a crisis that has been attributed, among others, to the expansion of tort doctrines for insurer liability and the McCarran-Ferguson exemption from antitrust laws.

Australia's insurance market can be divided into roughly three components: life insurance, general insurance and health insurance. These markets are fairly distinct, with most larger insurers focusing on only one type, although in recent times several of these companies have broadened their scope into more general financial services, and have faced competition from banks and subsidiaries of foreign financial conglomerates. With services such as disability insurance, income protection and even funeral insurance, these insurance giants are stepping in to fill the gap where people may have otherwise been in need of a personal or signature loan from their financial institution.

Auto insurance risk selection is the process by which vehicle insurers determine whether or not to insure an individual and what insurance premium to charge. Depending on the jurisdiction, the insurance premium can be either mandated by the government or determined by the insurance company in accordance to a framework of regulations set by the government. Often, the insurer will have more freedom to set the price on physical damage coverages than on mandatory liability coverages.

Professional liability insurance (PLI), also called professional indemnity insurance (PII) but more commonly known as errors & omissions (E&O) in the US, is a form of liability insurance which helps protect professional advising, consulting, and service-providing individuals and companies from bearing the full cost of defending against a negligence claim made by a client in a civil lawsuit. The coverage focuses on alleged failure to perform on the part of, financial loss caused by, and error or omission in the service or product sold by the policyholder. These are causes for legal action that would not be covered by a more general liability insurance policy which addresses more direct forms of harm. Professional liability insurance may take on different forms and names depending on the profession, especially medical and legal, and is sometimes required under contract by other businesses that are the beneficiaries of the advice or service.

Insurance in the United States refers to the market for risk in the United States, the world's largest insurance market by premium volume. According to Swiss Re, of the $6.782 trillion of global direct premiums written worldwide in 2022, $2.959 trillion (43.6%) were written in the United States.

Satellite insurance is a specialized branch of aviation insurance in which, as of 2000, about 20 insurers worldwide participate directly. Others participate through reinsurance contracts with direct providers. It covers three risks: relaunching the satellite if the launch operation fails; replacing the satellite if it is destroyed, positioned in an improper orbit, or fails in orbit; and liability for damage to third parties caused by the satellite or the launch vehicle.

An insurance-linked security (ILS) is a financial instrument whose value is driven by insurance loss events. Those such instruments that are linked to property losses due to natural catastrophes represent a unique asset class, the return from which is uncorrelated with that of the general financial market.

Legal protection insurance (LPI), also known as legal expenses insurance (LEI) or simply legal insurance, is a particular class of insurance which facilitates access to law and justice by providing legal advice and covering the legal costs of a dispute, regardless of whether the case is brought by or against the policyholder. Depending on the national rules, legal protection insurers can also represent the policyholder out-of-court or even in-court.

Vehicle insurance in the United States is designed to cover the risk of financial liability or the loss of a motor vehicle that the owner may face if their vehicle is involved in a collision that results in property or physical damage. Most states require a motor vehicle owner to carry some minimum level of liability insurance. States that do not require the vehicle owner to carry car insurance include Virginia, where an uninsured motor vehicle fee may be paid to the state, New Hampshire, and Mississippi, which offers vehicle owners the option to post cash bonds. The privileges and immunities clause of Article IV of the U.S. Constitution protects the rights of citizens in each respective state when traveling to another. A motor vehicle owner typically pays insurers a monthly or yearly fee, often called an insurance premium. The insurance premium a motor vehicle owner pays is usually determined by a variety of factors including the type of covered vehicle, marital status, credit score, whether the driver rents or owns a home, the age and gender of any covered drivers, their driving history, and the location where the vehicle is primarily driven and stored. Most insurance companies will increase insurance premium rates based on these factors and offer discounts less frequently.

References

  1. Toregas, Costis. "Insurance for Cyber Attacks: The Issue of Setting Premiums in Context" (PDF). Archived (PDF) from the original on 2020-07-27.
  2. BIGS (2017)
  3. Tsohou, Aggeliki; Diamantopoulou, Vasiliki; Gritzalis, Stefanos; Lambrinoudakis, Costas (2023-06-01). "Cyber insurance: state of the art, trends and future directions". International Journal of Information Security. 22 (3): 737–748. doi:10.1007/s10207-023-00660-8. ISSN   1615-5270. PMC   9841933 . PMID   36684688.
  4. "Schneier on Security". www.schneier.com. Retrieved 2022-07-19.
  5. "Cybersecurity Insurance - Schneier on Security".
  6. Wolff, Josephine. "Cyberinsurance Tries to Tackle the Unpredictable World of Hacks". Wired.
  7. "Insurer cites cyber policy exclusion to dispute data breach settlement".
  8. Wolff, Josephine (2022). Cyberinsurance policy : rethinking risk in an age of ransomware, computer fraud, data breaches, and cyberattacks. MIT Press. ISBN   978-0-262-37075-2. OCLC   1334725282.
  9. Wolff, Josephine (August 30, 2022). "A Brief History of Cyberinsurance". Slate. Retrieved September 29, 2024.
  10. Williams, Carl (June 7, 2024). "How Steven Haase Pioneered Cyber Insurance and Shaped an Industry". Tech Times. Retrieved September 29, 2024.
  11. Szczepanski, Kevin (March 2, 2022). "Barclay Damon Live Presents: The Cyber Sip Podcast, Episode 8: State of the Market – Cybersecurity Insurance, With Kelly Geary" (PDF). Barclay Damon. Retrieved September 29, 2024.
  12. Wolff, Josephine (August 30, 2022). "A Brief History of Cyberinsurance". Slate. Retrieved September 29, 2024.
  13. Gagan, Mark (January 18, 2022). "The Voice of Insurance Podcast, Episode 107: David Walsh and Graeme Newman of CFC Underwriting: Build Your Own". PodBean. Retrieved September 29, 2024.
  14. Frost, Jen (November 29, 2023). "CFC CEOs Newman and Walsh to depart after Lloyd's investigation". Insurance Business Magazine. Retrieved September 29, 2024.
  15. Bronson, Caitlin (April 23, 2015). "Five minutes with…Chris Cotterell, Safeonline LLP". Insurance Business Magazine. Retrieved September 29, 2024.
  16. "SafeOnline". Business Insurance Magazine. Retrieved September 29, 2024.
  17. Wolff, Josephine (2022). Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyber Attacks; Chapter 2 - Breach on the Beach. Cambridge, MA, USA: MIT Press. pp. 27–30.
  18. Wolff, Josephine (August 30, 2022). "A Brief History of Cyberinsurance". Slate. Retrieved September 29, 2024.
  19. Kesan, Jay P.; Majuca, Ruperto P.; Yurcik, William J. "The Economic Case for Cyberinsurance". Workshop on the Economics of Information Security (WEIS), 2004.
  20. Office, U. S. Government Accountability (2023-09-27). "Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability | U.S. GAO". www.gao.gov. Retrieved 2024-01-30.
  21. Johnson, Benjamin; Böhme, Rainer; Grossklags, Jens. "Security Games with Market Insurance". In Proceedings of GameSec, 2011.
  22. "Network Eavesdropping Attacks and How They Work". Cybersecurity Risks for Businesses. Retrieved July 31, 2023.
  23. "Network Eavesdropping - OWASP". Archived from the original on 2014-12-05. Retrieved 2014-12-30.
  24. Morriss, Sean (6 January 2015). "Is Your Business Vulnerable to these Cyber Threats?". Archived from the original on 11 March 2015. Retrieved 2 February 2015.
  25. Anderson, Ross; Moore, Tyler. "The economics of information security: A survey and open questions". Proceedings of 5th International Symposium on Human Aspects of Information Security & Assurance.
  26. "Executive Order -- Improving Critical Infrastructure Cybersecurity". Obama Whitehouse Archives. 12 February 2013. Retrieved 11 April 2019.
  27. Pal, Ranjan; Golubchik, Leana; Psounis, Konstantinos; Hui, Pan (2014). "Will Cyber-Insurance Improve Network Security: A Market Analysis". Proceedings of IEEE INFOCOM.
  28. "Duty of Care Risk Analysis Standard". The DoCRA Council. Archived from the original on 2018-08-14.
  29. NAIC. "INSURANCE DATA SECURITY MODEL LAW" (PDF). NAIC.
  30. "Maryland Senate Bill 207". LegiScan.
  31. "House Bill 474". Kentucky General Assembly.
  32. Schwartz, Galina; Bohme, Rainer. "Modeling Cyber-Insurance". In Proceedings of WEIS, 2010.
  33. Global, F. M. (30 July 2019). "Cyber insurance may create false sense of security among senior financial executives at world's top companies, suggests FM Global survey". FM Global. Archived from the original on 2020-09-20.
  34. Satariano, Adam (15 April 2019). "Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong". New York Times. Retrieved 25 April 2019.
  35. Osborne, Charlie (11 January 2019). "NotPetya an 'act of war,' cyber insurance firm taken to task for refusing to pay out". ZDNet. Retrieved 25 April 2019.
  36. Menapace, Michael (10 March 2019). "Losses From Malware May Not Be Covered Due To Your Policy's Hostile Acts Exclusion". The National Law Review. Retrieved 25 April 2019.
  37. Wolff, Josephine. Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks.
  38. Lelarge, Marc; Bolot, Jean (2009). "Economic Incentives to Increase Security in the Internet: The Case for Insurance". IEEE Infocom 2009. pp. 1494–1502. doi:10.1109/INFCOM.2009.5062066. ISBN   978-1-4244-3512-8. S2CID   9520569.
  39. Pal, Ranjan; Golubchik, Leana; Psounis, Konstantinos; Hui, Pan (2014). "Will Cyber-Insurance Improve Network Security: A Market Analysis". Proceedings of IEEE INFOCOM.
  40. Pal, Ranjan; Golubchik, Leana (2010). "Analyzing Self-Defense Investments in Internet Security under Cyber-Insurance Coverage". Proceedings of the IEEE International Conference on Distributed Computing Systems.
  41. Pal, Ranjan; Golubchik, Leana; Psounis, Konstantinos; Hui, Pan (2018). "Improving Cyber-Security via Profitable Insurance Markets". ACM SIGMETRICS Performance Evaluation Review. 45 (4): 7–15. doi:10.1145/3273996.3273999. S2CID   43919975.
  42. Johnson, Benjamin; Böhme, Rainer; Grossklags, Jens (2011). "Security Games with Market Insurance". Decision and Game Theory for Security. Lecture Notes in Computer Science. Vol. 7037. pp. 117–130. doi:10.1007/978-3-642-25280-8_11. ISBN   978-3-642-25279-2.
  43. Shetty, Nikhil; Schwartz, Galina; Walrand, Jean (2010). "Can Competitive Insurers Improve Network Security?". Trust and Trustworthy Computing. Lecture Notes in Computer Science. Vol. 6101. pp. 308–322. doi:10.1007/978-3-642-13869-0_23. ISBN   978-3-642-13868-3.
  44. Pal, Ranjan; Psounis, Konstantinos; Crowcroft, Jon; Kelly, Frank; Hui, Pan; Tarkoma, Sasu; Kumar, Abhishek; Kelly, John; Chatterjee, Aritra; Golubchik, Leana; Sastry, Nishanth; Nag, Bodhibrata (2020). "When Are Cyber Blackouts in Modern Service Networks Likely?: A Network Oblivious Theory on Cyber (Re)Insurance Feasibility". ACM Transactions on Management Information Systems. doi:10.1145/3386159. hdl: 10138/318422 . S2CID   218517399.
  45. Pal, Ranjan; Huang, Ziyuan (2021). "Will Catastrophic Cyber-Risk Aggregation Thrive in the IoT Age? A Cautionary Economics Tale for (Re-)Insurers and Likes". ACM Transactions on Management Information Systems. 12 (2): 1–36. doi: 10.1145/3446635 . S2CID   235649675.
  46. Pal, Ranjan; Huang, Ziyuan; Yin, Xinlong (2021). Interoperability of Heterogeneous IoT Platforms. Internet of Things. doi:10.1007/978-3-030-82446-4. ISBN   978-3-030-82445-7. S2CID   245119168.
  47. Pfleeger, Shari; Cunningham, Robert (2010). "Why Measuring Security Is Hard". IEEE Security & Privacy. 8 (4): 46–54. doi:10.1109/MSP.2010.60. S2CID   10893419.
  48. Pal, Ranjan; Liu, Peihan; Lu, Taoan; Hua, Edward (2022). "How Hard is Cyber-Risk Management in IT/OT Systems? A Theory to Classify and Conquer Hardness of Insuring ICSs". ACM Transactions on Cyber-Physical Systems. 6 (4): 1–31. doi: 10.1145/3568399 . S2CID   252920065.
  49. Pal, Ranjan; Lu, Taoan; Liu, Peihan; Xinlong, Yin (2021). "CYBER (RE-)INSURANCE POLICY WRITING IS NP-HARD IN IOT SOCIETIES". Proceedings of IEEE Winter Simulation Conference.
  50. Pal, Ranjan; Liu, Peihan; Lu, Taoan; Hua, Edward (2022). "How Hard is Cyber-Risk Management in IT/OT Systems? A Theory to Classify and Conquer Hardness of Insuring ICSs". ACM Transactions on Cyber-Physical Systems. 6 (4): 1–31. doi: 10.1145/3568399 . S2CID   252920065.
  51. Pal, Ranjan; Lu, Taoan; Liu, Peihan; Xinlong, Yin (2021). "CYBER (RE-)INSURANCE POLICY WRITING IS NP-HARD IN IOT SOCIETIES". Proceedings of IEEE Winter Simulation Conference.
  52. Veysey, Sarah (June 10, 2015). "Data scarce for insurers covering cyber risks" . Cyber Insurance. Retrieved June 11, 2015.
  53. Daneshkhu, Scheherazade. "Reckitt seeks to quantify havoc of malware attack". Financial Times. No. 7 July 2017. Retrieved 24 August 2017.
  54. Lerner, Matthew (September 19, 2019). "Average costs of cyber liability insurance studied". Business Insurance. Retrieved January 7, 2021.
  55. Mak, Adrian (September 17, 2019). "Average Cost of Cyber Insurance". AdvisorSmith. Retrieved January 7, 2021.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.