A Model to Analyze the Unfulfilled Promise of Cyber Insurance: The Impact of Secondary Loss

tridib@utdallas.edu • vijaym@utdallas.edu • rrao@utdallas.edu

Abstract

Firms often manage cyber risks first by investing in security technologies and then by purchasing cyber insurance to cover residual risk. However, despite the increasing dependence of firms on information assets, a mature market for cyber insurance is yet to emerge. Lack of actuarial data, market inexperience and accounting difficulties are widely cited as major reasons for the slow growth of cyber insurance products. Here, we consider another possible explanation: filing a cyber insurance claim for a previously undisclosed breach could constitute a tacit disclosure of the breach incident. Stakeholders use such information to adversely revise their risk perception about the firm, leading to a situation where an insured firm may avoid claiming losses incurred from a cyber attack. We develop a model that analyzes an insured firm’s optimal claim strategy when hit by a cyber attack. We show that this claim strategy influences the conditions for a viable market for cyber insurance products, and also explains why cyber insurance products could end up being unattractive to the target clientele. We also discuss the policy implications of our analytical findings.
