Cyber Insurance
Contents
Benefits of Cyber Insurance
With widespread take-up of insurance, these requirements become de facto standards, while still being quick to update as necessary. Since insurers will be required to pay out cyber-losses, they have a strong interest in greater security, and their requirements are continually increasing. As well as directly improving security, cyber-insurance is enormously beneficial in the event of a large-scale security incident. Insurance provides a smooth funding mechanism for recovery from major losses, helping to businesses to return to normal and reducing the need for government assistance. Finally, insurance allows cyber-security risks to be distributed fairly, with higher premiums for companies whose expected loss from such risks is greater. This avoids potentially dangerous concentration of risk while also preventing free-riding.
History
Early works in the 1990s focused on the general merits of Cyber Insurance, or protocols borrowed from digital cash to enable risk reallocation in distributed systems. In the late 1990s, when the business perspective of information security became more prominent, visions of cyber-insurance as risk management tool were formulated. Although its roots in the 1980s looked promising, battered by events such as Y2K and 9/11, the market for cyber-insurance failed to thrive and remained in a niche for unusual demands: coverage is tightly limited, and clients include SMBs (small and medium businesses) in need for insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations. Even a conservative forecast of 2002, which predicted a global market for cyber-insurance worth $2.5 billion in 2005, turned out to be five times higher than the size of the market in 2008 (three years later). Overall, in relative terms, the market for cyber insurance shrank as the Internet economy grew. In practice, a number of obstacles have prevented the market for Cyber Insurance from achieving maturity. Absence of reliable actuarial data to compute insurance premiums, lack of awareness among decision-makers contributing to too little demand, as well as legal and procedural hurdles have been identified in the first generation” of cyber insurance literature until about 2005. The latter aspect may cause frustration when claiming compensation for damages. Further, entities considering insurance must undergo a series of often invasive security evaluation procedures, revealing their IT infrastructures and policies. Meanwhile, witnessing thousands of vulnerabilities, millions of attacks, and substantial improvement in defining security standards and computer forensics calls into question the validity of these factors to causally explain the lack of an insurance market.
Current Need for Cyber Insurance.
The infrastructure, the users, and the services offered on computer networks today are all subject to a wide variety of risks posed by threats that include distributed denial of service attacks, intrusions of various kinds, eavesdropping, hacking, phishing, worms, viruses, spams, etc. In order to counter the risk posed by these threats, network users have traditionally resorted to antivirus, and anti-spam software, firewalls, intrusion-detection systems (IDSs), and other add-ons to reduce the likelihood of being affected by threats. In practice, a large industry (companies like Symantec, McAfee, etc.) as well as considerable research efforts are currently centered around developing and deploying tools and techniques to detect threats and anomalies in order to protect the cyber infrastructure and its users from the resulting negative impact of the anomalies.
In spite of improvements in risk protection techniques over the last decade due to hardware, software and cryptographic methodologies, it is impossible to achieve perfect/near-perfect cyber-security protection. The impossibility arises due to a number of reasons:
- Scarce existence of sound technical solutions.
- Difficulty in designing solutions catered to varied intentions behind network attacks.
- Misaligned incentives between network users, security product vendors, and regulatory authorities regarding protecting the network.
- Network users taking advantage of the positive security effects generated by other users’ investments in security, in turn themselves not investing in security and resulting in the free-riding problem.
- Customer lock-in and first mover effects of vulnerable security products.
- Difficulty to measure risks resulting in challenges to designing pertinent risk removal solutions.
- The problem of a lemons market, whereby security vendors have no incentive to release robust products in the market.
- Liability shell games played by product vendors.
- User naiveness in optimally exploiting feature benefits of technical solutions.
In view of the above-mentioned inevitable barriers to near 100% risk mitigation, the need arises for alternative methods for risk management in cyberspace. To highlight the importance of improving the current state of cyber-security, US President Barack Obama has passed a security bill in 2013 that emphasizes the need to reduce cyber-threats and be resilient to them. In this regard, some security researchers in the recent past have identified cyber-insurance as a potential tool for effective risk management.
Cyber Insurance is a risk management technique via which network user risks are transferred to an insurance company, in return for a fee, i.e., the insurance premium. Examples of potential cyber insurers might include ISP, cloud provider, traditional insurance organizations. Proponents of cyber insurance believe that cyber-insurance would lead to the design of insurance contracts that would shift appropriate amounts of self-defense liability to the clients, thereby making the cyberspace more robust. Here the term ‘self-defense’ implies the efforts by a network user to secure their system through technical solutions such as anti-virus and anti-spam software, firewalls, using secure operating systems, etc. cyber insurance has also the potential to be a market solution that can align with economic incentives of cyber insurers, users (individuals/organizations), policy makers, and security software vendors. i.e., the cyber insurers will earn profit from appropriately pricing premiums, network users will seek to hedge potential losses by jointly buying insurance and investing in self-defense mechanisms, policy makers would ensure the increase in overall network security, and the security software vendors could experience an increase in their product sales via forming alliances with cyber-insurers.
Existing Issues
Consequently, during 2005, a “second generation” of cyber insurance literature emerged targeting risk management of current cyber networks. The authors of such literature link the market failure with fundamental properties of information technology, specially correlated risk information asymmetries between insurers and insureds, and inter-dependencies.
Information asymmetry has a significant negative effect on most insurance environments, where typical considerations include inability to distinguish between users of different high and low risk types, the so-called adverse selection problem, as well as users undertaking actions that adversely affect loss probabilities after the insurance contract is signed, the so-called moral hazard problem. The challenge due to the interdependent and correlated nature of cyber risks is particular to cyber-insurance and differentiates traditional insurance scenarios car or health insurance) from the former. In a large distributed system such as the Internet, risks span a large set of nodes and are correlated. Thus, user investments in security to counter risks generate positive externalities for other users in the network. The aim of cyber-insurance here is to enable individual users to internalize the externalities in the network so that each user optimally invests in security solutions, thereby alleviating moral hazard and improving network security. In traditional insurance scenarios, the risk span is quite small (sometimes it spans only one or two entities) and uncorrelated, thus internalizing the externalities generated by user investments in safety, is much easier.