Cover: Embracing and Controlling Risk Dependency in Cyber-Insurance Policy Underwriting

Embracing and Controlling Risk Dependency in Cyber-Insurance Policy Underwriting

Published in: Journal of Cybersecurity, Volume 5, Issue 1 (2019). doi: 10.1093/cybsec/tyz010

Posted on Jan 14, 2020

by Mohammad Mahdi Khalili, Mingyan Liu, Sasha Romanosky

This article highlights how cyber risk dependencies can be taken into consideration when underwriting cyber-insurance policies. This is done within the context of a base rate insurance policy framework, which is widely used in practice. Specifically, we show that there is an opportunity for an underwriter to better control the risk dependency and the risk spill-over, ultimately resulting in lower overall cyber risks across its portfolio. To do so, we consider a Service Provider (SP) and its customers as the interdependent insurer's customers: a data breach suffered by the SP can cause business interruption to its customers. In underwriting both the SP and its customers, we show that the insurer can increase its profit by incentivizing the SP (through a discount on its premium) to invest more in security, thereby decreasing the chance of business interruption to the customers, and increasing social welfare. For comparison, we also consider a scenario where the insurer underwrites only the SP's customers (but not the SP), and receives compensation from the SP's insurance carrier when losses are attributed to the SP. We show how the insurer's best strategy is to underwrite both the SP and its customers. We use an actual cyber-insurance policy and claims data to calibrate and substantiate our analytical findings.

Research conducted by

This report is part of the RAND external publication series. Many RAND studies are published in peer-reviewed scholarly journals, as chapters in commercial books, or as documents published by other organizations.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.