Embracing and Controlling Risk Dependency in Cyber-Insurance Policy Underwriting
Published in: Journal of Cybersecurity, Volume 5, Issue 1 (2019). doi: 10.1093/cybsec/tyz010
Posted on RAND.org on January 14, 2020
This article highlights how cyber risk dependencies can be taken into consideration when underwriting cyber-insurance policies. This is done within the context of a base rate insurance policy framework, which is widely used in practice. Specifically, we show that there is an opportunity for an underwriter to better control the risk dependency and the risk spill-over, ultimately resulting in lower overall cyber risks across its portfolio. To do so, we consider a Service Provider (SP) and its customers as the interdependent insurer's customers: a data breach suffered by the SP can cause business interruption to its customers. In underwriting both the SP and its customers, we show that the insurer can increase its profit by incentivizing the SP (through a discount on its premium) to invest more in security, thereby decreasing the chance of business interruption to the customers, and increasing social welfare. For comparison, we also consider a scenario where the insurer underwrites only the SP's customers (but not the SP), and receives compensation from the SP's insurance carrier when losses are attributed to the SP. We show how the insurer's best strategy is to underwrite both the SP and its customers. We use an actual cyber-insurance policy and claims data to calibrate and substantiate our analytical findings.