Content Analysis of Cyber Insurance Policies

How do carriers write policies and price cyber risk?

by Sasha Romanosky, Lillian Ablon, Andreas Kuehn, Therese Jones

Download eBook for Free

FormatFile SizeNotes
PDF file 0.4 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Data breaches and security incidents have become commonplace, with thousands occurring each year and some costing hundreds of millions of dollars. Consequently, the market for insuring against these losses (aka cyber insurance) has grown rapidly in the past decade. However, very little is known about these policies and the mechanisms behind the risk assessments. While there exists much theoretical literature about cyber insurance, very little practical information is publicly available. For example, what losses are actually covered by cyber insurance policies, and what are the exclusions? What factors are used to compute the premiums, and how do existing underwriting approaches reflect the technical rate of risk? In this research, we collect and analyze over 100 cyber insurance policies filed with state insurance commissioners. By analyzing these policies, we provide the first-ever analysis of the underwriting process for cyber insurance and uncover how insurance companies understand and price cyber risks.

This research was conducted by RAND Justice, Infrastructure, and Environment.

This report is part of the RAND Corporation working paper series. RAND working papers are intended to share researchers' latest findings and to solicit informal peer review. They have been approved for circulation by RAND but may not have been formally edited or peer reviewed.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.