What Is Cyber Insurance? May 2024

[Insu_agent]

What is Cyber-Insurance?

Cyber-insurance is an insurance product used to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies. Coverages provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.

The Benefits of Cyber-Insurance

Cyber-insurance increases cyber-security by encouraging the adoption of best practices. Insurers will require a level of security as a precondition of coverage, and companies adopting better security practices often receive lower insurance rates. This helps companies to internalize both the benefits of good security and the costs of poor security, which in turn leads to greater investment and improvements in cyber-security.

The security requirements used by cyber-insurers are also helpful. With widespread take-up of insurance, these requirements become de facto standards, while still being quick to update as necessary. Since insurers will be required to pay out cyber-losses, they have a strong interest in greater security, and their requirements are continually increasing. As well as directly improving security, cyber-insurance is enormously beneficial in the event of a large-scale security incident. Insurance provides a smooth funding mechanism for recovery from major losses, helping to businesses to return to normal and reducing the need for government assistance. Finally, insurance allows cyber-security risks to be distributed fairly, with higher premiums for companies whose expected loss from such risks is greater. This avoids potentially dangerous concentration of risk while also preventing freeriding.

Advantages over Governmental Regulation

Cyber-insurance has a number of advantages over governmental regulation as a means for improving cyber-security. First and foremost, government standardsetting is simply not suitable for a rapidly evolving area such as cyber security.

Standards produced by organized bodies are based on compromise, and government involvement in the process stifles innovation further. Closely related to this is the threat of regulatory capture attendant with any system of governmental regulation.

Positive reinforcement is generally the more effective behavior modification technique, as individuals naturally prefer reward to punishment. Fear of legal sanctions can force companies to maintain a set of minimum standards, as cyberinsurance does, but unlike cyber-insurance it does not provide any incentive to do better. Governmental regulation results in an emphasis on meeting basic minimum standards, whereas insurance results in companies striving to adopt – and improve upon – best practices. Finally, because the risk is global, United States regulations alone cannot effectively manage it. However, worldwide regulation is impractical because international organizations move even more slowly than national governments. Widespread use of cyber-insurance will produce better security than a system of governmental regulation and standardsetting.

Problems with the Market for Cyber-Insurance

Despite the benefits of cyber-insurance, the market for cyber-insurance is adversely affected by a number of problems.

First and foremost, insurers are afraid of a "cyber-hurricane‟ – a major disaster resulting in great number of claims. Cyber-hurricanes represent an uncertain risk of very large losses, and as such are very difficult for insurers to plan for. Because computer systems are interdependent and standardized, they tend to be especially vulnerable to correlated losses of this nature. This fear increases insurance premiums, because insurers naturally focus on worst-case estimates of the expected loss from such an event so that they can maintain underwriting profitability.

In addition, "cyber-hurricanes‟ raise a barrier to entry to the insurance market, because an insurer may be wiped out if a major event occurs before they have built up sufficient cash reserves. Prices for private market reinsurance for cyberinsurers is extremely high as the fear of a "cyber-hurricane" is felt most by the reinsurance community.

Second, because cyber-insurance is a relatively new area, insurers are hampered by a lack of actuarial data with which to calculate premiums. In addition to increasing price, a lack of data leads to problems with the risk analysis undertaken by companies when deciding whether insurance against a particular risk is worthwhile. A lack of data also makes cyberinsurance appear less desirable to companies, while simultaneously increasing the price of cyber-insurance. .