User:The Computer Consigliere/Cyber insurance

Cyber insurance is a specialty lines insurance product intended to protect businesses, and individuals providing services for such businesses, from Internet-based risks, and more generally from risks relating to information technology infrastructure, information privacy, information governance liability, and activities related thereto. Risks of this nature are typically excluded from traditional commercial general liability policies or at least are not specifically defined in traditional insurance products. Coverage provided by cyber insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security-audit, post-incident public relations and investigative expenses, and criminal reward funds.

Advantages
Because the cyber insurance market in many countries is relatively small compared to other insurance products, its overall impact on emerging cyber threats is difficult to quantify. As the impact to people and businesses from cyber threats is also relatively broad when compared to the scope of protection provided by insurance products, insurance companies continue to develop their services.

As insurers payout on cyber losses, and as cyber threats develop and change, insurance products are increasingly being purchased alongside existing IT security services. Indeed, the underwriting criteria for insurers to offer cyber insurance products are also early in development, and underwriters are actively partnering with IT security companies to develop their products.

As well as directly improving security, cyber insurance is enormously beneficial in the event of a large-scale security breach. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance.

Finally, insurance allows cyber security risks to be distributed fairly, with the cost of premiums commensurate with the size of expected loss from such risks. This avoids potentially dangerous concentrations of risk while also preventing free-riding.

Disadvantages
Information Technology is an inherent facet of virtually all modern businesses, the requirement for a separate product only exists because of a deliberate scoping exercise which has excluded theft and damage associated with modern technologies from the existing product lines.

Bruce Schneier has postulated that existing insurance practices tend to follow either the "Flood or Fire" model however Cyber events don't appear to be modeled by either of these event types, this has led to the situation where the scope of Cyber Insurance is further restricted to decrease the risk to the underwriters. Compounding this is a paucity of data relating to actual damage correlated with the type of event, a lack of standards associated with the classification of events, and a lack of evidence associated with the efficacy of "Industry best practices".

Insurance relies upon sound actuarial data against a largely static background of risk. Given that these don't exist at present it is unlikely that either the buyers of these products will achieve the value outcomes that they desire. This view of the market is reflected in the current market state where standard exclusions result in a situation where "An insurer could argue they apply to almost any data breach".

History
Early works in the 1990s focused on the general merits of cyber insurance, or protocols borrowed from digital cash to enable risk reallocation in distributed systems. In the late 1990s, when the business perspective of information security became more prominent, visions of cyber insurance as a risk management tool were formulated. Although its roots in the 1980s looked promising, battered by events such as Y2K and the 9/11 attacks, the market for cyber insurance failed to thrive and remained in a niche for unusual demands. Coverage is tightly limited, and clients include SMBs (small and medium businesses) in need of insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations.

If not the first, at least one of the first, cyber liability policies as we now call them was developed for the Lloyd's of London market in 2000. The policy was spearheaded by Keith Daniels and Rob Hamesfahr then attorneys with the Chicago, IL law firm of Blatt, Hammesfahr & Eaton. Working closely with Ian Hacker, then a Lloyd's underwriter, and Ted Doolittle and Kinsey Carpenter, then brokers with Kinsey Carpenter, a San Francisco, CA insurance broker, the policy provided third-party coverage along with business interruption coverage. In those early days, it was thought that a big risk would be for a company to negligently transmit a virus that could infect other companies' systems who would then bring suit against the original company as well as business interruption. The policy was one of the first, as well, to include first-party and third-party coverages in the same form. While such errors & omissions have likely happened, suits against organizations on this basis have proven to be rare. The focus of forms that have developed since 2000 has been on business interruption, payment of fines and penalties, credit monitoring costs, public relations costs, and the cost of restoring or rebuilding private data, and they continue to expand and evolve today. Also, technology errors & omissions policies are now sold with third-party coverage to organizations, such as programmers and technology installers who could get sued if their advice or product fails to be satisfactory to their clients. Other early entrants to the cyber market included American International Group (AIG) and Chubb. Today, more than 80 companies are competing in the cyber market.

Even a 2002 conservative forecast, which predicted a global market for cyber insurance worth $2.5 billion in 2005, turned out to be five times higher than the size of the market in 2008. Overall, in relative terms, the market for cyber insurance shrank as the Internet economy grew. In practice, several obstacles have prevented the market for cyber insurance from achieving maturity; absence of reliable actuarial data to compute insurance premiums, lack of awareness among decision-makers contributing to too little demand, as well as legal and procedural hurdles have been identified in the first generation" of cyber insurance literature until about 2005.

The United States' Government Accountability Office completed a study in 2021 assessing the state of the cyber insurance market and found that while coverage rates had almost doubled between 2016 and 2020, the cost of coverage had risen significantly and coverage limits had reduced, specifically for healthcare and educational organizations. The study noted the lack of universal definitions for cyber terms and the lack of historical data as continued issues, and noted ransomware directly contributed to reductions in coverage limits or led to ransomware-specific clauses in policies.

Types

 * Identity Theft and Fraud. Covers destruction or loss of the policyholder’s data as the result of a criminal or fraudulent cyber event, including theft and transfer of funds.
 * Business interruption. Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.
 * Reputation. Insurance against reputation damage and cyber defamation.
 * Data Restoration. Covers expenses related with the restoration or recreation of data that were lost due to security or system failure.
 * Intellectual Property. Covers loss of intellectual property and trade secrets.
 * Hardware and Software Restoration. Covers physical damage to, or loss of use of, computer-related assets destroyed or damaged as the result of a cyber attack.
 * Credit Monitoring. Covers expenses for providing monitoring services for impacted organizations and individuals.
 * Litigation & Forensic Investigation. Covers the legal, technical, or forensic services necessary to assess whether a cyber attack has occurred, to assess the impact of the attack, and to mitigate further harm.

Current Need
The infrastructure, the users, and the services offered on computer networks today are all subject to a wide variety of risks posed by threats that include distributed denial of service attacks, intrusions of various kinds, eavesdropping, hacking, phishing, worms, viruses, spams, etc. In order to counter the risk posed by these threats, network users have traditionally resorted to antivirus and anti-spam software, firewalls, intrusion-detection systems (IDSs), and other add-ons to reduce the likelihood of being affected by threats. In practice, a large industry (companies like Symantec, McAfee, etc.) as well as considerable research efforts are currently centered around developing and deploying tools and techniques to detect threats and anomalies in order to protect the cyber infrastructure and its users from the resulting negative impact of the anomalies.

Despite improvements in risk protection techniques over the last decade due to hardware, software, and cryptographic methodologies, it is impossible to achieve perfect/near-perfect cyber security protection. The impossibility arises due to a number of reasons:


 * Scarce existence of sound technical solutions.
 * Difficulty in designing solutions catered to varied intentions behind network attacks.
 * Misaligned incentives between network users, security product vendors, and regulatory authorities regarding protecting the network.
 * Network users taking advantage of the positive security effects generated by other users' investments in security, in turn, themselves not investing in security and resulting in the free-riding problem.
 * Customer lock-in and first-mover effects of vulnerable security products.
 * Difficulty to measure risks resulting in challenges to designing pertinent risk removal solutions.
 * The problem of a lemons market, whereby security vendors have no incentive to release robust products in the market.
 * Liability shell games played by product vendors.
 * User naiveness in optimally exploiting feature benefits of technical solutions.

Given the above-mentioned inevitable barriers to near 100% risk mitigation, the need arises for alternative methods for risk management in cyberspace. To highlight the importance of improving the current state of cyber security, US President Barack Obama issued a cyber security executive order in February 2013 that emphasizes the need to reduce cyber threats and be resilient to them. In this regard, some security researchers in the recent past have identified cyber insurance as a potential tool for effective risk management.

cyber insurance is a risk management technique via which network user risks are transferred to an insurance company, in return for a fee, i.e., the insurance premium. Examples of potential cyber insurers might include ISP, cloud provider, traditional insurance organizations. Proponents of cyber insurance believe that cyber insurance would lead to the design of insurance contracts that would shift appropriate amounts of self-defense liability to the clients, thereby making the cyberspace more robust. Here the term ‘self-defense' implies the efforts by a network user to secure their system through technical solutions such as anti-virus and anti-spam software, firewalls, using secure operating systems, etc. cyber insurance has also the potential to be a market solution that can align with economic incentives of cyber insurers, users (individuals/organizations), policymakers, and security software vendors. i.e., the cyber insurers will earn profit from appropriately pricing premiums, network users will seek to hedge potential losses by jointly buying insurance and investing in self-defense mechanisms, policymakers would ensure the increase in overall network security, and the security software vendors could experience an increase in their product sales via forming alliances with cyber insurers.

A key area to manage risk is to establish what is an acceptable risk for each organization. Practicing 'duty of care' helps protect all interested parties - executives, regulators, judges, the public who can be affected by those risks. The Duty of Care Risk Analysis Standard (DoCRA) provides practices and principles to help balance compliance, security, and business objectives when developing security controls.

Availability
As of 2014, 90% of the cyber insurance premium volume was covering exposure in the United States. Although at least 50 insurance companies have cyber insurance product offerings, the actual writing is concentrated within a group of five underwriters. Many insurance companies have been hesitant to enter this coverage market, as sound actuarial data for cyber exposure is non-existent. Hampering the development of this actuarial data is inadequate disclosure regarding cyber attacks by those affected. After a significant malware incident in 2017, however, Reckitt Benckiser released information on how much the cyberattack would impact financial performance, leading some analysts to believe the trend is for companies to be more transparent with data from cyber incidents.

With cyber insurance premiums expected to grow from around $2 billion in 2015 to an estimated $20 billion or more by 2025, insurers and reinsurers are continuing to refine underwriting requirements. Market immaturity and lack of standardization are two reasons why underwriting cyber products today make it an interesting place to be in the insurance world. Not only do you have an insurance marketplace that’s trying to reach a standard and accommodate the needs of today’s insured, but you also, at the same time, have a rapidly developing exposure landscape and capacity available.

Pricing
As of 2019, the average cost of cyber liability insurance in the United States was estimated to be $1,501 per year for $1 million in liability coverage, with a $10,000 deductible. The average annual premium for a cyber liability limit of $500,000 with a $5,000 deductible was $1,146, and the average annual premium for a cyber liability limit of $250,000 with a $2,500 deductible was $739. In addition to location, the main drivers of cost for cyber insurance include the type of business, the number of credit/debit card transactions performed, and the storage of sensitive personal information such as date of birth and Social Security numbers.

Existing Issues
Consequently, during 2005, a “second generation" of cyber insurance literature emerged targeting risk management of current cyber networks. The authors of such literature link the market failure with fundamental properties of information technology, specially correlated risk information asymmetries between insurers and insureds, and inter-dependencies.

Information Asymmetry
Information asymmetry has a significant negative effect on most insurance environments, where typical considerations include inability to distinguish between users of different (high and low risk) types, i.e., the so-called adverse selection problem, as well as users undertaking actions that adversely affect loss probabilities after the insurance contract is signed, i.e., the so-called moral hazard problem. The challenge due to the interdependent and correlated nature of cyber risks is particular to cyber insurance and differentiates traditional insurance scenarios (e.g., car or health insurance) from the former. In a large distributed system such as the Internet, risks span a large set of nodes and are correlated. Thus, user investments in security to counter risks generate positive externalities for other users in the network. The aim of cyber insurance here is to enable individual users to internalize the externalities in the network so that each user optimally invests in security solutions, thereby alleviating moral hazard and improving network security. In traditional insurance scenarios, the risk span is quite small (sometimes it spans only one or two entities) and uncorrelated, thus internalizing the externalities generated by user investments in safety, is much easier.

War exclusion clauses
Like other insurance policies, cyber insurance typically includes a war exclusion clause - explicitly excluding damage from acts of war. While the majority of cyber insurance claims will relate to simple criminal behaviour, increasingly companies are likely to fall victim to cyberwarfare attacks by nation-states or terrorist organizations - whether specifically targeted or simply collateral damage. After the US and UK, governments characterized the NotPetya attack as a Russian military cyber attack insurers are arguing that they do not cover such events.

Current Work
Current work regarding the existence of cyber insurance markets is few. Among the important ones are the works by (i) Lelarge and Bolot, (ii) Pal, Golubchik, Psounis, and Hui, (iii) Johnson et al., and (iv) Shetty, et al. These works first comment on the free-riding behavior of Internet users without the presence of cyber insurance. The works by Lelarge et al and Shetty et al present the benefits of cyber insurance in incentivizing Internet users to invest appropriately in security; however, their works address restricted market types. Lelarge et al do not model information asymmetry in their work. Shetty et al prove that cyber insurance markets are inefficient under conditions of information asymmetry. Johnson et al discuss the role of the joint existence of self-insurance and market insurance on the adoption of the different types of insurance by users. In most recent work, Pal et al prove the inefficiency of cyber insurance markets under conditions of partial information asymmetry and correlated risks and show the existence of efficient markets (both regulated and unregulated) under premium discrimination.

Regulation
Activity from regulators towards cyber insurance offerings is similarly limited. The first regulator-issued guidance came in February 2021 from the New York State Department of Financial Services with the release of its Cyber Insurance Risk Framework, including seven best practices for insurers to employ to reduce their risk associated with providing cyber insurance. The Cyber Insurance Risk Framework directed insurers to consider risk via qualitative and quantitative goals, generating comprehensive plans for assessing risk in insured organizations, hiring cybersecurity experts to accurately understand and communicate about risk, and mandating insured organizations notify law enforcement when incidents occur. The Framework also provided statistics from recent cyber insurance-related surveys conducted by DFS, such as slightly more than one-third of insurers have a requirement for insured organizations to notify law enforcement and that the number of insurance claims arising from ransomware increased by 180% between early 2018 and late 2019.