Insurability of Cyber Risk: An Empirical Analysis

  • Original Article, The Geneva Papers on Risk and Insurance - Issues and Practice

Abstract

This paper discusses the adequacy of insurance for managing cyber risk. To this end, we extract 994 cases of cyber losses from an operational risk database and analyse their statistical properties. Based on the empirical results and recent literature, we investigate the insurability of cyber risk by systematically reviewing the set of criteria introduced by Berliner (1982). Our findings emphasise the distinct characteristics of cyber risks compared with other operational risks and bring to light significant problems resulting from highly interrelated losses, lack of data and severe information asymmetries. These problems hinder the development of a sustainable cyber insurance market. We finish by discussing how cyber risk exposure may be better managed and make several suggestions for future research.


Notes

  1. See, for example, the Bank of England’s current annual systemic risk survey, the WEF Global Risk Landscape and articles on well-known cyber risk incidents (NSA, Sony, LGT, etc.). Recently, the G20 group denoted cyber attacks as a threat to the global economy; see Ackerman (2013). In terms of both probability of occurrence and potential severity, cyber attacks and the failure of critical information infrastructure rank among the top five global risks. More specifically, the World Economic Forum (2014) estimates the probability of a critical information infrastructure breakdown at 10 per cent and the financial consequences after a few days at about US$250 billion.

  2. Cyber insurance is often discussed as a big market opportunity because of the public’s high awareness of cyber risk and its increasing exposure to it (see Betterley, 2010).

  3. The market coverage (the per cent of companies that have bought cyber insurance) is estimated between 6 and 10 per cent. See Willis (2013a, 2013b), for the United States, and Marsh (2013), for Europe.

  4. In Appendix B, we present all existing articles on cyber insurance and outline their contributions. Many articles emphasise the complexity and dependent risk structure (e.g. Hofmann and Ramaj, 2011; Öğüt et al., 2011) or adverse selection and moral hazard issues (e.g. Gordon et al., 2003). In short, the extant literature tends to highlight individual aspects of the insurability of cyber risks; our discussion of insurability is thus based on our own data and on a review of this literature.

  5. Haas and Hofmann (2013) discuss risk management and the insurability of cloud computing from an enterprise risk management perspective; in contrast to this paper, they consider only a subsection of the cyber risk landscape, do not use empirical data and do not systematically review Berliner’s (1982) criteria.

  6. To see how our data analysis and literature review compares with practical “real-world” experience, we also conducted interviews with providers and potential buyers of cyber insurance and embed these in the insurability discussion.

  7. See Mukhopadhyay et al. (2005, 2013).

  8. See Öğüt et al. (2011).

  9. See, for example, Böhme and Kataria (2006).

  10. See GCHQ (2012).

  11. See Cebula and Young (2010).

  12. See BIS (2006).

  13. See CEIOPS (2009).

  14. Note that reputational risk is typically excluded when operational risk is considered; see, for example, BIS (2006). Reputational effects, however, are an important aspect of cyber risk, so they are included in our discussion.

  15. See Ponemon Institute (2013a, 2013b).

  16. In addition, the study by Greisiger (2013) looks at data breach claims from 2010 to 2012 reported by companies with cyber-liability insurance. Submitted claims range from US$2,500 to US$20 million, while the average claim payouts amount to US$1 million. If it is assumed that, at a minimum, the self-insured retention is met, average claim payouts would increase to US$3.5 million. These average numbers are lower than in Ponemon Institute (2013b), which is due to a much smaller subset of all breaches and because Greisiger (2013) focuses on actual claim payouts rather than expenses incurred.

  17. See McAfee (2013).

  18. See World Economic Forum (2012).

  19. Among these are the annually published Computer Crime and Security Survey (Computer Security Institute, 2014), the monthly Internet Security Threat Report (Symantec, 2014), the annual Cyber Liability & Data Breach Insurance Claims Study (Greisiger, 2013), the monthly Cyber Attack Statistics (Hackmageddon, 2013), and several studies by KPMG Forensic Services (see KPMG, 2013). Furthermore, the annually published Global Corporate IT Security Risks Study (Kaspersky Lab, 2013) has a special focus on the key IT security issues and cyber threats that worry businesses.

  20. There is an overlap not only between operational risk and cyber risk, but also between IT risk and cyber risk. IT risk traditionally focuses primarily on physical assets such as hardware, while cyber risk focuses on digital information (see Haas and Hofmann, 2013). Nevertheless, much can be learned about risk management not only from operational risk, but also from IT risk, which has been a topic of research for several decades.

  21. See Marsh (2013).

  22. See Willis (2013b). According to Willis (2013b), about 20 per cent of all financial services companies have cyber risk coverage, whereas manufacturing (2 per cent) and health care (1 per cent) have the lowest shares of companies covered. Another recent market survey for the United States by the Harvard Business Review Analytic Services (2013) finds that among 152 companies, market coverage is 19 per cent.

  23. See Betterley (2013).

  24. See Gould (2013).

  25. See, for example, Marsh (2012). Sometimes, reputational losses (see, e.g. NAIC, 2013; Ponemon Institute, 2013b) and regulatory fines (see, e.g. Betterley, 2013; Ponemon Institute, 2013b) also are covered by cyber insurance policies.

  26. See Willis (2013a).

  27. See Hess (2011).

  28. A detailed description of the search strategy is available from the authors upon request.

  29. Seven trade journal articles on cyber insurance and 13 industry studies on cyber risk are included as well (see Appendix B). The industry studies do not discuss cyber insurance, but the data and information on cyber risk provided therein are useful for our discussion of insurability. Moreover, we conducted interviews with four cyber insurance providers (AIG, Allianz, Chubb, Zurich) and 16 (potential) buyers of cyber insurance from the financial services sector. These interviews are helpful in discovering whether our data analysis and literature review results comport with practical experience such as, for example, actual cover limits. Twenty-five per cent of the 16 persons interviewed already have cyber insurance.

  30. See Berliner (1982).

  31. See, for example, Biener and Eling (2012), Doherty (1991), Jaffee and Russell (1997), Janssen (2000), Karten (1997), Nierhaus (1986), Schmit (1986) and Vermaat (1995).

  32. Mean and median are close to estimations of average losses found in the literature; Ponemon Institute (2013b) finds that security and data breaches result in an average financial impact of US$9.4 million. Average losses from the theft of data are estimated at US$2.1 million by KPMG (2013).

  33. The largest cyber risk case occurred at the Bank of China in February 2005 when US$13,313.51 million were laundered through one of its branches, which was possible because the bank’s internal money laundering controls were manipulated by employees. The largest non-cyber risk case involves the U.S. tobacco company Philip Morris, which, in November 2001, was ordered to pay US$89,143.99 million in punitive damages to sick smokers.

  34. Cyber risk policies typically cover a maximum such as, for example, US$50 million. Actual cover limits vary. If US$50 million is the limit, then 92 per cent of the cases in our sample would be covered completely by the policy.

  35. The modelled VaR for non-cyber risk is more than twice as high as for cyber risk.

  36. In the operational risk literature, typically models of extreme value theory and spliced distribution are used. In light of the result that cyber risk differs significantly from other operational risk, the question arises as to whether the usual methods of modelling operational risk are appropriate for modelling cyber risk or whether other methods should be used.

  37. Our market survey of potential customers in the financial services industry shows that banks are especially prone to cyber risk, that is, the respondents from the banking sector had significantly more experience with cyber risk than the respondents from other financial service sectors.

  38. Correcting for outliers (i.e. deleting the 10 highest losses in each subsample), we obtain the same result (average (median) loss for one firm involved of US$15.63 (1.77) million and for the case with multiple firms involved US$6.77 (1.93) million). We also analysed the intra-year pattern of cyber risk incidents in order to identify potential concentrations within a year. No intra-year pattern could be identified.

  39. The results are robust with regard to the size categorisation. We estimated the values for a separation into Small: less than 100, Medium: less than 1,000, and Large: more than 1,000 employees and find no differences in this pattern.

  40. We also analysed the development of cyber risks over time and found that the number of cyber risk incidents was relatively small before 2000. After that point, however, the number of incidents continuously increased and in the last years accounts for a substantial part of all operational risk incidents. These findings again emphasise the increasing economic importance of cyber risk in recent years. The average loss, however, has decreased over the last several years, which might indicate the increasing use of self-insurance measures that reduce the loss amount in the event of a cyber attack. Detailed results are available from the authors upon request.

  41. See, for example, Böhme (2005), Biener (2013).

  42. See Baer and Parkinson (2007).

  43. See, for example, Haas and Hofmann (2013), Hofmann and Ramaj (2011), Öğüt et al. (2011), Bolot and Lelarge (2009).

  44. See ENISA (2012).

  45. See Herath and Herath (2011), Gordon et al. (2003), Baer and Parkinson (2007), ENISA (2012).

  46. Other authors also acknowledge the data scarcity issue in cyber insurance as a potential barrier to market development (see, e.g. Betterley, 2010; Department of Homeland Security, 2012; Shackelford, 2012); Chabrow (2012) hits the nail on the head: “Cyber insurance remains a gamble to insurance companies; if it’s a gamble for them, it’s a gamble for you”.

  47. See Bandyopadhyay et al. (2009).

  48. See, for example, Haas and Hofmann (2013), ENISA (2012).

  49. Healey (2013) shows that past cyber incidents have either been widespread or prolonged, but not both. There are, however, arguments for an increase in the likelihood of such “rare” events and thus dynamic changes in cyber risk characteristics. In particular, systems are complex and consequences of interventions are often not easily understood; the interconnectedness of cyber systems involves the risk of shock transmission; the common-mode functionality of cyber system elements leads to shocks affecting multiple elements of the system simultaneously; a lack of incentives for increasing cyber security (e.g. for IT producers) results in an underinvestment in cyber security; increasing connectivity of physical assets to the cyberspace increases the potential impact and thus attractiveness of manipulating cyber systems (see Zurich, 2014).

  50. See, for example, Haas and Hofmann (2013), Gatzlaff and McCullough (2012).

  51. See Ponemon Institute (2013b).

  52. See KPMG (2013).

  53. See Kaspersky Lab (2013).

  54. Moreover, we observe that the average loss also depends on region; for instance, firms located in North America have lower average losses than do firms on other continents, which might be due to the North American firms having more experience in identifying and managing cyber losses. Thus, if it turns out that increased experience decreases loss, the criterion of insurability will with time become even easier to satisfy.

  55. See Shackelford (2012).

  56. See Gordon et al. (2003).

  57. See Baer and Parkinson (2007); Cylinder (2008).

  58. See Öğüt et al. (2011). To mitigate potential moral hazard problems, classical solutions such as deductibles and the introduction of premium reduction systems are discussed (see Gordon et al., 2003). In addition, Baer and Parkinson (2007) suggest regular risk assessments that allow linking coverage to a certain minimum standard of cyber security. Shackelford (2012) suggests monetary incentives for self-protective measures analogous to a safe driving discount in motor insurance.

  59. See Majuca et al. (2006); Öğüt et al. (2011); and Shetty et al. (2010).

  60. Screening, self-selection and signalling can be used to address adverse selection issues. Gordon et al. (2003) suggest information security audits and premium differentiation for proper risk type selection. Similarly, Baer and Parkinson (2007) recommend intensive examinations of firms’ IT and security processes. Majuca et al. (2006) discuss potential underwriting questions (i.e. self-selection) that should be assessed to alleviate adverse selection issues before an extensive physical review process is conducted. Another type of signalling could be certification of data security following ISO standards; in general, there is a lack of exchange of best practices in cyber risk management that inhibits identification of dominant strategies for tackling cyber risk (see ENISA, 2012).

  61. Mukhopadhyay et al. (2005, 2006, 2013) apply the collective risk model in conjunction with expected utility theory to make judgments about the theoretical value of cyber insurance to firms with different levels of risk aversion. They find that with increasing risk aversion, firms will accept fairly priced cyber insurance over no insurance. This finding is rather obvious in light of insurance economics, but it does provide a starting point for the discussion of premiums in our context.

  62. See Shackelford (2012); Shackelford (2012) also reports large geographic and industry variations; for example, there are more policies available in the United States than in Europe or in Canada.

  63. For an example of an assessment questionnaire, see Drouin (2004).

  64. We compared cyber insurance policies from the four insurers we interviewed (AIG, Allianz, Chubb and Zurich). Actual cover limits vary between CHF10 million and CHF50 million (i.e. US$11m and US$55m). All four insurers emphasise that higher limits are possible, but not preferred by the insurer.

  65. See, for example, Mukhopadhyay et al. (2005).

  66. See Gatzlaff and McCullough (2012).

  67. See also Wojcik (2012).

  68. The interviewed insurers’ response to this problem is to offer a modular product structure where coverage is chosen by the customer; the intensity of the risk assessment then depends on the coverage chosen.

  69. See Öğüt et al. (2011). This result is also supported by Shetty et al. (2010).

  70. See Kesan et al. (2004).

  71. See Bolot and Lelarge (2009).

  72. See Kesan et al. (2004) and Bolot and Lelarge (2009).

  73. For an international overview, see Barlow Lyde & Gilbert (2007).

  74. See European Commission (2012).

  75. See, for example, the U.S. Securities and Exchange Commission’s (SEC) disclosure guidance on cyber security (SEC, 2011), the U.S. White House Executive Order on cyber security (White House, 2013) and the reform of E.U. data protection laws (European Commission, 2012).

  76. See Ouellette (2012).

  77. See Berliner (1982). An extended version of this table with all references can be found in Appendix B.

  78. Given that we show that cyber risk is substantially different from other operational risk, it would not be surprising if extant operational risk models turn out to be inappropriate for modelling cyber risks.

  79. See Villaseñor-Alva and González-Estrada (2009).

  80. For purposes of comparison, we also present results for a 92.5 per cent threshold; lower thresholds lead to a rejection of the GPD fit for non-cyber risk according to the test of Villaseñor-Alva and González-Estrada (2009), while raising the threshold much higher makes the sample used for the cyber risk fit too small.

  81. See Gilli and Këllezi (2006).

  82. An approximation of the loss distribution per category was not made, since the sample size would be too small for computation of the tail distribution.

  83. See, for example, Eling (2012).

References

  • Ackerman, G. (2013) ‘G-20 urged to treat cyber-attacks as threat to global economy,’ Bloomberg, from www.bloomberg.com/news/2013-06-13/g-20-urged-to-treat-cyber-attacks-as-threat-to-economy.html, accessed 18 January 2014.

  • Baer, W.S. and Parkinson, A. (2007) ‘Cyberinsurance in IT security management’, IEEE Security and Privacy 5 (3): 50–56.

  • Bandyopadhyay, T., Mookerjee, V.S. and Rao, R.C. (2009) ‘Why IT managers don’t go for cyber-insurance products’, Communications of the ACM 52 (11): 68–73.

  • Bank for International Settlements (BIS) (2006) International Convergence of Capital Measurement and Capital Standards: A Revised Framework Comprehensive Version, from www.bis.org/publ/bcbs128.pdf, accessed 10 December 2013.

  • Barlow Lyde & Gilbert (2007) International Comparative Review of Liability Insurance Law, London: Insurance Day.

  • Berliner, B. (1982) Limits of Insurability of Risks, Englewood Cliffs, NJ: Prentice-Hall.

  • Betterley, R.S. (2010) Understanding the Cyber Risk Insurance and Remediation Services Marketplace: A Report on the Experiences and Opinions of Middle Market CFOs, from www.casact.org/community/affiliates/CANE/0412/Betterley2.pdf, accessed 16 December 2013.

  • Betterley, R.S. (2013) ‘Cyber/Privacy Insurance Market Survey 2013: Carriers deepen their risk management services benefits—Insureds grow increasingly concerned with coverage limitations’, from www.betterley.com/samples/cpims13_nt.pdf, accessed 16 December 2013.

  • Biener, C. (2013) ‘Pricing in microinsurance markets’, World Development 41 (1): 132–144.

  • Biener, C. and Eling, M. (2012) ‘Insurability in microinsurance markets: An analysis of problems and potential solutions’, Geneva Papers on Risk and Insurance—Issues and Practice 37 (1): 77–107.

  • Böhme, R. (2005) ‘Cyber-insurance revisited,’ in Proceedings of the Fourth Workshop on the Economics of Information Security (WEIS 2005), Harvard University, Cambridge, MA.

  • Böhme, R. and Kataria, G. (2006) ‘Models and measures for correlation in cyber-insurance’, working paper, Proceedings of the Fifth Workshop on the Economics of Information Security (WEIS 2006), University of Cambridge, U.K.

  • Bolot, J. and Lelarge, M. (2009) ‘Cyber insurance as an incentive for internet security’, in M.E. Johnson (ed.) Managing Information Risk and the Economics of Security, New York: Springer, pp. 269–290.

  • Cebula, J.J. and Young, L.R. (2010) A Taxonomy of Operational Cyber Security Risks, Technical Note CMU/SEI-2010-TN-028, Software Engineering Institute, Carnegie Mellon University.

  • CEIOPS (2009) CEIOPS’ Advice for Level 2 Implementing Measures on Solvency II: SCR Standard Formula—Article 111 (f): Operational Risk. CEIOPS-DOC-45/09, Frankfurt: Committee of European Insurance and Occupational Pensions Supervisors.

  • Chabrow, E. (2012) ‘10 concerns when buying cyber insurance’, from www.bankinfosecurity.com/10-concerns-when-buying-cyber-insurance-a-4859/op-1, accessed 18 January 2014.

  • Computer Security Institute (CSI) (2014) ‘Computer crime and security survey’, from www.gocsi.com/, accessed 18 January 2014.

  • Cylinder, H. (2008) ‘Evaluating cyber insurance’, CPCU eJournal 61 (12): 1–19.

  • Department of Homeland Security (2012) Cybersecurity Insurance Workshop Readout Report, from www.dhs.gov/sites/default/files/publications/cybersecurity-insurance-read-out-report.pdf, accessed 17 January 2014.

  • Doherty, N.A. (1991) ‘The design of insurance contracts when liability rules are unstable’, The Journal of Risk and Insurance 58 (2): 227–246.

  • Drouin, D. (2004) Cyber Risk Insurance: A Discourse and Preparatory Guide, Bethesda, MD: SANS Institute, from www.sans.org/reading-room/whitepapers/legal/cyber-risk-insurance-1412, accessed 19 December 2013.

  • Eling, M. (2012) ‘Fitting insurance claims to skewed distributions: Are the skew-normal and skew-student good models?’, Insurance: Mathematics and Economics 51 (2): 239–248.

  • ENISA (2012) ‘Incentives and barriers of the cyber insurance market in Europe’, from www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/incentives-and-barriers-of-the-cyber-insurance-market-in-europe, accessed 18 January 2014.

  • European Commission (2012) Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), from ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf, accessed 18 January 2014.

  • Gatzlaff, K.M. and McCullough, K.A. (2012) ‘Implications of privacy breaches for insurers’ Journal of Insurance Regulation 31: 195–214.

  • Gilli, M. and Këllezi, E. (2006) ‘An application of extreme value theory for measuring financial risk’, Computational Economics 27 (2–3): 1–23.

  • Gordon, L.A., Loeb, M.P. and Sohail, T. (2003) ‘A framework for using insurance for cyber-risk management’, Communications of the ACM 44 (9): 70–75.

  • Gould, J. (2013) ‘Allianz eyes growth in computer hacking insurance’, from uk.reuters.com/article/2013/07/10/us-allianz-hacking-cover-idUKBRE9690O120130710, accessed 16 December 2013.

  • Government Communications Headquarters (GCHQ) (2012) 10 Steps to Cyber Security, White Paper of the Information Security Arm of GCHQ, London.

  • Greisiger, M. (2013) ‘Cyber liability & data breach insurance claims—A study of actual payouts of covered data breaches’, NetDiligence from www.netdiligence.com/files/CyberClaimsStudy-2013.pdf, accessed 24 April 2014.

  • Haas, A. and Hofmann, A. (2013) Risiken aus Cloud-Computing-Services: Fragen des Risikomanagements und Aspekte der Versicherbarkeit, FZID Discussion Paper No. 74-2013.

  • Hackmageddon.com (2013) ‘Cyber attack statistics’, from www.hackmageddon.com/2013-cyber-attacks-statistics/, accessed 1 May 2014.

  • Harvard Business Review Analytic Services (2013) Meeting the Cyber Risk Challenge, Boston, MA: Harvard Business School Publishing.

  • Healey, J. (ed.) (2013) A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, Vienna, VA: Cyber Conflict Studies Association.

  • Herath, H. and Herath, T. (2011) ‘Copula-based actuarial model for pricing cyber-insurance policies’, Insurance Markets and Companies: Analyses and Actuarial Computations 2 (1): 7–20.

  • Hess, C. (2011) ‘The impact of the financial crisis on operational risk in the financial services industry: Empirical evidence’, Journal of Operational Risk 6 (1): 23–35.

  • Hofmann, A. and Ramaj, H. (2011) ‘Interdependent risk networks: The threat of cyber attack’, International Journal of Management and Decision Making 11 (5/6): 312–323.

  • Jaffee, D.M. and Russell, T. (1997) ‘Catastrophe insurance, capital markets, and uninsurable risks’, The Journal of Risk and Insurance 64 (2): 205–230.

  • Janssen, J. (2000) ‘Implementing the kyoto mechanisms: Potential contributions by banks and insurance companies’, Geneva Papers on Risk and Insurance—Issues and Practice 25 (4): 602–618.

  • Karten, W.T. (1997) ‘How to expand the limits of insurability’, Geneva Papers on Risk and Insurance—Issues and Practice 22 (4): 515–522.

  • Kaspersky Lab (2013) Global Corporate IT Security Risks: 2013, from www.kasperskycontenthub.com/presscenter/files/2013/10/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf, accessed 24 April 2014.

  • Kesan, J.P., Majuca, R.P. and Yurcik, W.J. (2004) The economic case for cyberinsurance, University of Illinois Law and Economics working papers.

  • KPMG (2013) e-Crime – Computerkriminalität in der deutschen Wirtschaft mit Kennzahlen für Österreich und Schweiz, KPMG Forensic Services, from www.kpmg.com/CH/de/Library/Articles-Publications/Seiten/e-crime-survey-2013.aspx, accessed 18 January 2014.

  • Lemos, R. (2010) ‘Should SMBs invest in cyber risk insurance?’, from http://www.darkreading.com/should-smbs-invest-in-cyber-risk-insurance/d/d-id/1134322, accessed 19 December 2013.

  • Majuca, R.P., Yurcik, W. and Kesan, J.P. (2006) The evolution of cyberinsurance, working paper, from arxiv.org/abs/cs/0601020, accessed 18 January 2014.

  • Marsh (2012) Cyber Insurance, from www.iod.org.nz/Portals/0/Branches%20and%20events/Canterbury/Marsh%20Cyber%20Insurance.pdf, accessed 17 January 2014.

  • Marsh (2013) Cyber Risk Survey 2013, from www.allianz-fuer-cybersicherheit.de/ACS/DE/_downloads/techniker/risikomanagement/partner/Partnerbeitrag_Marsh_Cyber-Risk_Survey.pdf?__blob=publicationFile, accessed 16 December 2013.

  • McAfee (2013) ‘The economic impact of cybercrime and cyber espionage’, from www.mcafee.com/sg/resources/reports/rp-economic-impact-cybercrime.pdf, accessed 9 January 2014.

  • Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A. and Sadhukan, S.K. (2006) ‘e-Risk management with insurance: A framework using copula aided Bayesian belief networks,’ in Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS), Kauai, HI, 4–7 January 2006.

  • Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A. and Sadhukan, S.K. (2013) ‘Cyber-risk decision models: To insure IT or not?’, Decision Support Systems 56 (1): 11–26.

  • Mukhopadhyay, A., Saha, D., Mahanti, A., Chakrabarti, B.B. and Podder, A. (2005) ‘Insurance for cyber-risk: A utility model’ Decision 32 (1): 153–169.

  • National Association of Insurance Commissioners (NAIC) (2013) ‘Cyber risk’, from www.naic.org/cipr_topics/topic_cyber_risk.htm, accessed 7 December 2013.

  • Nierhaus, F. (1986) ‘A strategic approach to insurability of risks’, Geneva Papers on Risk and Insurance—Issues and Practice 11 (39): 83–90.

  • Öğüt, H., Raghunathan, S. and Menon, N. (2011) ‘Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection’, Risk Analysis 31 (3): 497–512.

  • Ouellette, P. (2012) ‘Pros and cons of cyber insurance for health data breaches’, from www.healthitsecurity.com/2012/10/29/pros-and-cons-of-cyber-insurance-for-health-data-breaches/, accessed 18 January, 2014.

  • Ponemon Institute (2013a) Cost of Data Breach Study: Global Analysis, from www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf, accessed 24 April 2014.

  • Ponemon Institute (2013b) Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, from www.assets.fiercemarkets.com/public/newsletter/fiercehealthit/experian-ponemonreport.pdf, accessed 18 January 2014.

  • Schmit, J.T. (1986) ‘A new view of the requisites of insurability’, The Journal of Risk and Insurance 53 (2): 320–329.

  • Securities and Exchange Commission (SEC) (2011) ‘Cybersecurity’, Division of Corporation Finance Securities and Exchange Commission CF Disclosure Guidance: Topic No. 2, Washington.

  • Shackelford, S.J. (2012) ‘Should your firm invest in cyber risk insurance?’, Business Horizons 55 (4): 349–356.

  • Shetty, N., Schwarz, G., Felegyhazi, M. and Walrand, J. (2010) ‘Competitive cyber-insurance and internet security’ in T. Moore, D. Pim and C. Ioannidis (eds.) Economics of Information Security and Privacy, New York: Springer, pp. 229–247.

  • Symantec (2014) Internet Security Threat Report 2014, from www.symantec.com/security_response/publications/threatreport.jsp, accessed 18 January 2014.

  • Vermaat, A.J. (1995) ‘Uninsurability: A growing problem’, Geneva Papers on Risk and Insurance—Issues and Practice 20 (4): 446–453.

  • Villaseñor-Alva, J.A. and González-Estrada, E. (2009) ‘A bootstrap goodness of fit test for the generalized pareto distribution’, Computational Statistics and Data Analysis 53 (11): 3835–3841.

  • Wang, Q.-H. and Kim, S.H. (2009a) ‘Cyberattacks: Does physical boundary matter?’, ICIS 2009 Proceedings—Thirtieth International Conference on Information Systems, Paper 48.

  • Wang, Q.-H. and Kim, S.H. (2009b) Cyber attacks: Cross-country interdependence and enforcement, working paper.

  • White House (2013) Executive Order: Improving Critical Infrastructure Cybersecurity, Washington.

  • Willis (2013a) Willis Fortune 500 Cyber Disclosure Study, 2013, from blog.willis.com/downloads/cyber-disclosure-fortune-500, accessed 16 December 2013.

  • Willis (2013b) Willis Fortune 1000 Cyber Disclosure Report, from blog.willis.com/downloads/cyber-disclosure-fortune-1000-2013, accessed 16 December 2013.

  • Wojcik, J. (2012) ‘Cyber insurance not always enough’, Business Insurance 46 (16): 4.

  • World Economic Forum (2012) Global Risks 2012, Seventh Edition, from www3.weforum.org/docs/WEF_GlobalRisks_Report_2012.pdf, accessed 9 January 2014.

  • World Economic Forum (2014) Global Risks 2014—Ninth Edition, from www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf, accessed 17 April 2014.

  • Zurich Insurance Company Ltd and Atlantic Council of the United States (Zurich) (2014) ‘Risk Nexus: Beyond Data Breaches—Global Interconnections of Cyber Risk’, Zurich and Washington.

Additional information

This paper has been granted the 2014 Shin Research Excellence Award—a partnership between The Geneva Association and the International Insurance Society—for its academic quality and relevance by decision of a panel of judges comprising both business and academic insurance specialists.

See NAIC (2013).

Appendices

Appendix A

See Table A1 and Table A2.

Table A1 Data search strategy
Table A2 Keywords per criteria

Appendix B

See Table B1 and Table B2.

Table B1 Academic articles and industry studies on cyber risk and cyber insurance
Table B2 Assessment of insurability for cyber risk (extended version with all references)

Appendix C

Operational risk models, in general, apply methods from extreme value theory when estimating the loss severity distribution. We follow Hess (2011) and estimate the loss severity distribution using a spliced distribution approach (note 27). Losses above a predefined threshold are modelled by a generalised Pareto distribution (GPD), while losses below the threshold are modelled with an exponential distribution. We apply the bootstrap goodness-of-fit test by Villaseñor-Alva and González-Estrada (note 79) and, based on this, choose a threshold at the 90th percentile (note 80). The value at risk (VaR) is then approximated by an estimator described by Gilli and Këllezi (note 81). The VaR of the estimated loss severity distribution is close to the empirical one (see Table C1; note 82). The modelled VaR is much higher for non-cyber risk. The estimated shape parameter of the GPD gives an indicator of the heaviness of the tail: the higher the parameter, the heavier the tail (note 82). Boxplots and distribution and density functions for cyber and non-cyber risk are shown in Figures C1 and C2.
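The following Python is an added worked example and is not the paper's or the authors' code. It fits a spliced severity model of the kind described above to a constructed sample: the threshold u is the empirical 90th percentile, the body on (0, u] is an exponential (fitted here as an exponential truncated at u, by maximum likelihood), the excesses over u are a GPD, and VaR at a tail level p is obtained from the peaks-over-threshold estimator VaR_p = u + (β/ξ)·[((N/N_u)(1 − p))^(−ξ) − 1]. Two things are assumptions of this example rather than the paper's method: the GPD is fitted by probability-weighted moments (so the block runs without SciPy; in practice one would use maximum likelihood, e.g. scipy.stats.genpareto.fit), and the losses are synthetic, generated as quantiles of a known spliced distribution so that the recovered ξ, β and VaR can be checked against the values used to build them. All function and class names are hypothetical.

```python
"""Spliced loss-severity model: exponential body below a high threshold u,
generalised Pareto (GPD) tail above u, peaks-over-threshold (POT) VaR.
Added example, pure Python; the estimators are assumptions, see lead-in."""
import math
from typing import List, Tuple


def fit_gpd_pwm(excesses: List[float]) -> Tuple[float, float]:
    """Probability-weighted-moment estimate (Hosking and Wallis, 1987) of the
    GPD shape xi and scale beta from excesses y = x - u > 0.  Closed form,
    reliable for xi < 0.5; a stand-in for maximum likelihood."""
    y = sorted(excesses)
    n = len(y)
    if n < 2:
        raise ValueError("need at least two excesses to fit a GPD")
    a0 = sum(y) / n                                          # plain mean
    a1 = sum((n - 1 - i) / (n - 1) * v for i, v in enumerate(y)) / n
    d = a0 - 2.0 * a1
    return 2.0 - a0 / d, 2.0 * a0 * a1 / d                   # (xi, beta)


def fit_truncated_exp(body: List[float], u: float) -> float:
    """MLE of the rate of an exponential truncated at u: bisection on
    1/lam - u/(exp(lam*u) - 1) = mean(body), which decreases in lam."""
    m = sum(body) / len(body)

    def implied_mean(lam: float) -> float:
        t = lam * u
        return 1.0 / lam - (u / math.expm1(t) if t < 700.0 else 0.0)

    lo, hi = 1e-9, 1e6
    for _ in range(200):
        lam = 0.5 * (lo + hi)
        if implied_mean(lam) > m:
            lo = lam                                         # rate too small
        else:
            hi = lam
    return 0.5 * (lo + hi)


def pot_var(u: float, beta: float, xi: float, n_total: int,
            n_exceed: int, p: float) -> float:
    """POT VaR estimator: u + beta/xi * (((N/N_u)(1-p))^(-xi) - 1);
    the xi -> 0 limit is the exponential tail u - beta*log((N/N_u)(1-p))."""
    if p <= 1.0 - n_exceed / n_total:
        raise ValueError("p must lie in the tail modelled by the GPD")
    z = (n_total / n_exceed) * (1.0 - p)
    if abs(xi) < 1e-9:
        return u - beta * math.log(z)
    return u + (beta / xi) * (z ** (-xi) - 1.0)


class SplicedSeverity:
    """u = empirical q-quantile; truncated exponential on (0, u] carrying the
    empirical mass 1 - N_u/N; GPD on the excesses carrying the mass N_u/N."""

    def __init__(self, losses: List[float], threshold_quantile: float = 0.9):
        xs = sorted(losses)
        self.n = len(xs)
        k = min(int(round(threshold_quantile * self.n)), self.n - 1)
        self.u = xs[k]
        body = [x for x in xs if x <= self.u]
        excess = [x - self.u for x in xs if x > self.u]
        self.n_u = len(excess)
        self.rate = fit_truncated_exp(body, self.u)
        self.xi, self.beta = fit_gpd_pwm(excess)
        self._xs = xs

    def cdf(self, x: float) -> float:
        p_u = 1.0 - self.n_u / self.n                        # mass at or below u
        if x <= 0.0:
            return 0.0
        if x <= self.u:
            return p_u * math.expm1(-self.rate * x) / math.expm1(-self.rate * self.u)
        y = x - self.u
        if abs(self.xi) < 1e-9:
            tail = math.exp(-y / self.beta)
        else:
            b = 1.0 + self.xi * y / self.beta
            tail = b ** (-1.0 / self.xi) if b > 0.0 else 0.0
        return 1.0 - (1.0 - p_u) * tail

    def var(self, p: float) -> float:
        return pot_var(self.u, self.beta, self.xi, self.n, self.n_u, p)

    def empirical_var(self, p: float) -> float:
        return self._xs[min(int(p * self.n), self.n - 1)]


def constructed_losses(n: int = 20000, u: float = 3.0, rate: float = 1.0,
                       xi: float = 0.3, beta: float = 1.0, p_u: float = 0.9) -> List[float]:
    """Constructed synthetic losses (not real data): quantiles at equally
    spaced probabilities of a spliced distribution with a truncated
    exponential body on (0, u] and a GPD(xi, beta) tail above u."""
    out = []
    for i in range(n):
        p = (i + 0.5) / n
        if p < p_u:
            q = p / p_u
            out.append(-math.log(1.0 - q * (1.0 - math.exp(-rate * u))) / rate)
        else:
            q = (p - p_u) / (1.0 - p_u)
            out.append(u + (beta / xi) * ((1.0 - q) ** (-xi) - 1.0))
    return out


if __name__ == "__main__":
    m = SplicedSeverity(constructed_losses())
    print(f"u={m.u:.3f} rate={m.rate:.3f} xi={m.xi:.3f} beta={m.beta:.3f}")
    print(f"VaR99 model={m.var(0.99):.3f} empirical={m.empirical_var(0.99):.3f}")
```

On the constructed sample the fit recovers ξ ≈ 0.3 and β ≈ 1 and the modelled 99 per cent VaR lands within a few hundredths of the empirical quantile, which is the kind of agreement Table C1 reports. On real loss data the threshold choice is the sensitive step: too low and the GPD assumption fails (compare note 80), too high and N_u becomes too small for the PWM or maximum-likelihood fit to be stable, so a practitioner should repeat the fit over a range of thresholds and check that ξ and VaR are not jumping around.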

Table C1 Modelling results
Figure C1

Boxplots of cyber and non-cyber risk categories: (a) non-cyber risk vs cyber risk; (b) cyber risk by categories.Note: In the figures we use the 1.5 IQR whisker and do not show outliers.

Figure C2

Estimated distribution and density function: (a) Distribution functions; (b) density functions.

We also model losses with other distributions common in actuarial science, such as the log-normal, Gamma or Weibull distribution (note 83). We estimate the respective parameters and present the VaR. The VaR estimates from the log-normal and Gamma distributions are very far from the empirical value, which might indicate that these distributional assumptions do not fit the data well. The result for the Weibull distribution is much closer to the empirical VaR. In all cases, the VaR for cyber risk is substantially lower than for non-cyber risk.


About this article

Cite this article

Biener, C., Eling, M. & Wirfs, J. Insurability of Cyber Risk: An Empirical Analysis. Geneva Pap Risk Insur Issues Pract 40, 131–158 (2015). https://doi.org/10.1057/gpp.2014.19
