Abstract

Cyber insurance is becoming a popular cyber risk management tool. Beyond pure financial risk transfer, prior theoretical works anticipated that cyber insurance would influence the mitigation measures employed by policyholders, such as by excluding losses caused by security mismanagement or by offering premium discounts for security controls. Empirical literature has shown cyber insurance is ineffective at influencing pre-breach security levels; however, it has also identified how insurers indemnify the cost of a team of post-breach providers with expertise spanning legal, technical, and communications. Our work models the peculiarities of the institution, the panel, that triages incidents and assigns firms. In particular, we model the incomplete aspect of this contract in which policyholders may be assigned a less efficient firm, which can be interpreted as a bait and switch. At the same time, our context for the bait and switch is business-to-business (B2B) and differs from the usual understanding of the phenomenon as an upsell. Consequently, new managerial implications arise on the insurer-side of the market. We characterise the conditions under which policyholders accept their insurer's hotline recommendation for incident response under the incomplete contract. We additionally show how panels can mitigate the adverse selection problem with respect to policyholders' losses by including providers of differentiated efficiency.
