Exact Insurance Premiums for Cyber Risk of Small and Medium-Sized Enterprises

Abstract

As cyber attacks have become more frequent, cyber insurance premiums have increased, resulting in the need for better modeling of cyber risk. Toward this direction, Jevtić and Lanchier [Insur. Math. Econ. 91 (2020) 209–223] proposed a dynamic structural model of aggregate loss distribution for cyber risk of small and medium-sized enterprises under the assumption of a tree-based local-area-network topology that consists of the combination of a Poisson process, homogeneous random trees, bond percolation processes, and cost topology. Their model assumes that the contagion spreads through the edges of the network with the same fixed probability in both directions, thus overlooking a dynamic cyber security environment implemented in most networks, and their results give an exact expression for the mean of the aggregate loss but only a rough upper bound for the variance. In this paper, we consider a bidirectional version of their percolation model in which the contagion spreads through the edges of the network with a certain probability of moving toward the lower level assets of the network but with another probability of moving toward the higher level assets of the network, which results in a more realistic cyber security environment. In addition, our mathematical approach is quite different and leads to exact expressions for both the mean and the variance of the aggregate loss, and therefore an exact expression for the insurance premiums.