Pricing Cyber Security Insurance: A Copula Model Using an Objective, Verifiable, Loss Measure

Abstract

Cybersecurity breaches may be correlated due to geography, similar infrastructure, or use of a third-party contractor. We show how a copula model may be used to estimate the probability of an attack where breaches may be correlated among firms. Losses arising from cybersecurity breaches have an unknown distribution. We propose the stock price reaction to a breach as an objective measure of the loss in wealth sustained by the firm due to a breach, a loss that can be modeled and that insurers can use to price cyberinsurance products. This loss measure reflects the immediate and long-term effects of a breach, including reputational effects and other intangible impacts that are otherwise more difficult to quantify. We examine stock returns for 258 cybersecurity breach announcements over 2011-2016 in order to obtain the empirical loss distribution. We find a five-day abnormal return of -1.44%. Seventy-one percent of these 258 announcements result in a negative abnormal return, and a gamma distribution provides an excellent fit to these losses. In addition to introducing a copula model for correlated losses, our study shows that insurers can use either the empirical stock market distribution of losses or the theoretical (gamma) distribution in the pricing of cyberinsurance.