The Impact of Purchasing Cyber Insurance on the Enhancement of Operational Cyber Risk Mitigation of U.S. Banks - A Case Study

Abstract

Cyberspace is complex, fragile and risky resulting in potential financial loss, disruption, damage or destruction to enterprises from information technology systems failure. As a result, banks, as early adopters of information technologies, have been forced to deal with increasing threats, vulnerabilities and consequences of this evolving cyber risk. To counter non-systemic cyber risk, banks have turned to a myriad of cyber risk mitigation options, two of which are theorized to work in conjunction with each other, purchasing cyber insurance and enhancing operational cyber risk mitigation programs and activities, making the two collectively more effective at reducing the gap between cyber risk and cybersecurity. However, the literature, to date, supporting this theory is primarily theoretical due to the lack of empirical data. This case study addresses this deficiency by collecting and analyzing empirical data on the purchase of cyber risk insurance and the enhancement of operational cyber risk mitigation programs and activities. Using a mixed-method approach, the results found that while most of the cyber insurance variables in this study had either a random or negative impact on operational cyber risk mitigation programs and activities, three of the independent cyber insurance variables of how many years has your bank been purchasing cyber privacy insurance, is your bank's cyber risk, cyber network security or cyber privacy insurance coverage first-party (purchased by the bank) or is it third-party (purchased by your contractor(s)) and does your bank use a third-party contractor(s) to supply your IT and cybersecurity needs have both positive qualitative and quantitative results that enhance the dependent operational cyber risk mitigation functions variables in large banks in the State of New Jersey. These results are useful to both academic scholars and banking practitioners.