Cybersecurity Insurance Research Articles

Cybersecurity investments in supply chains with two-stage risk propagation

Cyber-attacks present a significant threat to supply chains as their nodes are directly or indirectly vulnerable to risk propagation at various stages. The risk level varies depending on the type of attack. A cybersecurity insurance offers a practical method to mitigate this risk, and it is crucial to determine optimal cybersecurity investments for all supply chain nodes. Previous studies have overlooked the joint impact of the attack type, two-stage risk propagation, and cybersecurity insurance in optimizing cybersecurity investments. This paper addresses this research gap by examining optimal investments under targeted and opportunistic attacks in a two-stage supply chain using game theory. The findings indicate that optimal investments differ based on the type of attack. For instance, retailers should invest more in cybersecurity under opportunistic attacks, while suppliers need to spend more under targeted attacks. Additionally, the results show that under opportunistic attacks, members should reduce their investments. Conversely, under targeted attacks, investments should initially increase and then stabilize. In the case of opportunistic attacks, suppliers and retailers should prioritize reconfiguring their systems over investing heavily in cybersecurity. The model presented in this paper demonstrates that not all cyber risks are worth defending against and that cybersecurity insurance for the entire supply chain can be more cost-effective than addressing cybersecurity risks individually. The paper also explores the impact of joint decisions on cybersecurity insurance when firms are unwilling to invest individually. The insights obtained enable supply chains to identify their optimal cybersecurity investment strategies effectively.

Cybersecurity Risk and Audit Pricing—A Machine Learning-Based Analysis

ABSTRACT Cybersecurity risk represents a growing business threat. However, little attention has been paid to its assessment. This study proposes a machine learning algorithm that considers firm cybersecurity risk disclosure, information technology governance, external monitoring by financial analysts and auditors, and general firm characteristics to estimate cybersecurity risk (i.e., the likelihood of a firm experiencing data breaches during a year). This measure outperforms the measure produced by logistic regression models, is higher in industries more prone to cyberattacks, and effectively predicts future data breaches and firm use of cybersecurity insurance policies. I also examine whether auditors consider firm cybersecurity risk in the engagement planning process, finding that, on average, a one-percentage-point increase in cybersecurity risk is associated with a 1.15 percent increase in audit fees. In addition, auditors charge a fee premium after a data breach only if the client has heightened cybersecurity risk. Data Availability: Data are available from the public sources cited in the text.

CONTEMPORARY PROBLEMS OF TECHNOLOGICAL RISKS AND THE WAYS OF DEVELOPMENT

The article ‘’Contemporary problems of technological risks and ways of development ‘’ describes the role of technical risks in the economy of Georgia and the search for ways of its development. The problems that stand in this direction are mentioned. Today, in the era of technologies, the degree of technical risks increases in direct proportion of the development of technologies, which has become a heavy burden for users. Today, each of us uses plastic cards or simply has an account in some social network, and all this automatically puts us at technological risk. Therefore, the most frequently discussed issue is precisely the technical risks and possible serve consequences caused by them. Electronic commerce and internet banking are also noteworthy as the object of attack. Thus, we think that the topic is relevant. The paper discusses the changes that have been made to mitigate these risks. The results of the research are given, the analysis of which gives an idea of the quality of the existing technological risks and ways of elimination. The problems that prevent the better development of technological risks throughout the country are mentioned: 1. Lack of support from the government. 2. Unqualified staff. 3. Inadequate legislation in terms of cyber security. 4. Inadequate insurance of cyber risks. The article presents the results of survey conducted within the framework of the study and relevant statistics. 1. The government should find more support for people affected by technological risks. 2. Specialists employed in the field should be retrained. 3. Legislation should be refined and become victim-friendly. 4. Improve cyber security insurance. Taking all this into account will help’ to solve the problems in technological risks throughout the country. The article contains the opinions ad advice of the authors, seen from the point of view of scientists and its implementation in practice will help to effectively conduct the activities of the filed. Keywords: Technological risks. Cyber security. Economy. Plastic cards. Government. Insurance.

Loss and premium calculation of network nodes under the spread of SIS virus

In the big data and “Internet+” era, the research related cybersecurity risk has attracted much attention. However, Premium pricing for cybersecurity insurance remains in its early days. In this paper, we established a premium pricing method for cybersecurity risks. Firstly, the losses during the cyber infection is modeled by an interacting Markov SIS (Susceptible-Infected-Susceptible) epidemic model. we also proposed a premium simulation method called the Gillespie algorithm, which can be used for simulation of a continuous-time stochastic process. At last, as an example, we calculated the premiums by using premium principles and simulation in a simple network respectively. The numerical case studies demonstrate the premium pricing model performs well, and the premiums based on simulations are rather conservative, and recommended using in practice by comparing the results of premiums.

Cyber insurance: state of the art, trends and future directions

Society has become increasingly dependent on IT infrastructure and services. Additionally, the pandemic of COVID-19 forced the transition of the traditional way of working (i.e., physical presence) into a more modern and flexible one (i.e., working remotely). This has led to an increase of cyberattacks, as a direct consequence of the increase of the attack surface but subsequently also led to an increased necessity for the protection of information systems. Toward the protection of information systems, cyber insurance is considered as a strategy for risk management, where necessary. Cyber insurance is emerging as an important tool to protect organizations against cyberattack-related losses. In this work, we extensively examine the relevant literature on cybersecurity insurance, research and practice, in order to draft the current landscape and present the trends.

Mitigating the consequences of electronic health record data breaches for patients and healthcare workers.

Electronic health records (EHRs) have been widely adopted in Australian public sector healthcare and will remain an ongoing, essential data system. However, recent substantial data breaches from hacked business data systems in Australian enterprises, as well as international healthcare providers, mean that EHR data breaches are increasingly likely in Australia. Risks include medical identity theft and extortion attempts based on threats to release sensitive patient information. Hacking is now a foreseeable additional risk of medical treatment. Risk mitigation for the consequences of data breaches needs to be considered, as well as support for patients (and families) and healthcare workers. This includes identity theft protection services, cybersecurity insurance, and psychological support.

Development Opportunities, Challenges, and Strategies for Cybersecurity Insurance in the Digital Economy Era

Development Opportunities, Challenges, and Strategies for Cybersecurity Insurance in the Digital Economy Era

Pemodelan dan Perhitungan Premi Asuransi Keamanan Siber dengan Model Non-Markov

The development of information and communication technology not only has positive impacts, but also negative impacts, especially in the cybersecurity sector. Insurance companies need to create a relatively new insurance product, namely cybersecurity insurance. However, development of cybersecurity insurance still needs further investigation because there is no standard actuarial table like mortality table in life insurance. This article will discuss the modeling of infection and recovery process of a node and various other connected nodes in a computer network of the company using non-Markov model in the case of absence of dependence between cybersecurity risks, applying the Monte Carlo simulation method to obtain experimental data with various distributions – Weibull, Lognormal, and Inverse Gaussian – for the calculation of premium charged by insurance companies to insured companies interested in purchasing cybersecurity insurance products. Standard deviation premium principle and exponential utility premium principle are used to calculate premium. We concluded that the infection and recovery time with a long-tailed distribution has a lower premium price compared to those with a short-tailed distribution.

Do Auditors Consider Cybersecurity Insurance in Pricing Audits?

Do Auditors Consider Cybersecurity Insurance in Pricing Audits?

Pricing Cyber Security Insurance

Cybersecurity breaches may be correlated due to geography, similar infrastructure, or use of a third-party contractor. We show how a logistic regression may be used to estimate the probability of an attack where breaches may be correlated among firms up and down the supply chain. We also show how a Poisson regression may be used to estimate the number of records breached. Losses arising from cybersecurity breaches have an unknown distribution. We propose the stock price reaction to a breach as an objective measure of the loss in wealth sustained by the firm due to a breach. This loss measure reflects the immediate and long-term effects of a breach, including reputational effects and other intangible impacts that are otherwise more difficult to quantify. We examine stock returns for 258 cybersecurity breach announcements over 2011-2016 in order to obtain the empirical loss distribution. We find a five-day abnormal return of -1.44%. Seventy-one percent of these 258 announcements result in a negative abnormal return, and a gamma distribution provides an excellent fit to these losses. In addition to introducing a predictive model for correlated losses, our study shows how insurers can use either the empirical stock return distribution of losses or the per record cost of a breach in the pricing of cyberinsurance.

When do businesses report cybercrime? Findings from a UK study

Although it is known that businesses report cybercrime to public authorities at a low rate, and this hinders prevention strategies, there is a lack of research on companies’ decisions to report cyber victimisation. This paper analyses the UK Cyber Security Breaches Survey to explore factors associated with cybercrime reporting by businesses. Results indicate that the type of cybercrime is relevant to the reporting decision, and that the likelihood of reporting increases when cybersecurity incidents generate negative impacts and when the company places high priority on cybersecurity. However, we find no association between having cybersecurity insurance and reporting. Finally, while having outsourced cybersecurity management is associated with reporting to anyone outside the organisation but not to public authorities, in-house cybersecurity teams seem more inclined to report to public authorities. Findings are discussed in relation to the role of the private cybersecurity sector and the criminal justice system in combatting cybercrime.

Why cybersecurity insurance should be regulated and compulsory

ABSTRACT This paper argues that promoting and regulating cybersecurity insurance could solve a key problem: despite the well-publicized hacks of businesses across the world and numerous government awareness campaigns, many small- and medium-sized companies (SMEs) in Europe do not practise proper cybersecurity. Introducing compulsory cybersecurity insurance for SMEs would be the single most effective way to achieve cyber resilience in a modern digital economy and protect businesses from both cybercriminals and state-sponsored hackers. Besides setting minimum standards for company cybersecurity and ensuring that post-breach support services are included in every insurance policy, governments must also address significant issues in the emerging cyber insurance market such as removing false incentives regarding ransoms and fines and creating a backstop mechanism to address aggregate risk. Moreover, they should ensure that all claims are collected in one database since this data would transform our understanding of malware threats and the costs they are causing. Combining these measures could unleash the potential of cyber insurance for the protection of all businesses and their customers, especially if the EU adopts a coherent policy for all member states.

The challenges of cybersecurity insurance development: The case of Latvia

Purpose. This paper aims to provide an overview of the current challenges of cybersecurity insurance, focusing on the identification of development constraints and opportunities and the key impact factors of this recently emerging insurance market in Latvia. Methodology. The authors used theoretical and empirical research methods, e.g., a literature review, surveys of experts from principal insurance companies and professionals from prominent mobile network operators, and interviews with experts in cybersecurity and pioneers of cybersecurity insurance in Latvia. Findings. The research results illustrate the immense difficulties in providing cyber risk insurance in Latvia. The lack of historical knowledge and evolving nature of cyber risks create significant challenges in quantifying and expressing cyber threats in monetary value. Cyber risk modelling is in its infancy, as events and threat vectors are still evolving. Due to the evolving nature of cyber risks, simulating events and fitting into traditional risk management forms are the primary challenges for insurance companies. Despite the increasing relevance of cyber risks to businesses, research on guidelines and methods of mitigating cyber risks with cyber insurance is still limited. Social implications. Cyber insurance is a direct result of public awareness of cyber threats and preparedness to mitigate business risks. Thus, cyber insurance is an integral part of educating and building a more resilient society. Originality/Value. The authors propose various approaches to cybersecurity insurance development, such as technology awareness building, standardization of mandatory reporting requirements and public–private partnerships in which the government covers part of the risk to overcome insurability limitations. Keywords: cyber insurance, cybersecurity, cyber insurance market, cyber risks

The invisible hole of cybersecurity insurance services

This study examines the cybersecurity insurance market in the United States (U.S.) in order to reveal if an “invisible hole” of services and information exists in this market. This is performed by mapping the cybersecurity insurance services, offered by insurance companies, to cope with cybersecurity risks, and finding in which way these services are exposed, visible and comprehensive, in the insurance companies' websites. The research questions examined the extent cybersecurity insurance services offered by the main U.S. insurance companies; the visibility of such services on their websites; and the types of services offered. The sample included 44 insurance companies based upon nine lists of the top U.S. insurance companies. The findings present that most companies (68%) offer cybersecurity insurance services, while only a few (26.92%) expose such information in a visible way. Moreover, on the one hand, the insurance companies use general terms for services, which may be blur and ambiguous, while on the other hand, there is a widespread of specific services, most of them (81%) provided only by few companies. These findings may derive due to insufficient understanding of cybersecurity insurance clients' needs and may reflect the lack of maturity of the cybersecurity insurance market, as matured marketplaces are mostly more standardized. This study demonstrates that there is a long way to advance until the insurance market for cybersecurity risks will be mature, customers (businesses and organizations) will understand the needs for such insurance, and insurance companies will develop and offer relevant insurance services.

Trends and best practices in health care cybersecurity insurance policy

Health care organizations are a major target for cyberattacks. This is primarily due to their peculiar vulnerabilities and attractiveness to nefarious cyber actors. Data breaches from these attacks present a significant threat to the viability of health care organizations, ranging from financial losses to compromised patient safety. Cybersecurity insurance has become an essential tool for mitigating financial liabilities that may arise from breaches for many organizations. This paper reviews the current state of cybersecurity insurance adoption in the health care sector. It highlights best practices in cybersecurity insurance policy for health care organizations and recommends future directions to strengthen cybersecurity and improve cybersecurity insurance.

A Cybersecurity Insurance Model for Power System Reliability Considering Optimal Defense Resource Allocation

With the increasing application of Information and Communication Technologies (ICTs), cyberattacks have become more prevalent against Cyber-Physical Systems (CPSs) such as the modern power grids. Various methods have been proposed to model the cybersecurity threats, but so far limited studies have been focused on the defensive strategies subject to the limited security budget. In this paper, the power supply reliability is evaluated considering the strategic allocation of defense resources. Specifically, the optimal mixed strategies are formulated by the Stackelberg Security Game (SSG) to allocate the defense resources on multiple targets subject to cyberattacks. The cyberattacks against the intrusion-tolerant Supervisory Control and Data Acquisition (SCADA) system are mathematically modeled by Semi-Markov Process (SMP) kernel. The intrusion tolerance capability of the SCADA system provides buffered residence time before the substation failure to enhance the network robustness against cyberattacks. Case studies of the cyberattack scenarios are carried out to demonstrate the intrusion tolerance capability. Depending on the defense resource allocation scheme, the intrusion-tolerant SCADA system possesses varying degrees of self-healing capability to restore to the good state and prevent the substations from failure. If more defense resources are invested on the substations, the intrusion tolerant capability can be further enhanced for protecting the substations. Finally, the actuarial insurance principle is designed to estimate transmission companies’ individual premiums considering correlated cybersecurity risks. The proposed insurance premium principle is designed to provide incentive for investments on enhancing the intrusion tolerance capability, which is verified by the results of case studies.

Cybersecurity Insurance: Modeling and Pricing

Cybersecurity risk has attracted considerable attention in recent decades. However, the modeling of cybersecurity risk is still in its infancy, mainly because of its unique characteristics. In this study, we develop a framework for modeling and pricing cybersecurity risk. The proposed model consists of three components: the epidemic model, loss function, and premium strategy. We study the dynamic upper bounds for the infection probabilities based on both Markov and non-Markov models. A simulation approach is proposed to compute the premium for cybersecurity risk for practical use. The effects of different infection distributions and dependence among infection processes on the losses are also studied.

Cybersecurity insurance and risk-sharing

In today’s interconnected digital world, cybersecurity risks and resulting breaches are a fundamental concern to organizations and public policy setters. Accounting firms, as well as other firms providing risk advisory services, are concerned about their clients’ potential and actual breaches. Organizations cannot, however, eliminate all cybersecurity risks so as to achieve 100% security. Furthermore, at some point additional cybersecurity measures become more costly than the benefits from the incremental security. Thus, those responsible for preventing cybersecurity breaches within their organizations, as well as those providing risk advisory services to those organizations, need to think in terms of the cost-benefit aspects of cybersecurity investments. Besides investing in activities that prevent or mitigate the negative effects of cybersecurity breaches, organizations can invest in cybersecurity insurance as means of transferring some of the cybersecurity risks associated with potential future breaches.This paper provides a model for selecting the optimal set of cybersecurity insurance policies by a firm, given a finite number of policies being offered by one or more insurance companies. The optimal set of policies for the firm determined by this selection model can (and often does) contain at least three areas of possible losses not covered by the selected policies (called the Non-Coverage areas in this paper). By considering sets of insurance policies with three or more Non-Coverage areas, we show that a firm is often better able to address the frequently cited problems of high deductibles and low ceilings common in today’s cybersecurity insurance marketplace. Our selection model facilitates improved risk-sharing among cybersecurity insurance purchasers and sellers. As such, our model provides a basis for a more efficient cybersecurity insurance marketplace than currently exists. Our model is developed from the perspective of a firm purchasing the insurance policies (or the risk advisors guiding the firm) and assumes the firm’s objective in purchasing cybersecurity insurance is to minimize the sum of the costs of the premiums associated with the cybersecurity insurance policies selected and the sum of the expected losses not covered by the insurance policies.

Pricing Cyber Security Insurance: A Copula Model Using an Objective, Verifiable, Loss Measure

Cybersecurity breaches may be correlated due to geography, similar infrastructure, or use of a third-party contractor. We show how a copula model may be used to estimate the probability of an attack where breaches may be correlated among firms. Losses arising from cybersecurity breaches have an unknown distribution. We propose the stock price reaction to a breach as an objective measure of the loss in wealth sustained by the firm due to a breach, a loss that can be modeled and that insurers can use to price cyberinsurance products. This loss measure reflects the immediate and long-term effects of a breach, including reputational effects and other intangible impacts that are otherwise more difficult to quantify. We examine stock returns for 258 cybersecurity breach announcements over 2011-2016 in order to obtain the empirical loss distribution. We find a five-day abnormal return of -1.44%. Seventy-one percent of these 258 announcements result in a negative abnormal return, and a gamma distribution provides an excellent fit to these losses. In addition to introducing a copula model for correlated losses, our study shows that insurers can use either the empirical stock market distribution of losses or the theoretical (gamma) distribution in the pricing of cyberinsurance.

Cybersecurity at the Grassroots: American Local Governments and the Challenges of Internet Security

Abstract In this paper, we examine cybersecurity challenges faced by America’s local, governments, including: the extent of cyberattacks; problems faced in preventing attacks from being successful; barriers to providing high levels of cybersecurity management; and actions that local governments believe should be taken to improve cybersecurity practice. Our research method consisted of a focus group of information technology (IT) and cybersecurity officials from one American state. Our findings indicate that cyberattacks are constant and can number in the tens of thousands or more per day. While our participants noted that while they were not perfect at it, they felt that they had cybersecurity technology under good control. Their biggest challenge is human – that is, end-users who make mistakes or engage in misconduct. Local governments face several barriers in providing high levels of cybersecurity, including: insufficient funding and staffing; problems of governance; and insufficient or under-enforced cybersecurity policies. Participants suggested several ways to improve local government cybersecurity, including: vulnerability assessment, scanning and testing, cybersecurity insurance, improving end-user authentication and authorization, end-user training and control, control over the use of external devices, and improved governance methods, among others. We conclude by making suggestions for further research into local government cybersecurity.