Insurability of Cyber Risk: An Empirical Analysis

Christian Biener, Martin Eling, and Jan Hendrik WirfsUniversity of St. Gallen, Switzerland

Institute of Insurance Economics

IIS 50th Annual Seminar in LondonJune 24, 2014

Estimated Cost from Global Cyber Activity

Data source: McAfee, 2013

Upper Bound$1 Trillion

Lower Bound$300 Billion

Ø Natural Cat Losses< $200 Billion

Data source: Munich Re, 2014

Cyber Risk – Big Threat to Global Economy

Average Information Security Budget (PWC, 2014)

2009

2013

$ 2.7 million

$ 4.3 million+15% p.a.

Cyber Insurance

Mature Markets

> 10%

1%

Insurance Gross Premium Growth p.a. (Swiss Re, 2014 | Betterley, 2013)

Cyber Risk – Big Market Opportunities

Contribution – Cyber Risk Insurability

25 relevant and high-quality studies

published between 2002 and 2014

Literature Review

SAS OpRisk Global Data:22,075 operational loss incidents between 1971 and 2009

Cyber Risk Data

Classification of risks in terms of actuarial, market, and societal conditions(see Berliner, 1982)

Is Cyber Risk Insurable?

Failures of hardware, software, and integrated systems

Systems Failure

Catastrophes, legal issues, service dependence

External Events

Failures of processes due to poor process design /controls

Failed Internal Processes

Unintentional and intentional actions as well as failure to act

Actions of People

1%

Data source: SAS OpRisk Global Data

Allocation of Cyber Risk Incidents to Cyber Risk Categories

90%

4%

4%

90% of Incidents Related to People

Undetermined

31%

15%

42%

Vulnerable Code

Misconfigured System

End-user Error

Targeted Attack

6%

6%

Dat

a so

urce

: IBM

, 20

13

(1) Randomness of Losses

Independence and Predictability

(2) Maximum Possible Loss Manageable

(3) Average Loss per Event Moderate

(4) Loss Exposure Large Loss Exposure (5) Information

AsymmetryNo Moral Hazard and Adverse Selection

(6) Insurance Premium Cost Recovery / Affordability (7) Cover Limits Acceptable (8) Public Policy Consistent With Societal

Values (9) Legal Restrictions Allow for Coverage

Actuarial

Insurability Criteria Requirements Assessment

Market

Societal

The Insurability Framework

?

??

Important Role of Insurers Put a Price Tag on Cyber Risk

Need for Increasing Product Value Lower Deductibles, Higher Caps

Need for More Re-Insurance Capacity Diversification

Need for a Reduction of Ambiguity Towards Cyber Risk Coverage

Industry Data-Sharing to Enhance Systematic LearningIndustry Surveys Help Capture Dynamic Changes

Insurers

Regulators

Outlook

Implications for the Insurance Industry

Increasing Cyber Risk Insurance Demand Expected

Followed by Increasing Availability and Competition

Significant Potential for Future Research

Copyright 2006 John Klossner | www.jklossner.com

Cyber Risk – We’re Talking About Dave

Insurability of Cyber Risk: An Empirical Analysis

Christian Biener, Martin Eling, and Jan Hendrik WirfsUniversity of St. Gallen, Switzerland

Institute of Insurance Economics

IIS 50th Annual Seminar in LondonJune 24, 2014

Berliner, B., 1982, Limits of Insurability of Risks, Englewood Cliffs, NJ: Prentice-Hall.

Betterley, R.S., 2013, Cyber/Privacy Insurance Market Survey 2013: Carriers deepen their risk management services benefits—Insureds grow increasingly concerned with coverage limitations.

Cebula, J.J. and Young, L.R., 2010, A Taxonomy of Operational Cyber Security Risks, Technical Note CMU/SEI-2010-TN-028, Software Engineering Institute, Carnegie Mellon University.

IBM, 2013, The 2013 IMB Cyber Security Intelligence Index, http://www-935.ibm.com/services/us/en/security/infographic/cybersecurityindex.html.

McAfee, 2013, The Economic Impact of Cybercrime and Cyber Espionage.

Munich Re, 2014, 2013 Natural Catastrophe Year in Review.

Ponemon Institute, 2014, 2014 Cost of Data Breach Study: Global Analysis

PWC, 2014, The Global State of Information Security® Survey 2014.

SAS OpRisk Global Data, 2010, http://www.sas.com/resources/product-brief/sas-oprisk-globaldata-brief.pdf.

Swiss Re, 2014, Swiss Re Economic Research and Consulting.

References