Title: The County Fair Cyber Loss Distribution: Drawing Inferences from Insurance Prices
The actuarially fair insurance premium reflects the expected loss for each insured. Given the dearth of cyber security loss data, market premiums could shed light on the true magnitude of cyber losses despite noise from factors unrelated to losses. To that end, we extract cyber insurance pricing information from the regulatory filings of 26 insurers. We provide empirical observations on how premiums vary by coverage type, amount, policyholder type, and over time. A method using Particle Swarm Optimization is introduced to iterate through candidate parameterized distributions with the goal of reducing error in predicting observed prices. We then aggregate the inferred loss models across 6,828 observed prices from all 26 insurers to derive the County Fair Cyber Loss Distribution. We demonstrate its value in decision support by applying it to a theoretical retail firm with annual revenue of $50M. The results suggest that the expected cyber liability loss is $428K, and that the firm faces a 2.3% chance of experiencing a cyber liability loss between $100K and $10M each year. The method could help organizations better manage cyber risk, regardless of whether they purchase insurance.
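The abstract describes the inference in one sentence: assume the premium is an expected-loss quantity (the expected value premium principle named in the journal version below), pick a parameterized loss distribution, and let a particle swarm search its parameters to minimize the error against observed prices. The following is an added, self-contained example of that loop; it is not the paper's code and does not reproduce the paper's dataset or its $428K / 2.3% figures. Everything beyond the abstract is an assumption labelled in the code: a Poisson incident frequency lam with LogNormal(mu, sigma) per-incident severity, a premium of (1 + LOADING) times the expected limited annual loss with a loading the analyst knows, and a constructed price schedule OBSERVED manufactured from a "true" model so the fit can be checked against a known answer. The functions norm_cdf, lev_lognormal, fair_premium, pricing_error, pso_fit, loss_metrics and infer_loss_model are this example's own names.

```python
"""Infer a cyber loss distribution from insurance prices with particle swarm optimization.

Added example, not the paper's code. Assumptions (all labelled):
  * Expected value premium principle: premium = (1 + LOADING) * lam * E[min(X, limit)],
    where lam is the annual incident frequency (Poisson) and X ~ LogNormal(mu, sigma)
    is the per-incident liability loss.
  * The expense/profit loading LOADING is known to the analyst.
  * OBSERVED is a constructed price schedule, not data from any insurer's filing.
"""
import math
import random

LOADING = 0.35  # assumed loading over expected loss (expenses, profit, risk margin)

# Constructed "true" model, used only to manufacture the sample price schedule below.
TRUE_LAM, TRUE_MU, TRUE_SIGMA = 0.08, math.log(120_000), 1.4


def norm_cdf(z):
    """Standard normal CDF via erf (no numpy/scipy dependency)."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def lev_lognormal(mu, sigma, limit):
    """E[min(X, limit)] for X ~ LogNormal(mu, sigma): the closed-form limited expected value."""
    if limit <= 0:
        return 0.0
    k = math.log(limit)
    mean = math.exp(mu + 0.5 * sigma * sigma)
    return mean * norm_cdf((k - mu - sigma * sigma) / sigma) + limit * (1.0 - norm_cdf((k - mu) / sigma))


def fair_premium(lam, mu, sigma, limit, loading=LOADING):
    """Premium under the expected value principle for a policy with a per-incident limit."""
    return (1.0 + loading) * lam * lev_lognormal(mu, sigma, limit)


# Constructed observations: (policy limit in $, annual premium in $), rounded to whole dollars.
LIMITS = [100_000, 250_000, 500_000, 1_000_000, 2_000_000, 5_000_000, 10_000_000]
OBSERVED = [(u, round(fair_premium(TRUE_LAM, TRUE_MU, TRUE_SIGMA, u))) for u in LIMITS]


def pricing_error(params, observed, loading=LOADING):
    """Sum of squared log-ratio errors between predicted and observed premiums."""
    lam, mu, sigma = params
    return sum((math.log(fair_premium(lam, mu, sigma, u, loading)) - math.log(p)) ** 2
               for u, p in observed)


def pso_fit(observed, bounds, n_particles=50, n_iter=400, seed=7):
    """Global search over (lam, mu, sigma) with a standard constriction-coefficient PSO."""
    rng = random.Random(seed)
    dim = len(bounds)
    pos = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(n_particles)]
    vel = [[0.0] * dim for _ in range(n_particles)]
    pbest = [p[:] for p in pos]
    pbest_val = [pricing_error(p, observed) for p in pos]
    g = min(range(n_particles), key=pbest_val.__getitem__)
    gbest, gbest_val = pbest[g][:], pbest_val[g]
    w, c1, c2 = 0.729, 1.494, 1.494  # Clerc-Kennedy constriction parameters
    for _ in range(n_iter):
        for i in range(n_particles):
            for d in range(dim):
                r1, r2 = rng.random(), rng.random()
                vel[i][d] = (w * vel[i][d] + c1 * r1 * (pbest[i][d] - pos[i][d])
                             + c2 * r2 * (gbest[d] - pos[i][d]))
                lo, hi = bounds[d]
                pos[i][d] = min(max(pos[i][d] + vel[i][d], lo), hi)  # clamp to the search box
            val = pricing_error(pos[i], observed)
            if val < pbest_val[i]:
                pbest[i], pbest_val[i] = pos[i][:], val
                if val < gbest_val:
                    gbest, gbest_val = pos[i][:], val
    return gbest, gbest_val


def loss_metrics(lam, mu, sigma, lo, hi):
    """Expected annual loss and P(at least one incident in a year with lo < X < hi)."""
    expected_annual = lam * math.exp(mu + 0.5 * sigma * sigma)
    p_band = norm_cdf((math.log(hi) - mu) / sigma) - norm_cdf((math.log(lo) - mu) / sigma)
    return expected_annual, 1.0 - math.exp(-lam * p_band)  # Poisson thinning


def infer_loss_model(observed=OBSERVED):
    """Fit the loss model to a price schedule and report decision-support quantities."""
    bounds = [(0.005, 1.0), (math.log(1_000), math.log(10_000_000)), (0.2, 3.0)]
    (lam, mu, sigma), err = pso_fit(observed, bounds)
    expected_annual, p_band = loss_metrics(lam, mu, sigma, 100_000, 10_000_000)
    return {"lam": lam, "mu": mu, "sigma": sigma, "error": err,
            "expected_annual_loss": expected_annual, "p_loss_100k_to_10m": p_band}


if __name__ == "__main__":
    fit = infer_loss_model()
    print(f"fit error {fit['error']:.2e}; lam={fit['lam']:.3f} mu={fit['mu']:.2f} sigma={fit['sigma']:.2f}")
    print(f"expected annual loss ${fit['expected_annual_loss']:,.0f}; "
          f"P(loss in $100K-$10M) = {fit['p_loss_100k_to_10m']:.1%}")
```

Two practitioner caveats the abstract already hints at. First, the loading is not observable from price alone, so lam and LOADING are confounded: a schedule generated with loading 0.35 fits equally well with loading 0 and a frequency 1.35 times higher, which is why the expected-loss estimate is only as good as the assumed loading. Second, real filings carry noise from underwriting factors unrelated to loss, so the fit error will not approach zero as it does on this constructed schedule; compare candidate distribution families on held-out limits rather than on in-sample error.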
Award ID(s):
1652610
NSF-PAR ID:
10098668
Author(s) / Creator(s):
Date Published:
Journal Name:
Workshop on the Economics of Information Security
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Insurance premiums reflect expectations about the future losses of each insured. Given the dearth of cyber security loss data, market premiums could shed light on the true magnitude of cyber losses despite noise from factors unrelated to losses. To that end, we extract cyber insurance pricing information from the regulatory filings of 26 insurers. We provide empirical observations on how premiums vary by coverage type, amount, and policyholder type and over time. A method using particle swarm optimisation and the expected value premium principle is introduced to iterate through candidate parameterised distributions with the goal of reducing error in predicting observed prices. We then aggregate the inferred loss models across 6,828 observed prices from all 26 insurers to derive the County Fair Cyber Loss Distribution. We demonstrate its value in decision support by applying it to a theoretical retail firm with annual revenue of $50M. The results suggest that the expected cyber liability loss is $428K and that the firm faces a 2.3% chance of experiencing a cyber liability loss between $100K and $10M each year. The method and resulting estimates could help organisations better manage cyber risk, regardless of whether they purchase insurance.
  2. Service liability interconnections among networked IT and IoT-driven service organizations create potential channels for cascading service disruptions due to modern cybercrimes such as DDoS, APT, and ransomware attacks. These attacks are known to inflict cascading catastrophic service disruptions worth billions of dollars across organizations and critical infrastructure around the globe. Cyber-insurance is a risk management mechanism that is gaining increasing industry popularity to cover client (organization) risks after a cyber-attack. However, there is a certain likelihood that the nature of a successful attack is of such magnitude that an organizational client's insurance provider is not able to cover the multi-party aggregate losses incurred upon itself by its clients and their descendants in the supply chain, thereby needing to re-insure itself via other cyber-insurance firms. To this end, one question worth investigating in the first place is whether an ecosystem comprising a set of profit-minded cyber-insurance companies, each capable of providing re-insurance services for a service-networked IT environment, is economically feasible to cover the aggregate cyber-losses arising due to a cyber-attack. Our study focuses on an empirically interesting case of extreme heavy tailed cyber-risk distributions that might be presenting themselves to cyber-insurance firms in the modern Internet age in the form of catastrophic service disruptions, and could be a possible standard risk distribution to deal with in the near IoT age. Surprisingly, as a negative result for society in the event of such catastrophes, we prove via a game-theoretic analysis that it may not be economically incentive compatible, even under i.i.d. statistical conditions on catastrophic cyber-risk distributions, for limited liability-taking risk-averse cyber-insurance companies to offer cyber re-insurance solutions despite the existence of large enough market capacity to achieve full cyber-risk sharing. However, our analysis theoretically endorses the popular opinion that spreading i.i.d. cyber-risks that are not catastrophic is an effective practice for aggregate cyber-risk managers, a result established theoretically and empirically in the past. A failure to achieve a working re-insurance market in critically demanding situations after catastrophic cyber-risk events strongly calls for centralized government regulatory action/intervention to promote risk sharing through re-insurance activities for the benefit of service-networked societies in the IoT age.
  3. With the rapid adoption of web services, the need to protect against various threats has become imperative for organizations operating in cyberspace. Organizations are increasingly opting to get financial cover in the event of losses due to a security incident. This helps them safeguard against the threat posed to third-party services that the organization uses. It is in the organization's interest to understand the insurance requirements and procure all necessary direct and liability coverages. This helps transfer some risks to the insurance providers. However, cyber insurance policies often list details about coverages and exclusions using legalese that can be difficult to comprehend. Currently, it takes a significant manual effort to parse and extract knowledgeable rules from these lengthy and complicated policy documents. We have developed a semantically rich machine processable framework to automatically analyze cyber insurance policy and populate a knowledge graph that efficiently captures various inclusion and exclusion terms and rules embedded in the policy. In this paper, we describe this framework that has been built using technologies from AI, including Semantic Web, Modal/Deontic Logic, and Natural Language Processing. We have validated our approach using industry standards proposed by the United States Federal Trade Commission (FTC) and applying it against publicly available policies of 7 cyber insurance vendors. Our system will enable cyber insurance seekers to automatically analyze various policy documents and make a well-informed decision by identifying its inclusions and exclusions.
  4. We develop a computational framework for the stochastic and dynamic modeling of regional natural catastrophe losses with an insurance industry to support government decision-making for hurricane risk management. The analysis captures the temporal changes in the building inventory due to the acquisition (buyouts) of high-risk properties and the vulnerability of the building stock due to retrofit mitigation decisions. The system is comprised of a set of interacting models to (1) simulate hazard events; (2) estimate regional hurricane-induced losses from each hazard event based on an evolving building inventory; (3) capture acquisition offer acceptance, retrofit implementation, and insurance purchase behaviors of homeowners; and (4) represent an insurance market sensitive to demand with strategically interrelated primary insurers. This framework is linked to a simulation-optimization model to optimize decision-making by a government entity whose objective is to minimize region-wide hurricane losses. We examine the effect of different policies on homeowner mitigation, insurance take-up rate, insurer profit, and solvency in a case study using data for eastern North Carolina. Our findings indicate that an approach that coordinates insurance, retrofits, and acquisition of high-risk properties effectively reduces total (uninsured and insured) losses.
  5. Cyber insurance, like other types of insurance, is a method of risk transfer, where the insured pays a premium in exchange for coverage in the event of a loss. As a result of the reduced risk for the insured and the lack of information on the insurer's side, the insured is generally inclined to lower its effort, leading to a worse state of security, a common phenomenon known as moral hazard. To mitigate moral hazard, a widely employed concept is premium discrimination, i.e., an agent/insured who exerts higher effort pays less premium. This, however, relies on the insurer's ability to assess the effort exerted by the insured. In this paper, we study two methods of premium discrimination that rely on two different types of assessment: pre-screening and post-screening. Pre-screening occurs before the insured enters into a contract and can be done at the beginning of each contract period; the result of this process gives the insurer an estimated risk on the insured, which then determines the contract terms. The post-screening mechanism involves at least two contract periods whereby the second-period premium is increased if a loss event occurs during the first period. Prior work shows that both pre-screening and post-screening are generally effective in mitigating moral hazard and increasing the insured's effort. The analysis in this study shows, however, that the conclusion becomes more nuanced when loss events are rare. Specifically, we show that post-screening is not effective at all with rare losses, while pre-screening can be an effective method when the agent perceives them as rarer than the insurer does; in this case pre-screening improves both the agent's effort level and the insurer's profit.