Full Title of Reference
Rainer Bohme, Cyber-Insurance Revisited, Internet Security Alliance (2005). Web
Cyber-insurance is considered as appropriate means to absorb financial losses caused by computer security breaches. Since insurance markets at the same time create incentives to construct more secure systems, they are regarded as particularly desirable tools. However, this paper argues that the typical market structure in IT businesses may thwart the formation of a proper insurance market for cyber-risks: The worldwide dominance of a few system platforms leads to correlated losses, which require premium surcharges and are thus hard to insure. This paper refers to an indemnity insurance model to evaluate the conditions under which coverage for cyber-risks can be granted despite monocultures of installed platforms. Different premiums for users of dominant and alternative platforms are also addressed. Acting as a counterweight to the market leader's strong economies of scale, a cost advantage for users of less widespread platforms could foster a more balanced market structure.
Cybersecurity is primarily a problem of incentives. All kinds of technical solutions exist to solve security issues, but due to a lack of incentives, these solutions are not employed enough. Computer security requires the consideration of both technical means as well as economic principles.
Economist Hal Varian identiﬁes the situation of responsibility attribution as the main source of weak security. He argues that, in a ﬁrst step, liability for losses due to security breaches should be transferred to the party who could reduce the risk most easily. Accordingly, manufacturers would be liable for vulnerabilities in their products, but also network nodes—up to the end user— could be called to account if they do not comply with their maintenance duties. Cyber-risks should be made transferable, so that parties can buy insurance coverage against possible losses. Insurance companies are likely to differentiate premiums according to different classes of risk, which creates concrete incentives to invest in secure technology.
The case for cyber-insurance
With insurance it becomes possible to express the value (not the cost!) of security measures in monetary metrics. Further implications, such as comparability and the ability to apply well-understood decision methods, are corollaries of this improved quantiﬁcation. This avoids over-spending up to military level and simultaneously reduces the usage of poorly designed and thus inefficient solutions, which are widely in used out of irrational reasons (subjective feeling of security, visibility of security).
Insecure software products are underpriced by the market and reveal their true costs in terms of negative externalities. Thus, network security appears to have properties of a public good: Insecure nodes not only risk the sanity of their own systems, but also compromise the security of all users, for instance by spreading worms unintentionally and by irresponsibly tolerating distributed attacks from their computers. Since these public costs are not attributed to the responsible parties, individuals have no incentive to upgrade the security of their systems.
Focus of this paper
Cyber-insurances are quite useful to tackle information security risks. However, most literature focuses on the perspective of individual insurance holders. This paper, on the contrary, analyzes the situation from the perspective of insurance companies that have to bear the entirety of risks, with special regard to the particular market structure of the IT industry.
Principles of Insurance
An insurance contract (policy ) binds an insurance company in the occurrence of contractually defined loss events to pay a specified amount (claim ) to the insurance holder. In return, the insurance holder pays a ﬁxed sum (premium ) to the insurance company. Since claim amounts usually depend on the dimension of losses, insurance companies oﬀer uncertain future payoffs for a certain premium at present. This constellation generates three interesting phenomena studied in the literature: adverse selection (bad risks are more likely to demand coverage than good ones), moral hazard (insurance holders behave careless as they do not have to bear the losses), and calculation of premiums.
Takeaways and Implications From the Paper's Analysis
The economic perspective to information security in general, and the idea of cyber-risk insurance in particular, are promising approaches to identify and tackle current security issues, leading to a reliable communication infrastructure for the information society. This paper—as well as many others—attempts to point out that proven concepts from “oﬄine economics” do not always apply seamlessly to “online economics”. We show in particular that losses generated by security breaches must not be treated in the same way as traditional indemnity insurance risks, because the structure of today’s installed computer systems produces unwanted correlation of claims.
The emerging of an insurance market for cyber-risks is presumed to have a number of positive consequences, although an ultimate evaluation of the expected effects on welfare and growth are suggested to be subject to future research: (1) improved quantification of the security value of technical measures; (2) additional incentives to run current systems more securely and to develop ever more secure systems; (3) motivation to innovate for suppliers of alternative solutions due to reduced indirect costs. However, before these desirable consequences come into eﬀect, a number of preconditions have to be fulfilled. First, a binding regulation of the responsibility and liability for security breaches is a key element for the development of a wide market for cyber-insurance . Second, the analysis in this paper shows that coverage for a large part of the market cannot be supplied because of correlated claims due to the market structures in the IT industry.
A careful interpretation of the preliminary ﬁndings suggests that correlation of claims may indeed hinder the development of a mature market for cyber- insurance. Policies attempting to support cyber-insurance should simultaneously consider supporting a diversity of systems. Regulatory interventions, such as compulsory insurance, even if limited to certain segments, imply a change to the existing market mechanisms and could eventually lead to a shift in market structure.