Published in: Journal of Cybersecurity, Volume 5, Issue 1 (2019). doi: 10.1093/cybsec/tyz002
Posted on RAND.org on April 30, 2019
Data breaches and security incidents have become commonplace, with thousands occurring each year and some costing hundreds of millions of dollars. Consequently, the market for insuring against these losses has grown rapidly in the past decade. While there exists much theoretical literature about cyber insurance, very little practical information is publicly available about the actual content of the policies and how carriers price cyber insurance premiums. This lack of transparency is especially troubling because insurance carriers are often cited as having the best information about cyber risk, and know how to assess—and differentiate—these risks across firms. In this qualitative research, we examined cyber insurance policies filed with state insurance commissioners and performed thematic (content) analysis to determine (i) what losses cyber insurance policies cover, and which they exclude; (ii) what questions carriers pose to applicants in order to assess risk; and (iii) how cyber insurance premiums are determined—that is, what factors about the firm and its cybersecurity practices are used to compute the premiums. By analyzing these policies, we provide the first-ever systematic qualitative analysis of the underwriting process for cyber insurance and uncover how insurance companies understand and price cyber risks.