Content Analysis of Cyber Insurance Policies: How Do Carriers Write Policies and Price Cyber Risk?

Posted: 10 Mar 2017  

Sasha Romanosky

RAND Corporation; Carnegie Mellon University - Heinz College of Information Systems and Public Policy

Lilian Ablon

RAND Corporation

Andreas Kuehn

RAND Corporation

Therese Jones

RAND Corporation

Date Written: March 7, 2017

Abstract

Cyber insurance is a broad term for insurance policies that address first- and third-party losses resulting from a computer-based attack on, or a malfunction of, a firm’s information technology systems. For example, one carrier’s policy defines computer attacks as, “A hacking event or other instance of an unauthorized person gaining access to the computer system, [an] attack against the system by a virus or other malware, or [a] denial of service attack against the insured’s system.”

Despite the strong growth of the cyber insurance market over the past decade, insurance carriers still face a number of key challenges: how to develop competitive policies that cover common losses but also exclude risky events; how to assess the variation in risk across potential insureds; and how to translate this variation into an appropriate pricing schedule.

In this research paper, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting over 100 full insurance policies, we examine the composition and variation across three primary components: the coverage and exclusions of first- and third-party losses, which define what is and is not covered; the security application questionnaires, which are used to help assess an applicant’s security posture; and the rate schedules, which define the algorithms used to compute premiums.

Overall, our research shows a much greater consistency among the loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only 5 policies, all coverage topics had been identified, and it took only 13 policies to capture all exclusion topics. However, while each policy may include the commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage. The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. For example, our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, information about the security posture of third-party service and supply-chain providers is notoriously difficult to assess properly (despite numerous breaches originating from such compromises).

In regard to the rate schedules, we found a surprising variation in the sophistication of the equations and metrics used to price premiums. Many of the policies examined used very simple, flat-rate pricing (based simply on expected loss), while others incorporated more parameters such as the firm’s asset value (or firm revenue), standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also incorporated specific information security controls and practices, as collected from the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.
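To make the contrast in the preceding paragraph concrete, the following Python sketch is an added example and is not taken from the paper or from any carrier's actual rate schedule. It places the flat-rate style (expected loss times a load) beside a parameterized schedule that multiplies a base rate by revenue, industry, limit, retention and coinsurance factors and then applies a capped credit for controls confirmed on the security questionnaire. Every table, factor value, credit value and the sample applicant are constructed assumptions chosen only to show how such parameters combine.

```python
"""Illustrative cyber-insurance rating schedule.

Added example, not taken from the paper: all factor tables, credit values
and the sample applicant are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Applicant:
    expected_loss: float          # carrier's estimate of annual expected loss (USD)
    revenue: float                # annual revenue (USD), standing in for asset value
    industry: str                 # key into INDUSTRY_FACTOR
    limit: float                  # policy limit (USD), must be an offered limit
    retention: float              # deductible / retention (USD), must be an offered level
    coinsurance: float            # share of each loss kept by the insured, 0.0 <= x < 1.0
    controls: dict = field(default_factory=dict)  # questionnaire answers: control -> bool


# --- Style 1: flat-rate pricing ---------------------------------------------
def flat_rate_premium(app: Applicant, load: float = 1.25) -> float:
    """Premium is simply expected loss times a fixed expense-and-profit load."""
    return round(app.expected_loss * load, 2)


# --- Style 2: parameterized schedule ----------------------------------------
# Hypothetical premium at the base limit and retention, revenue <= $10M, industry "other".
BASE_RATE = 2500.0

REVENUE_BANDS = [            # (upper bound of band in USD, factor); hypothetical
    (10e6, 1.0), (100e6, 1.5), (1e9, 2.5), (float("inf"), 4.0)]
INDUSTRY_FACTOR = {"retail": 1.2, "healthcare": 1.4, "manufacturing": 0.9, "other": 1.0}
LIMIT_FACTOR = {1e6: 1.0, 2e6: 1.6, 5e6: 2.8, 10e6: 4.0}          # offered limits only
RETENTION_FACTOR = {10e3: 1.1, 25e3: 1.0, 50e3: 0.9, 100e3: 0.8}  # higher retention, lower premium
CONTROL_CREDITS = {          # premium credit per control confirmed on the questionnaire
    "mfa": 0.05,
    "encryption_at_rest": 0.05,
    "incident_response_plan": 0.03,
    "vendor_risk_program": 0.05,   # third-party / supply-chain posture question
}
MAX_CONTROL_CREDIT = 0.15    # credits are capped so controls cannot zero out the premium


def revenue_factor(revenue: float) -> float:
    """Look up the factor for the first revenue band the applicant falls into."""
    for upper, factor in REVENUE_BANDS:
        if revenue <= upper:
            return factor
    raise ValueError("revenue outside all bands")  # unreachable: last band is unbounded


def control_credit(controls: dict) -> float:
    """Sum the credits for controls answered True, capped at MAX_CONTROL_CREDIT."""
    credit = sum(c for name, c in CONTROL_CREDITS.items() if controls.get(name, False))
    return min(credit, MAX_CONTROL_CREDIT)


def parameterized_premium(app: Applicant) -> float:
    """Multiply the base rate by each schedule factor in turn."""
    if app.industry not in INDUSTRY_FACTOR:
        raise ValueError(f"unknown industry class: {app.industry!r}")
    if app.limit not in LIMIT_FACTOR:
        raise ValueError(f"limit {app.limit} is not an offered limit")
    if app.retention not in RETENTION_FACTOR:
        raise ValueError(f"retention {app.retention} is not an offered level")
    if not 0.0 <= app.coinsurance < 1.0:
        raise ValueError("coinsurance must be in [0, 1)")
    premium = BASE_RATE
    for factor in (
        revenue_factor(app.revenue),
        INDUSTRY_FACTOR[app.industry],
        LIMIT_FACTOR[app.limit],
        RETENTION_FACTOR[app.retention],
        1.0 - app.coinsurance,                 # insured keeps a share of each loss
        1.0 - control_credit(app.controls),    # questionnaire-driven credit
    ):
        premium *= factor
    return round(premium, 2)


def sample_applicant() -> Applicant:
    """Constructed sample applicant (not real data)."""
    return Applicant(
        expected_loss=3000.0, revenue=50e6, industry="retail",
        limit=2e6, retention=50e3, coinsurance=0.1,
        controls={"mfa": True, "encryption_at_rest": True,
                  "incident_response_plan": False, "vendor_risk_program": False},
    )


if __name__ == "__main__":
    app = sample_applicant()
    print("flat rate:     ", flat_rate_premium(app))
    print("parameterized: ", parameterized_premium(app))
```

The two functions give quite different answers for the same applicant, which is the point: under the flat-rate style the questionnaire has no effect on price at all, whereas under the parameterized schedule a confirmed control changes the premium by a fixed, capped percentage, so the carrier's choice of schedule decides whether the questionnaire is a pricing input or only an underwriting screen.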

Keywords: Cyber Insurance, Cyber Liability, Pricing Cyber Risk

Suggested Citation

Romanosky, Sasha and Ablon, Lilian and Kuehn, Andreas and Jones, Therese, Content Analysis of Cyber Insurance Policies: How Do Carriers Write Policies and Price Cyber Risk? (March 7, 2017). Available at SSRN: https://ssrn.com/abstract=2929137

Sasha Romanosky (Contact Author)

RAND Corporation

1776 Main Street
P.O. Box 2138
Santa Monica, CA 90407-2138
United States

Carnegie Mellon University - Heinz College of Information Systems and Public Policy

Pittsburgh, PA 15213-3890
United States

Lilian Ablon

RAND Corporation

1776 Main Street
P.O. Box 2138
Santa Monica, CA 90407-2138
United States

Andreas Kuehn

RAND Corporation

1776 Main Street
P.O. Box 2138
Santa Monica, CA 90407-2138
United States

Therese Jones

RAND Corporation

1776 Main Street
P.O. Box 2138
Santa Monica, CA 90407-2138
United States
