The Economic case of CyberInsurance - PowerPoint PPT Presentation

1
The Economic case of Cyber-Insurance
  • Jay P. Kesan, Ruperto P. Majuca, William J.
    Yurcik
  • University of Illinois at Urbana Champaign

By Radhika Kodur Computer Science Dept., USC
2
Contents
  • Economic Arguments.
  • E-Commerce Losses.
  • Expenditure on Cyber insurances and Amount of
    coverage.
  • How Cyberinsurance increases IT safety?
  • Cyberinsurance, Self-Insurance and
    Self-Protection-Relationships.
  • Optimal-Level.
  • How Cyberinsurance increases Social Welfare?
  • Calculating cyber insurance premiums.
  • Potential drawbacks of Cyberinsurance.
  • Solutions to Risk Assessments
  • Conclusion.
  • References.

3
Economic Arguments
  • The Insurance Industry can play a pivotal role
    in securing cyberspace by creating risk transfer
    mechanisms, working with government to increase
    corporate awareness of cyber risks and
    collaborating with leaders in the technology
    industry to promote best practices for network
    security.
  • There are three economic arguments for
    Cyberinsurance (CI):
  • CI results in higher security investment,
    increasing the level of safety for information
    technology infrastructure.
  • CI facilitates standards for best practices to be
    set at socially optimal levels.
  • CI solves a market failure and increases
    societal welfare.

4
E-Commerce Losses
  • E-commerce losses may be:
  • Direct losses from the attack or intrusion.
  • Business interruption (loss of productive time)
    and reputation losses.
  • Third-party liability (damages associated with
    privacy, defamation, etc.).
  • These potential losses are the risks against
    which the firm wants to have coverage.

5
Cyberinsurance
  • Nine insurance coverages:
  • Web content liability.
  • Professional liability.
  • Network security third-party liability.
  • (Intangible/information) property loss.
  • Loss of eRevenue.
  • Cyber-extortion.
  • Cyber-terrorism.
  • Public relations funds.
  • Criminal reward funds.

6
Expenditure on Cyber insurances and Amount of
coverage.
  • Suppose the firm has an income in the good state
    of $I_1^e$
  • and an income in the bad state of $I_0^e$; then
    with probability $P$ of a cyber attack it
    will lose $L^e = I_1^e - I_0^e$.
  • With the purchase of cyber insurance worth $\pi$
    per dollar of cover, the insurer pays $S$ in the
    event of cyber loss.
  • In the bad state, which occurs with probability
    $P$, the firm has a utility associated with its
    income in the good state minus the loss and the
    expenditure for insurance plus the amount the
    insurer will pay in the event of loss, i.e.
  • $U(I_1^e - L^e - \pi S + S)$

7
Expenditure on Cyber insurances and Amount of
coverage.
  • In the good state (with probability $1-P$), the
    firm has utility associated with its income in
    the good state minus the expenditure on insurance,
    i.e. $U(I_1^e - \pi S)$.
  • Hence, the firm purchases the coverage that
    maximizes its expected utility from both the good
    and bad states.
  • $S = \arg\max EU = P\,U(I_1^e - L^e - \pi S + S) + (1-P)\,U(I_1^e - \pi S)$.

8
Expenditure on Cyber insurances and Amount of
coverage.
  • By purchasing insurance coverage of amount $S$, a
    firm moves from E to F.
  • This makes the insured pay $\pi S$ as the
    insurance premium.
  • The firm moves to point E if it has no insurance.
  • Point F, for $\pi = P$, if it has full insurance.
  • Point P, for $\pi > P$, if it has partial insurance.
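
The three cases on this slide can be reproduced numerically. The following is an added example, not code from the presentation or the paper: it assumes a CRRA utility function (the slides leave U unspecified), writes the premium per dollar of cover as `pi`, and uses constructed income, loss and probability figures.

```python
import math

def crra(income, sigma):
    """CRRA utility; an assumed form, since the slides leave U unspecified."""
    if sigma == 1:
        return math.log(income)
    return income ** (1 - sigma) / (1 - sigma)

def expected_utility(S, I1, L, P, pi, sigma):
    bad = I1 - L - pi * S + S   # attack: loss and premium out, payout S in
    good = I1 - pi * S          # no attack: only the premium is paid
    return P * crra(bad, sigma) + (1 - P) * crra(good, sigma)

def optimal_coverage(I1, L, P, pi, sigma, step=1000):
    """Grid-search coverage S in [0, L] for the expected-utility maximum."""
    grid = range(0, int(L) + 1, step)
    return max(grid, key=lambda S: expected_utility(S, I1, L, P, pi, sigma))

def classify(S, L):
    if S == 0:
        return "E (no insurance)"
    return "F (full insurance)" if S >= L else "P (partial insurance)"

if __name__ == "__main__":
    # Constructed firm: income 1,000,000, breach loss 400,000, P = 0.05
    I1, L, P, sigma = 1_000_000, 400_000, 0.05, 2
    for pi in (0.05, 0.08, 0.15):
        S = optimal_coverage(I1, L, P, pi, sigma)
        print(f"pi={pi:.2f}  S={S:>7,}  premium={pi * S:>9,.0f}  point {classify(S, L)}")
```

At the actuarially fair price the firm covers the whole loss; as the price rises above the attack probability, coverage shrinks and eventually drops to zero.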

9
How Cyberinsurance increases IT safety?
  • There are three ways a firm can protect itself
    against damages
  • Self-Protection.
  • Self-Insurance.
  • Out-Sourced insurance i.e. Cyberinsurance.

10
Self-Protection
  • In cyber-security, self-protection may take the
    following forms:
  • Authentication processes.
  • Anti-Virus Software.
  • Firewalls.
  • Virtual private networks.
  • Intrusion detection systems.
  • Vulnerability Scans.
  • System backups.
  • Official Security policies explicitly stating
    unacceptable behaviors.

11
Self-Insurance
  • The following measures reduce the size of a loss
    in a cyber-security case:
  • IT staff who restore data and normal functions.
  • Software backup strategies.
  • Disaster recovery planning.
  • Any investment in or purchase of equipment or
    services that reduces the potential loss.

12
Cyberinsurance, self-Insurance and
Self-Protection-Relationships
  • Cyberinsurance and self-protection are
    complements, i.e. Cyberinsurance increases
    self-protection.
  • Cyberinsurance and self-insurance are
    substitutes, i.e. an increase in expenditures on
    one would decrease the amount spent on the other.
  • Self-insurance decreases self-protection (the
    moral hazard problem).

13
Cyberinsurance, self-Insurance and
Self-Protection.
Figure 2
14
Self-insurance and Cyberinsurance as substitutes.
  • A firm has a choice between self-insurance
    (associated with the bowed-out transformation
    curve) and cyber-insurance (associated with the
    straight lines representing the insurance prices).
  • The transformation curve is bowed-out because of
    the "law of diminishing marginal returns". Each
    additional dollar of good-state income invested
    in self-insurance is less productive than the
    previous dollar invested.

15
Self-insurance and Cyberinsurance as substitutes.
  • Starting at point E, a firm facing an actuarially
    fair price would move from E toward S1 (via
    self-insurance) or from S1 to point F (via
    cyber-insurance).

16
Self-insurance and Cyberinsurance as substitutes.
  • If the insurance prices increase, the firm would
    have self-insurance up to point S2 and
    Cyberinsurance up to F. The distance between S1
    and S2, i.e. A, is an increase in the amount of
    self-insurance. B represents the decrease in the
    amount of cyber-insurance.

17
Optimal-Level
  • Let $P$ be the probability of a cyber-attack,
  • $x$ the amount of precaution,
  • $L$ the monetary value of the loss from a
    cyber-attack,
  • and $W$ the cost of precaution (per dollar unit);
    then
  • the expected social cost equals
  • $SC = Wx + P(x)L$.

18
Optimal-Level
  • In the figure, the socially optimal level $x$ is
    achieved by striking a balance between the gain
    from the additional investment in security and
    the cost associated with extra security.
  • $W = -P'(x)L$
  • (marginal social cost) = (marginal social
    benefit)

19
Implementing Optimal level
  • The optimal level can, in theory, be implemented
    through use of a liability rule under any of the
    following three regimes:
  • No liability regime
  • Strict liability regime
  • Negligence rule

20
Negligence rule
  • In the case of the negligence rule, the optimal
    level of precaution is $x$.
  • When $x_i < x$: forbidden zone (precaution by the
    potential user is deficient, so the injurer is at
    fault).
  • When $x_i > x$: permitted zone (injurer not at
    fault).

21
Negligence rule
  • In cyber-security cases, if both the potential
    injurer and the victim can take precaution, then a
    negligence rule with a legal standard of
    efficient care results in efficient precaution.
  • Example: health care industry.
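
The optimal-level condition and the negligence rule from the preceding slides, worked through numerically. This is an added example, not code from the presentation or the paper: the exponential form of P(x), its parameters, and the cost and loss figures are all assumptions chosen for illustration.

```python
import math

P0, K = 0.30, 2e-5   # assumed: 30% breach probability at x=0, decay per dollar

def attack_probability(x):
    """Assumed P(x) = P0*exp(-K*x): diminishing returns to precaution."""
    return P0 * math.exp(-K * x)

def social_cost(x, W, L):
    return W * x + attack_probability(x) * L          # SC = Wx + P(x)L

def optimal_precaution(W, L, hi=1_000_000, step=100):
    """Precaution level on the grid that minimises expected social cost."""
    return min(range(0, hi + 1, step), key=lambda x: social_cost(x, W, L))

def marginal_benefit(x, L, h=1.0):
    """-P'(x)L, estimated with a central difference."""
    return -(attack_probability(x + h) - attack_probability(x - h)) / (2 * h) * L

def private_cost(x, standard, W, L):
    """Negligence rule: the firm bears the loss only in the forbidden zone."""
    at_fault = x < standard
    return W * x + (attack_probability(x) * L if at_fault else 0.0)

def firm_choice(standard, W, L, hi=1_000_000, step=100):
    """Precaution a cost-minimising firm picks when held to `standard`."""
    return min(range(0, hi + 1, step), key=lambda x: private_cost(x, standard, W, L))

if __name__ == "__main__":
    W, L = 1.0, 2_000_000   # constructed: unit cost of precaution 1, loss 2,000,000
    x_opt = optimal_precaution(W, L)
    print("optimal precaution:", x_opt)
    print("marginal benefit there:", round(marginal_benefit(x_opt, L), 3), "vs W =", W)
    print("firm's choice under negligence:", firm_choice(x_opt, W, L))
```

With the legal standard set at the socially optimal level, the firm's cheapest option is to spend exactly that amount: spending less puts it in the forbidden zone and exposes it to the full expected loss.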

22
How Cyberinsurance increases Social Welfare?
  • The current level of uncertainty under
    traditional policies results in underinvestment
    in insurance, and results in an insufficient
    amount of profits and an insufficient level of
    risk sharing throughout society.
  • The absence of a market for bearing new internet
    risks lowers the welfare of those who find it
    advantageous to transfer those risks. Hence, the
    creation of Cyberinsurance solves a market
    failure and results in higher welfare for
    society.
  • The amount of welfare gains associated with the
    introduction of Cyberinsurance can be calculated
    in dollar terms for varying levels of risk
    aversion and the probability of a cyber-attack
    occurring.
  • A dollar estimate of Cyberinsurance welfare gains
    can be made by comparing the market value of
    income in the no-Cyberinsurance era to that in
    the with-Cyberinsurance era.

23
General Methodology for Measuring Welfare gains
from Cyberinsurance.
  • The firm starts at point E (without
    Cyberinsurance) and is associated with a lower
    indifference curve.
  • The firm can go up to point F by buying cyber
    insurance at the price $\pi$ per dollar of cover.
  • In the above situation, the firms pay the
    insurer for the coverage and, if the attack
    occurs, the Cyberinsurer pays the insured.
  • AB is the measurement of welfare change (the
    difference between the y-axis intercepts of the
    budget lines tangent to those level curves).

24
General Methodology for Measuring Welfare gains
from Cyberinsurance.
  • Get data on good income ($I_1^e$) and bad income
    ($I_0^e$) states.
  • Get data on $P$ (the probability of an attack) and
    $\pi$ (premium per dollar of cover), and calculate
    A. A is assumed to be actuarially fair premium.
  • Assume a particular parametric form of the
    utility function, and then calculate U. Also,
    calculate the gains for varying levels of the risk
    aversion coefficient.
  • risk aversion coefficient
  • Calculate I.
  • Calculate B and subtract from A, and the result
    is the welfare gains.

25
Example
26
(No Transcript)
27
(No Transcript)
28
Calculating cyber insurance premiums
  • In this paper, the total premium that the insured
    would be willing to pay at varying levels of risk
    aversion and attack probabilities is calculated
    by the Cochrane (1997) theories.
  • The premiums can be calculated as
  • $(I_m - \pi)^{1-\sigma} = P\,(I_0^e)^{1-\sigma} + (1-P)\,(I_1^e)^{1-\sigma}$
  • where $I_m = P\,I_0^e + (1-P)\,I_1^e$
  • $\pi = I_m - \left[P\,(I_0^e)^{1-\sigma} + (1-P)\,(I_1^e)^{1-\sigma}\right]^{1/(1-\sigma)}$
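
The premium formula on this slide, evaluated over a grid of risk-aversion coefficients and attack probabilities. This is an added example, not code from the presentation or the paper: the income figures are constructed, and the logarithmic case for a coefficient of exactly 1 is the standard limit of the power form rather than something the slide states.

```python
import math

def mean_income(I0, I1, P):
    """I_m = P*I0 + (1-P)*I1, the expected income without insurance."""
    return P * I0 + (1 - P) * I1

def certainty_equivalent(I0, I1, P, sigma):
    """Sure income giving the same expected utility as the risky one."""
    if sigma == 1:                       # limit of the power form (log utility)
        return math.exp(P * math.log(I0) + (1 - P) * math.log(I1))
    e = 1 - sigma
    return (P * I0 ** e + (1 - P) * I1 ** e) ** (1 / e)

def premium(I0, I1, P, sigma):
    """pi = I_m - [P*I0^(1-sigma) + (1-P)*I1^(1-sigma)]^(1/(1-sigma))."""
    return mean_income(I0, I1, P) - certainty_equivalent(I0, I1, P, sigma)

def premium_table(I0, I1, probs, sigmas):
    """Premiums keyed by (attack probability, risk-aversion coefficient)."""
    return {(P, s): round(premium(I0, I1, P, s), 2) for P in probs for s in sigmas}

if __name__ == "__main__":
    # Constructed firm: bad-state income 600,000, good-state income 1,000,000
    I0, I1 = 600_000, 1_000_000
    probs, sigmas = (0.01, 0.05, 0.10), (0.5, 1, 2, 4)
    table = premium_table(I0, I1, probs, sigmas)
    print("P \\ sigma " + "".join(f"{s:>12}" for s in sigmas))
    for P in probs:
        print(f"{P:<10}" + "".join(f"{table[(P, s)]:>12,.2f}" for s in sigmas))
```

A risk-neutral firm (coefficient 0) gets a premium of zero from this formula; the figure grows with both the coefficient and, over this range, the attack probability.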

29
Premiums , welfare gains
30
Potential drawbacks of Cyberinsurance
  • High cost: premiums can range from 5000 -
    60,000 per 1 Million of coverage, making it
    beyond reach for small and middle-sized
    companies.
  • Underwriting qualifications lack standardization
    and remain complex and time-consuming.
  • Scant precedent: absence of decades of
    information.
  • Uncertainty and lack of actuarial or event data
    for all types of losses present problems
    associated with calculation of risks and premium
    pricing.
  • It takes both time and stability to develop the
    statistical data for actuarial data tables.
  • New ventures are developed at a very fast pace,
    flaws in software change dynamically, and new
    attacks are released daily. Future risks are
    unknown as both hacking and anti-hacking
    technology are getting better.

31
Solutions to Risk Assessments
  • Partnering of insurance providers with security
    service providers.
  • Co-ordination of regulations and standardization
    of the policies for cyber-breach-related
    coverages. Help of the National Association of
    Insurance Commissioners (NAIC) can be taken.
  • In Oct, 2001 the CIPB (Critical Infrastructure
    Protection Board) was established by President
    Bush. It was partnered with insurers to pool the
    data existing in insurance and government
    departments for developing the actuarial tables.
  • Cyberinsurance institute has found two non-profit
    organizations (RAND and CERT) which are at the
    forefront on insurance standards, developing
    methods for assessment of threats and
    vulnerabilities.
  • The federal government should make adoption of
    Cyberinsurance compulsory for cyber-activities.

32
My Conclusion
  • Yes, the advent of the internet has brought so
    many new e-risks that traditional insurance
    fails to cover. The creation of new insurance
    products like Cyberinsurance should result in
    better IT security.

33
References
  • http://infosecon.net/workshop/pdf/42.pdf
  • http://209.87.231.94/Business_Services/Insurance/Cyber_Insurance.html
  • www.financialexpress.com