Cyber Insurance and Post-Breach Services: A Normative Analysis

Published Online: https://doi.org/10.1287/serv.2021.0120

Abstract

Cyber insurance is becoming an essential tool for managing cybersecurity risks. In this study, we analyze how having the option to subscribe to cyber insurance services affects firms’ risk prevention and mitigation decisions. We model the scenario where the firm purchases cyber insurance in a competitive insurance market and compare it against the case when it does not purchase cyber insurance. When there is a breach, cyber insurance can help cover mitigation expenses and breach losses. Consistent with the prior literature, we find that in most cases cyber insurance exacerbates ex ante moral hazard by decreasing expected risk prevention. However, it enhances ex post efforts by increasing expected risk mitigation, which can lead to more positive outcomes for the insured firm. The mechanism involves designing the contract with a delicate calibration of the coverage of breach losses and the coinsurance rate. Moreover, the findings highlight the importance of a healthy risk mitigation service market in managing cybersecurity risks.

Funding: This research was supported in part by the Hong Kong SAR General Research Fund project [16502417].

Supplemental Material: The e-companion is available at https://doi.org/10.1287/serv.2021.0120.

1. Introduction

According to GlobalData, worldwide spending on cybersecurity is expected to top $198 billion in 2025 from $125.5 billion in 2020.1 As cyber-attacks continue to evolve, firms use a multitude of security countermeasures to address cybersecurity risks. Cyber insurance has emerged as an alternative risk management measure that sees strong growth in demand (Trice and Rupawala 2020). The global cyber insurance market was valued at $5.95 billion in 2019 and is projected to reach $32.47 billion by 2027, growing at an annual rate of 23.76% from 2020 to 2027 (Verified Market Research 2020). The U.S. market alone was estimated to be $2.26 billion in 2019 (Laux et al. 2020), offering an estimated 2,000 to 3,000 types of cyber insurance policies that cover a wide variety of services to mitigate cybersecurity risks, such as data compromise responses, systems recovery, cyber extortion, and public relations services (Romanosky et al. 2019).

Cyber insurance has been used to contain firms’ losses from cybersecurity attacks or security breach incidents in terms of first-party losses and third-party liability. For example, Capital One suffered a massive data breach affecting 100 million individuals in the summer of 2019. The company had $400 million of cyber insurance coverage, with a $10 million deductible. It eventually suffered a significantly reduced data breach cost in the low $100 million range after receiving the cyber insurance compensation that primarily covered customer support and legal support (Evans 2019, Surane and Nguyen 2019).

To appreciate the merits of cyber insurance, we must analyze its compatibility and interaction with other cybersecurity investment decisions. As demonstrated by countless real-world incidents, a firm’s decisions on cybersecurity are not restricted to ex ante breach incident prevention; ex post breach incident mitigation is an important step in minimizing the impact of a security breach.2 Because ex post breach handling efforts are difficult to plan, firms often subscribe to such services from other service vendors, and the spending is then reimbursed by cyber insurance. In the Capital One incident, the company’s vulnerability disclosure program detected the breach soon after it occurred (12 days compared with the average of 297 days in other security breach incidents), allowing the company to react to the incident swiftly (Otto 2019). The interaction between cyber insurance and a firm’s ex ante risk prevention effort and ex post risk mitigation effort is an important area of study, which is the focus of this research.

Similar to other types of insurance, cyber insurance could introduce ex ante moral hazard (Dou et al. 2020) because the insured firm might increase risk-taking actions (especially in risk prevention) with the knowledge that mitigation expenses and breach losses would be (fully or partially) compensated by the insurer, who might not always be able to observe the firm’s actions. However, previous studies have reached mixed conclusions about the influence of cyber insurance on a firm’s risk prevention effort (Gordon et al. 2003a, Bolot and Lelarge 2008).

Even less research has been conducted to connect how cyber insurance affects a firm’s risk mitigation efforts after a breach. In the economics literature, Ehrlich and Becker (1972) distinguished the insured’s action to reduce the size of loss (“self-insurance”) from the action to reduce the probability of loss (“self-protection”).3 For example, a sprinkler system serves as a self-insurance measure because it reduces the loss from fire. In contrast, a burglar alarm is a self-protection measure because it prevents illegal entries. Ehrlich and Becker (1972) found that insurance underwritten by external parties (“market insurance”) tends to substitute self-insurance, but it complements self-protection if the probability of loss is large. Self-insurance is a form of risk mitigation because it reduces the severity of an incident.

However, in this stream of economics research, the models are typically characterized by a single-period game in which the cost of self-insurance is incurred before the incident. Such single-period analysis fits settings where the options for post-event mitigation are limited. For example, sprinkler systems and fire engines are often the dominant options to mitigate the damage due to a fire. Banks mostly engage armed security guards to mitigate the potential losses in a robbery. In healthcare, even after purchasing insurance, patients face limited choices after being diagnosed with a disease. They mostly have to follow the treatment paths prescribed by the attending physicians. In these and many other similar settings where the number of post-event mitigation options is limited, it is reasonable to assume the decision maker would plan for the ex ante prevention and ex post mitigation efforts simultaneously.

Post-event mitigation is more nuanced in cyberspace. Cyber-attack victims often play a heavy role themselves and can work concomitantly with third-party organizations in shaping the security breach outcomes (Katyal 2001). For example, in a distributed denial of service (DDoS) attack, the victim could deploy its own security operations center staff to stop traffic from the attacking IP addresses, engage an external service provider to help manage the traffic, or inform the Internet service provider and law enforcement agency to tackle the attack source. In a ransomware attack, the victim could invoke its own mirrored data copies, engage a cybersecurity consultant to help with decryption or data recovery, or simply pay the ransom. In these cases, the victims play an active role in implementing the risk mitigation measures after the breach. As cyber-attacks evolve over time, new tools and practices may emerge beyond the options available when a firm made a security plan or purchased cyber insurance, decisions that are often a routine and periodic exercise. The options for risk mitigation are dynamic and may be identified after the incident. Accordingly, a single-period analysis may not capture the essence of cybersecurity risk management. Here, we separate the decisions of ex ante risk prevention and ex post risk mitigation into two stages. This is our key point of departure from the literature.4

We construct a two-period model consisting of a firm making the risk prevention investment in the first period. If a security breach occurs in the second period, the firm undertakes risk mitigation spending to reduce the breach losses. We consider two scenarios: (1) the firm does not purchase cyber insurance (the base case in Section 3.1), and (2) the firm purchases cyber insurance (the cyber insurance case in Section 3.2). If the firm purchases cyber insurance, the insurance will cover some of the mitigation spending and breach losses. Compared with the base case, we scrutinize cyber insurance’s influences on the firm’s risk prevention investment, mitigation spending, mitigated loss, and wealth.

Our analysis shows that the fundamental difference in the unique setting of cyber insurance—that the insured firm expends effort on risk mitigation after a security incident—results in distinctive interactions among risk management strategies. Specifically, we find that cyber insurance encourages risk mitigation but mostly discourages risk prevention; that is, it aggravates ex ante moral hazard but enhances ex post effort. The ex ante moral hazard is consistent with what has been observed in the health insurance literature, where full insurance discourages preventive care because the cost of treatment is covered—the classical moral hazard problem.

Interestingly, our comparative statics analysis demonstrates that the scope of coverage5 and the coinsurance rate matter. When the scope of coverage of breach losses and the coinsurance rate are chosen properly, cyber insurance can decrease the insured firm’s overall risk and increase its expected wealth. The mechanism can be understood as follows. Intuitively, a greater depth of coverage (i.e., a lower coinsurance rate) and a broader scope of coverage tend to increase the firm’s expected wealth. However, if ex ante risk prevention is decreased too much, then the likelihood of a breach is significantly increased. As a result, the expected mitigated loss may increase. Hence, a delicate calibration of the scope of coverage of breach losses and the coinsurance rate can generate a desirable outcome, viz. compensating reduction in risk prevention by an increase in risk mitigation effort, leading to higher overall wealth and a lower expected mitigated loss for the insured firm.

Our analysis provides novel and normative insights into how cyber insurance affects a firm’s wealth by distorting its efforts in ex ante risk prevention and ex post risk mitigation. Although procuring cyber insurance may reduce risk prevention due to moral hazard (as in many other forms of insurance, such as health or car insurance), we show that in the cybersecurity setting, where post-breach risk mitigation is common, expected, and dynamic, cyber insurance can help motivate the firm to distribute its resources appropriately to maximize its own wealth and reduce the mitigated loss. This win (the insured firm)-win (the downstream customers)-win (the insurer) situation well substantiates the use of cyber insurance as a cybersecurity risk management initiative. The results also highlight the important role of services related to risk mitigation efforts in complementing the common in-house risk prevention efforts.

The rest of this paper is organized as follows. Section 2 reviews the literature. Section 3.1 describes and analyzes a baseline two-period model in which the risk prevention decision is made before the security incident and the risk mitigation decision is made after the incident. Section 3.2 adds cyber insurance to the baseline model. Section 3.3 presents the comparative statics. Section 3.4 presents numerical examples to illustrate our findings. Section 4 demonstrates the robustness of our results in the presence of a deductible, an indemnity limit, risk aversion, ex ante risk mitigation, and strategic hackers. Section 5 discusses our theoretical contribution and the managerial implications of our findings. Section 6 identifies a few future research directions and concludes the paper.

2. Literature Review

Our work is related to two streams of information security research: (1) cyber insurance and moral hazard, and (2) risk management strategies, including risk prevention and risk transfer.

2.1. Cyber Insurance and Moral Hazard

Many prior studies have analyzed the slow uptake of cyber insurance, often from different perspectives, such as system interdependence (Kunreuther and Heal 2003), correlated risks (Bohme 2005, Bohme and Kataria 2006), information asymmetry (Bandyopadhyay et al. 2008), and information sharing and cyber insurance selection (Bodin et al. 2018). In recent years, we have seen gradual growth of the cyber insurance market. The closest related work is Ogut et al. (2011), who found that cyber insurance coverage and risk prevention spending can either be substitutes or complements, depending on whether the insurer can design a contract contingent on the firm’s risk prevention level. Bolot and Lelarge (2008) showed that cyber insurance can complement risk prevention strategies, but Gordon et al. (2003a) suggested that cyber insurance reduces a firm’s risk prevention efforts. Pal et al. (2014) showed that the merit of cyber insurance depends on its market structure.

In the insurance literature, most studies after Arrow (1963) and Pauly (1968) have focused on ex ante moral hazard (Rowell and Connelly 2012). Cyber insurance is different from general insurance in that the insured firm often needs to make ex post efforts to contain the losses. For example, after a data breach, a bank can reissue customers’ credit cards to minimize fraudulent transactions due to the lost card numbers. Such ex post mitigation efforts are critical in many security breach incidents, but they often require good judgment from the victim on whether and how much to deploy them after the breach. In studies that investigate ex post decisions, the decisions are often simple and do not require proactive management of the damage after the incident. For example, Abbring et al. (2008) and Gramig et al. (2005) formulated ex post moral hazard as a binary decision variable, such as report versus not report or disclose versus not disclose. In health insurance, the concern is the abuse of health insurance after an illness. The objective is to induce consumers to adopt a healthy lifestyle to prevent illness (Bogetic and Heffley 1993). Instead of internalizing the prevention and mitigation decisions with insurance, this literature focuses on incentive plans to alter the insured’s lifestyles to reduce the ex post medical costs (Heffley and Miceli 1998).

Here, we do not consider incentive plans because they are uncommon in cyber insurance. Our analysis of risk mitigation and risk prevention in cybersecurity adopts the self-insurance (to reduce the severity of loss in a security incident) and self-protection (to reduce the probability of a security incident) concepts proposed by Ehrlich and Becker (1972). The point of departure here is that the risk mitigation decisions are made ex post, that is, after the security breach incident, instead of ex ante.

2.2. Management of Cybersecurity

Managing cybersecurity encompasses many forms of technical and managerial measures. The IT security risk management doctrine, commonly adopted in many organizations, prioritizes countermeasures based on which threats or risks are ranked the most dangerous (Loch et al. 1992). The protection effort should not exceed what is justifiable by the associated costs and expected losses (Gordon and Loeb 2002). In other words, protection does not need to be aimed at preventing all security breaches. Instead, firms typically operate under the notion of “acceptable” risks, where any decisions about reducing risks recognize a degree of residual risk that the firm is willing to accept (Whitman and Mattord 2012).

Recent studies have focused on the economic incentives of managing information security. This stream of research examines the related cybersecurity issues from multiple perspectives, including breach prevention (Cavusoglu et al. 2005, Mookerjee et al. 2011), risk transfer (Hui et al. 2012, Zhao et al. 2013), security risk disclosure and realization (Gordon et al. 2006, Wang et al. 2013), sharing of cybersecurity-related information (Gordon et al. 2003b), mandatory information security standards (Lee et al. 2016), contracting information security (Lee et al. 2013, Hui et al. 2019), intrusion detection and response (Yue and Cakanyildirim 2007), the portfolio with countermeasures (Kumar et al. 2008), a value-at-risk (VaR) approach to information security investment (Wang et al. 2008), a wait-and-see approach to risk prevention (Bohme and Moore 2009, Elliott et al. 2016), diffusion and disclosure of attacks (Mitra and Ransbotham 2015), and software liability and vulnerability (August and Tunca 2011). Although extensive, these studies do not consider post-breach risk mitigation as an essential element in cybersecurity risk management. The emergence of cyber insurance points to a need to understand its role in the interplay between cybersecurity risk prevention and post-breach loss mitigation.

3. Model and Analysis

Consider a two-period model in which the firm makes an investment at $t=0$ to prevent a cybersecurity breach that may happen at $t=1$. The investment is in risk prevention measures such as technical controls, security policy deployment, and user awareness training. An investment $s$ gives the firm risk prevention effectiveness $q(s)$, where $0<q(s)<1$. A higher risk prevention effectiveness lowers the breach probability, denoted as $1-q(s)$ (Gordon and Loeb 2002), where $q'(s)>0$ and $q''(s)<0$; that is, there is diminishing return to risk prevention investment. Realistically, it is difficult, if not impossible, to achieve perfect security in an organization. As the level of security increases, the effort needed to raise security further increases disproportionally.

If a security breach such as unauthorized access or a distributed denial-of-service attack occurs, an unmitigated loss will be incurred. The firm then moves to the post-breach period, t=1, and will engage in mitigation spending r on activities such as forensic tracing, legal consultation, incident response, or public relations management (Romanosky et al. 2019, Chubb.com 2022), which reduce the loss arising from the security breach. The final loss incurred is called the mitigated loss. We assume that the decision timeline spans one financial year, which is consistent with the typical annual budgeting cycle for cybersecurity risk management (PwC 2014). Figure 1 illustrates the decision timeline.

Figure 1. Decision Timeline (Base Model)

Conditional on breach occurrence, the mitigated loss suffered by the firm is

$[1-m(r)]\,L,$
where $L$ is a random variable that denotes the unmitigated loss and $m(r)$ denotes the effectiveness of post-breach mitigation spending, $r$, with $0<m(r)<1$, $m'(r)>0$, and $m''(r)<0$. Here again, risk mitigation is subject to diminishing returns for the same reason that risk prevention is. Throughout this paper, we use uppercase letters to denote random variables and lowercase letters for other variables and functions.

Our definition of cybersecurity risk, which considers both the likelihood of an incident and the severity of the incident, is consistent with the definitions in the literature (Kaplan and Garrick 1981). Similar to Gordon and Loeb (2002), we assume that investment in preventive measures reduces the likelihood of a breach. In contrast, risk mitigation spending limits the size of the breach severity (i.e., losses).

To ease subsequent analysis, we assume that q(s) and m(r) have the following forms,

$q(s)=1-e^{-k_s s} \quad\text{and}\quad m(r)=1-e^{-k_r r},$
where the parameters $k_s$ and $k_r$ shape the concavity of the effectiveness functions. As shown in Figure 2, larger values of $k_s$ and $k_r$ indicate that $q(s)$ and $m(r)$ are more concave. In Online Appendix H, we prove that all of our key results continue to hold with general $q(s)$ and $m(r)$. Table 1 summarizes the notations used in our analysis.

Figure 2. $q(s)$ Under Different Values of $k_s$ (Dotted: $k_s=1$; Dashed: $k_s=2$; Solid: $k_s=3$)

Table 1. Notation Table

Symbol        Description
$r$           Risk mitigation spending
$s$           Risk prevention investment
$q(s)$        Risk prevention effectiveness
$m(r)$        Risk mitigation effectiveness on unmitigated loss
$w_0$         Initial wealth at the beginning of $t=0$
$w_1$         Actual wealth at the end of $t=1$
$W_1$         Wealth at $t=1$, viewed as a random variable at $t=0$
$W_1^{*}$     Wealth after solving for $r$ at $t=1$ in backward induction, viewed as a random variable at $t=0$
$W_1^{**}$    Wealth after solving for $s$ at $t=0$ in backward induction, viewed as a random variable at $t=0$
$L$           Unmitigated loss, viewed as a random variable at $t=0$
$p$           Price of cyber insurance
$\kappa$      Size of claim
$\beta$       Scope of insurance coverage
$\delta$      Depth of insurance coverage (one minus the coinsurance rate)
$c$           Subscript for the cyber insurance model
$b$           Subscript for the base model

3.1. Base Model

In this subsection, we consider a base case where the firm addresses security risks without using cyber insurance. The firm’s expected final wealth at t=1 is

$E[W_1] = w_0 - s - [1-q(s)]\,E\{r + [1-m(r)]L\},$ (1)
where $w_0$ denotes the firm’s initial wealth. The firm’s objective is to maximize its final expected wealth by choosing the optimal $s$ at $t=0$ and the optimal $r$ at $t=1$.

We solve the problem backward. At $t=1$, the firm does not suffer a damage if a breach does not occur. If a breach occurs, however, the true value of the unmitigated loss will be revealed; that is, the firm learns that $L=\ell$. After post-breach mitigation, the firm suffers a mitigated loss, $[1-m(r)]\ell$. Given risk prevention investment, $s$, the firm’s wealth after the cybersecurity incident at $t=1$ is

$w_1 = w_0 - s - r - [1-m(r)]\ell.$ (2)

Compared with the case without a breach, where $w_1 = w_0 - s$, the total financial impact of a breach at $t=1$ is $r + [1-m(r)]\ell$, which comprises the risk mitigation spending and the mitigated loss.

Now, when a breach occurs, the firm chooses r to maximize w1. It will invest in post-breach risk mitigation until the additional dollar spent yields an exact dollar worth of benefit. We obtain the optimal risk mitigation spending by solving the first-order condition (FOC) of Equation (2):

$m'(r)\,\ell = 1.$ (3)

The second-order condition is satisfied as $m''(r)<0$. Solving (3) allows the firm to determine the optimal risk mitigation spending based on $\ell$. We denote this optimal risk mitigation spending as $r^*(\ell)$. Substituting $m(r)=1-e^{-k_r r}$ into Equation (3) gives

$r_b^*(\ell) = \frac{1}{k_r}\ln(k_r\ell),$ (4)
where the subscript $b$ denotes the base case. As expected, the optimal risk mitigation spending increases with the unmitigated loss. Substituting Equation (4) into Equation (2), the firm’s optimal wealth at $t=1$ in case of a breach is
$w_1^* = w_0 - s - \frac{1}{k_r}[1+\ln(k_r\ell)].$

Moving backward, at $t=0$, the actual value of $\ell$ is not realized. So the firm has to decide based on the expected $r_b^*(L)$, which is a function of the random variable, $L$. Hence, we have

$E[W_1^*] = q(s)(w_0 - s) + [1-q(s)]\,E\left\{w_0 - s - \frac{1}{k_r}[1+\ln(k_r L)]\right\},$
or
$E[W_1^*] = w_0 - s - [1-q(s)]\,E\left\{\frac{1}{k_r}[1+\ln(k_r L)]\right\}.$ (5)

The first order condition is

$\frac{\partial E[W_1^*]}{\partial s} = -1 + q'(s)\,E\left\{\frac{1}{k_r}[1+\ln(k_r L)]\right\} = 0$ (6)
or
$s_b^* = \frac{1}{k_s}\ln\left\{\frac{k_s}{k_r}E[1+\ln(k_r L)]\right\}.$ (7)

The second-order condition is

$q''(s)\,E\left\{\frac{1}{k_r}[1+\ln(k_r L)]\right\} < 0$ (8)
because $q''(s)<0$. Hence, the expected risk prevention effectiveness is
$q(s_b^*) = 1 - e^{-k_s s_b^*} = 1 - \frac{k_r}{k_s}\cdot\frac{1}{E[1+\ln(k_r L)]}.$ (9)

The equilibrium expected risk mitigation spending is

$[1-q(s_b^*)]\,E[r_b^*(L)] = \frac{1}{k_s}\cdot\frac{E[\ln(k_r L)]}{E[1+\ln(k_r L)]}.$ (10)

The equilibrium expected mitigated loss is

$[1-q(s_b^*)]\,E\left[\{1-m(r_b^*(L))\}L\right] = \frac{1}{k_s}\cdot\frac{1}{E[1+\ln(k_r L)]}.$ (11)

Taken together, the firm’s equilibrium expected wealth is

$E[W_1^{**}] = w_0 - \frac{1}{k_s}\left(1 + \ln\left\{\frac{k_s}{k_r}E[1+\ln(k_r L)]\right\}\right).$ (12)

Proposition 1 summarizes the outcomes of the base model.

Proposition 1

(Baseline Outcomes Without Cyber Insurance). The equilibrium of the base model is characterized as follows.

  • (a) Expected risk prevention investment $s_b^* = \frac{1}{k_s}\ln\left\{\frac{k_s}{k_r}E[1+\ln(k_r L)]\right\}$.

  • (b) Expected risk prevention effectiveness $q(s_b^*) = 1 - \frac{k_r}{k_s}\cdot\frac{1}{E[1+\ln(k_r L)]}$.

  • (c) Expected risk mitigation spending for a given breach $r_b^*(\ell) = \frac{1}{k_r}\ln(k_r\ell)$.

  • (d) Expected risk mitigation spending $[1-q(s_b^*)]\,E[r_b^*(L)] = \frac{1}{k_s}\cdot\frac{E[\ln(k_r L)]}{E[1+\ln(k_r L)]}$.

  • (e) Expected mitigated loss $[1-q(s_b^*)]\,E[\{1-m(r_b^*(L))\}L] = \frac{1}{k_s}\cdot\frac{1}{E[1+\ln(k_r L)]}$.

  • (f) Expected firm wealth $E[W_1^{**}] = w_0 - \frac{1}{k_s}\left(1 + \ln\left\{\frac{k_s}{k_r}E[1+\ln(k_r L)]\right\}\right)$.

3.2. The Cyber Insurance Model

We now consider the case where the firm includes cyber insurance as an element of its risk management (Hurtaud et al. 2015, Cohn and Kelley 2017).6 Specifically, we examine how cyber insurance affects the firm’s risk prevention and post-breach risk mitigation expenses.

For simplicity, we assume perfect competition for the supply of cyber insurance such that the price is exogenous. This formulation is consistent with Rothschild and Stiglitz (1976). Because we do not incorporate benefits of insurance such as risk pooling and better connections with cyber resources,7 the price of cyber insurance, p, can be interpreted as the competitive market price for cyber insurance net of such benefits for a cyber insurance market to exist. However, because risk aversion alters the firm’s utility function and may directly affect resource allocation in risk management (the core focus of this study), we analyze its effects in an extension in Sections 4.3 and 4.4. Figure 3 illustrates the timeline of the cyber insurance model.

Figure 3. Decision Timeline (Cyber Insurance Model)

After purchasing the cyber insurance at price p, if a breach occurs at t=1, the insurance will cover some of the mitigation spending and losses. The firm’s expected final wealth evaluated at t=0 is

$E[W_1] = w_0 - s - p - [1-q(s)]\,E\left[r + [1-m(r)]L - \kappa\right],$ (13)
where $\kappa$ denotes the insurance coverage, which is a function of the cost of the breach, say, $x$, covered by the cyber insurance, that is, $\kappa=\kappa(x)$. The function $\kappa(x)$ is typically a linear or piecewise linear function.8 Here, we assume $\kappa(x)=\delta x$, where $0<\delta\le 1$. Following Feldman et al. (1997), we call $\delta$ the “depth” of coverage and $1-\delta$ the coinsurance rate. Hence, this analysis applies to coinsurance and full coverage (where $\delta=1$). In Section 4, we include a deductible ($d$) and an indemnity limit ($i$) to the insurance policy and show that these additional complexities do not affect our general results.

In $\kappa(x)=\delta x$, $x$ denotes the firm’s total insurable costs arising from a breach, which comprise the mitigation spending, $r$, and the types of losses covered by the insurance policy. The claim from the breach is typically less than the total expenses and losses, $r + [1-m(r)]\ell$. For example, some cyber insurance products do not cover reputation damage (Hurtaud et al. 2015). We refer to the types of damage covered as the scope of coverage (Zoidze et al. 2013, van der Wees et al. 2016). Let the scope of coverage be denoted as $\beta$, where $0<\beta<1$. In general, a narrow scope (i.e., small $\beta$) means more exclusions in the cyber insurance contract. Taken together, $\kappa = \delta\{r + \beta[1-m(r)]\ell\}$.

We again solve the problem by backward induction. At t=1, the potential loss unfolds. The firm will maximize

$w_1 = w_0 - s - p - r - [1-m(r)]\ell + \delta\left(r + \beta[1-m(r)]\ell\right).$

The first derivative with respect to r can be simplified to

$\frac{dw_1}{dr} = -(1-\delta) + (1-\beta\delta)\,m'(r)\,\ell.$ (14)

The first term represents the marginal cost of risk mitigation spending. The second term is the marginal benefit of risk mitigation (i.e., loss reduction). Comparing this model with the base case, the marginal cost of risk mitigation is reduced from $1$ to $1-\delta$, and the marginal benefit of risk mitigation is reduced from $m'(r)\ell$ to $(1-\beta\delta)\,m'(r)\ell$. Hence, relative to the base case, the reduction in marginal cost is greater than the reduction in marginal benefit.

The first-order condition can be simplified to

$m'(r)\,\ell = \frac{1-\delta}{1-\beta\delta}.$ (15)

We denote the optimal risk mitigation spending at this stage as $r_c^*(\ell)$. We use the subscript, $c$, to denote the cyber insurance model. With $m(r)=1-e^{-k_r r}$, it can be shown that

$r_c^*(\ell) = \frac{1}{k_r}\ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r\ell\right).$ (16)

The only difference between Equation (16) and Equation (4) is the presence of the factor $\frac{1-\beta\delta}{1-\delta}$ in the natural log function of Equation (16). Because $\frac{1-\beta\delta}{1-\delta}>1$, Equation (16) is larger than Equation (4).
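The step from Equation (15) to Equation (16), written out here as an added worked derivation (not part of the original text; the symbols are the paper's own): with $m(r)=1-e^{-k_r r}$ we have $m'(r)=k_r e^{-k_r r}$, so Equation (15) becomes

$k_r e^{-k_r r}\,\ell = \frac{1-\delta}{1-\beta\delta} \quad\Longrightarrow\quad e^{-k_r r} = \frac{1-\delta}{(1-\beta\delta)\,k_r\ell} \quad\Longrightarrow\quad r_c^*(\ell) = \frac{1}{k_r}\ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r\ell\right).$

At this optimum the firm's own share of the mitigated loss collapses to a constant in $\ell$:

$(1-\beta\delta)\,[1-m(r_c^*(\ell))]\,\ell = (1-\beta\delta)\,e^{-k_r r_c^*(\ell)}\,\ell = \frac{1-\delta}{k_r},$

which, added to the firm's share of the spending $(1-\delta)\,r_c^*(\ell)$, gives the breach-state wealth $w_1^*$ of the cyber insurance model. Setting $\beta=\delta=0$ in each line recovers Equation (4) and the base-case $w_1^*$.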

Proposition 2

(Ex Post Risk Mitigation). In the case of a security breach, the optimal (ex post) risk mitigation spending in the cyber insurance model is greater than the optimal (ex post) risk mitigation spending in the base model, that is, $r_c^*(\ell) \ge r_b^*(\ell)$.

Proposition 2 states that cyber insurance tends to encourage risk mitigation spending by reducing the marginal cost of risk mitigation; a proportion of every dollar spent on risk mitigation is now borne by the insurer. Although the marginal benefit of risk mitigation is also reduced because some of the benefits of risk mitigation are now shared with the insurer, incomplete coverage in scope (i.e., β<1) ensures that the insurer’s share of the benefits (βδ) is smaller than its share of the costs (δ). Because the marginal cost of risk mitigation is reduced to a greater extent than the marginal benefit of risk mitigation for the firm, there is an overall increase in the ex post risk mitigation spending.

With Equation (16), we can compute the firm’s wealth at t=1 in case of a security breach as

$w_1^* = w_0 - s - p - \frac{1}{k_r}(1-\delta)\left[1 + \ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r\ell\right)\right].$

Solving the problem backward, the firm’s expected final wealth at t=0 is

$E[W_1^*] = w_0 - s - p - [1-q(s)]\,E\left\{\frac{1}{k_r}(1-\delta)\left[1 + \ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r L\right)\right]\right\}.$ (17)

Differentiating with respect to s,

$\frac{\partial E[W_1^*]}{\partial s} = -1 + q'(s)\,E\left[\frac{1}{k_r}(1-\delta)\left[1 + \ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r L\right)\right]\right] = 0,$ (18)
which gives
$s_c^* = \frac{1}{k_s}\ln\left\{\frac{k_s}{k_r}(1-\delta)\,E\left[1 + \ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r L\right)\right]\right\}.$ (19)

Equation (19) is similar to Equation (7), except that the term related to the optimal risk mitigation spending is multiplied by a factor of $\frac{1-\beta\delta}{1-\delta}$, and the size of the quantity in the outer natural logarithm function is scaled down by a factor of $(1-\delta)$. Online Appendix C explains why the risk prevention investment at $t=0$ is decreased, that is, $s_c^* < s_b^*$. This reflects the classic moral hazard problem in insurance and is consistent with the discussions in Gordon et al. (2003a).

Proposition 3

(Ex Ante Risk Prevention). The optimal risk prevention investment in the cyber insurance model is smaller than the optimal risk prevention investment in the base model, that is, $s_c^* < s_b^*$.

Therefore, the equilibrium risk prevention effectiveness is

$q(s_c^*) = 1 - \frac{k_r}{k_s}\cdot\frac{1}{1-\delta}\cdot\frac{1}{1 + E\left[\ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r L\right)\right]}.$ (20)

Hence, the equilibrium expected risk mitigation spending is

$[1-q(s_c^*)]\,E[r_c^*(L)] = \frac{1}{k_s}\cdot\frac{1}{1-\delta}\cdot\frac{E\left[\ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r L\right)\right]}{1 + E\left[\ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r L\right)\right]}.$ (21)

Online Appendix D proves the following proposition.

Proposition 4

(Expected Risk Mitigation Spending). The overall expected risk mitigation spending in the cyber insurance model is greater than the overall expected risk mitigation spending in the base model, that is, $[1-q(s_c^*)]\,E[r_c^*(L)] > [1-q(s_b^*)]\,E[r_b^*(L)]$.

Proposition 4 is not surprising because both the mitigation spending and the probability of a breach are increased (Propositions 2 and 3). Together with Proposition 3, Proposition 4 points to the tendency for cyber insurance to move resources from risk prevention to risk mitigation, which, incidentally, has been a recent recommendation by cybersecurity practitioners (Atici 2022).

The equilibrium expected mitigated loss with cyber insurance is

$[1-q(s_c^*)]\,E\left[\{1-m(r_c^*(L))\}L\right] = \frac{1}{k_s}\cdot\frac{1}{1-\beta\delta}\cdot\frac{1}{1 + E\left[\ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r L\right)\right]}.$ (22)

Online Appendix E proves the following proposition.

Proposition 5

(Expected Mitigated Loss). If the scope of coverage, $\beta$, is sufficiently small, then the overall expected mitigated loss in the cyber insurance model is smaller than the overall expected mitigated loss in the base model, that is, $[1-q(s_c^*)]\,E[\{1-m(r_c^*(L))\}L] < [1-q(s_b^*)]\,E[\{1-m(r_b^*(L))\}L]$.

For example, if $E[\ln(k_r L)]=1$, the combinations of scope, $\beta$, and depth, $\delta$, where cyber insurance increases or decreases the mitigated loss, are depicted in Figure 4.

Figure 4. Effects of Cyber Insurance on Mitigated Loss ($E[\ln(k_r L)]=1$)

To complete the analysis, we substitute sc* into Equation (17) to obtain the firm’s expected wealth:

$E[W_1^{**}] = w_0 - p - \frac{1}{k_s} - \frac{1}{k_s}\ln\left\{\frac{k_s}{k_r}(1-\delta)\,E\left[1 + \ln\left(\frac{1-\beta\delta}{1-\delta}\,k_r L\right)\right]\right\}.$ (23)

Overall, our analysis suggests that cyber insurance encourages ex post risk mitigation because the insurer bears some of the mitigation costs (Proposition 2). However, the ex ante risk prevention investment is decreased because the firm becomes less concerned about the consequences of a security breach (Proposition 3). The net effect is an increase in the overall expected risk mitigation spending (Proposition 4). From a cybersecurity perspective, whether the expected level of mitigated loss is decreased depends on the cyber insurance’s scope and depth of coverage. Cyber insurance is more likely to decrease the expected mitigated loss if the scope of coverage is small (Proposition 5).

3.3. Comparative Statics

We present comparative statics with respect to β and δ to examine how policy characteristics affect the equilibrium expected risk prevention, risk mitigation, mitigated loss, and the insured firm’s wealth. The derivations are available in Online Appendix F and Online Appendix G.

The comparative statics provide us with more in-depth insights into the mechanism that drives our propositions. Although β and δ affect expected risk prevention in the same direction, they affect risk mitigation in opposite directions (highlighted in Table 2). A positive relationship between δ and risk mitigation spending is not surprising. A greater depth in insurance coverage means that the insurer bears more of the risk mitigation spending, decreasing the firm’s marginal cost of risk mitigation and thus encouraging risk mitigation spending.

Table 2. Comparative Statics

| Quantity | β | δ |
|---|---|---|
| Equilibrium expected risk prevention investment, $s_c^*$ | Negative | Negative |
| Equilibrium expected risk prevention effectiveness, $q(s_c^*)$ | Negative | Negative |
| Ex post risk mitigation spending for a given breach, $r_c^*(\ell)$ | Negative | Positive |
| Equilibrium expected risk mitigation spending, $[1-q(s_c^*)]\,E[r_c^*(L)]$ | Negative | Positive |
| Equilibrium expected mitigated loss, $[1-q(s_c^*)]\,E[\{1-m(r_c^*(L))\}L]$ | Positive | Positive or negative |
| Equilibrium expected firm's wealth, $w_0 - s_c^* - p - [1-q(s_c^*)]\{(1-\delta)\,r_c^*(L) + (1-\beta\delta)[1-m(r_c^*(L))]L\}$ | Positive | Positive |

A less intuitive result is that a small β (narrower insurance coverage) actually favors risk mitigation spending. This occurs because a small β ensures that the marginal benefit of risk mitigation is not reduced (because of the coinsurance) to a degree that significantly cancels out the effects of the reduced marginal cost of risk mitigation. In other words, when β is small, the firm can realize more direct risk mitigation benefit from its own spending, incentivizing it to increase its mitigation.

3.4. Numerical Examples

In this subsection, we present numerical examples to better visualize our findings. Because the effect of the concavity of $q(s)$ and $m(r)$ is not the focus of our analysis, for simplicity, we assume $k_s = k_r = 1$. In other words, $q(s) = 1 - e^{-s}$ and $m(r) = 1 - e^{-r}$. We also assume that L follows a uniform distribution, that is, $L \sim \mathrm{Uniform}(0, \max)$, where max is a firm characteristic. Depending on the nature of its business, a firm may face a different value of max (e.g., the potential financial and reputation loss of a consumer bank could be significantly higher than that of an educational institution).

To choose parameters that mimic real-world settings, we refer to the 2013 breach incident of Target Corporation. According to Target’s 2013 annual report, its net asset was around $15 billion, and the total mitigated loss from the security breach was $300 million (Newman 2016). Obviously, the maximum potential loss could be much higher than the mitigated loss. Here, for convenience, we simply assume that the maximum potential loss is 10 times the mitigated loss, that is, $3 billion. We acknowledge that this upper bound of L is chosen arbitrarily.

For the cyber insurance model, we need to make further assumptions on the value of the cyber insurance policy. In the Target case, the total expense related to the breach was $61 million, whereas the reimbursed amount was $44 million (Skariachan and Finkle 2014). So, the depth of coverage was roughly 44/61 ≈ 72%. Because the total mitigated loss was $300 million, we estimate the scope of coverage to be approximately 61/300 = 0.20.

According to Lerner (2019), the average cost of cyber liability insurance per $1 million of coverage is $1,500. Because Target had a coverage of $100 million (Newman 2016), we assume that the price paid for the coverage was approximately $150,000.

For ease of comparison, we scale the above numbers (except for percentages or proportions) down by a factor of $10^7$. Hence, in the following examples, we use these parameters: $w_0 = 1{,}500$, $\max = 300$, $p = 0.015$, $\beta = 0.20$, and $\delta = 0.72$. We emphasize that the purpose of analytical research is to provide a theoretical contribution by explaining the different drivers behind the firm's decisions and their welfare implications. This numerical illustration does not intend to provide an accurate or realistic estimation of the variables of interest.

3.4.1. Numerical Example for the Base Model.

If there is a breach at $t = 1$ and the unmitigated loss turns out to be $\ell$, the optimal (ex post) risk mitigation spending will be $r_b^*(\ell) = \ln(\ell)$ according to Equation (4). By Equation (7), the optimal risk prevention investment is equal to $s_b^* = \ln\{E[1 + \ln(L)]\} = 1.7411$. By Equation (10), the equilibrium expected risk mitigation spending is $E[\ln(L)]/E[1 + \ln(L)] = 0.8247$. By Equation (11), the equilibrium expected mitigated loss is $1/E[1 + \ln(L)] = 0.1753$. Finally, by Equation (12), the equilibrium expected wealth of the firm is $1{,}500 - (1 + \ln\{E[1 + \ln(k_r L)]\}) = 1{,}497.26$.

3.4.2. Numerical Example for the Cyber Insurance Model.

If there is a breach at $t = 1$ and the unmitigated loss turns out to be $\ell$, the optimal (ex post) risk mitigation spending will be $r_c^*(\ell) = \ln\!\left(\frac{1-0.20\times0.72}{1-0.72}\,\ell\right) = \ln(3.0571\,\ell)$ according to Equation (16). The optimal risk prevention investment is equal to $s_c^* = \ln\left\{(1-0.72)\,E\!\left[1+\ln\!\left(\frac{1-0.20\times0.72}{1-0.72}\,L\right)\right]\right\} = 0.6471$ according to Equation (19). By Equation (21), the equilibrium expected risk mitigation spending is $\frac{1}{1-0.72}\cdot\frac{E[\ln(3.0571\,L)]}{1+E[\ln(3.0571\,L)]} = 3.0479$. By Equation (22), the equilibrium expected mitigated loss is $\frac{1}{1-0.20\times0.72}\cdot\frac{1}{1+E[\ln(3.0571\,L)]} = 0.1713$. Finally, by Equation (23), the equilibrium expected wealth of the firm is $1{,}500 - 0.015 - 1 - \ln\{(1-0.72)\,E[1+\ln(3.0571\,L)]\} = 1{,}498.34$.

Table 3 compares the results of the numerical examples for the base model and the cyber insurance model. The numerical examples show that cyber insurance can increase the firm’s wealth and reduce the mitigated loss by increasing the firm’s risk mitigation spending that more than compensates for the decrease in risk prevention. This numerical example demonstrates that when the insurance parameters, in terms of scope and depth of coverage, are calibrated properly, it is incentive compatible for firms to procure cyber insurance as part of their risk management strategy.

Table 3. Comparison of the Base Model and Cyber Insurance Model

| Quantity | Base ($\times 10^7$) | Cyber insurance ($\times 10^7$) | Change compared with base | Relevant proposition |
|---|---|---|---|---|
| Risk prevention investment, $s^*$ | 1.7411 | 0.6471 | Decreased ↓ | 3 |
| Expected wealth, $E[W_1^{**}]$ | 1,497.26 | 1,498.34 | Increased ↑ | |
| Expected risk mitigation spending, $[1-q(s^*)]\,E[r^*(L)]$ | 0.8247 | 3.0479 | Increased ↑ | 4 |
| Expected mitigated loss, $[1-q(s^*)]\,E[(1-m(r^*(L)))L]$ | 0.1753 | 0.1713 | Decreased ↓ | 5 |
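To make the two numerical examples above reproducible, here is an added Python script (my own code, not from the paper or its e-companion) that evaluates the closed-form equilibrium quantities of Sections 3.4.1 and 3.4.2 under the same assumptions: $k_s = k_r = 1$, $L \sim \mathrm{Uniform}(0, \max)$, and the Target-inspired parameters $w_0 = 1{,}500$, $\max = 300$, $p = 0.015$, $\beta = 0.20$, $\delta = 0.72$. It relies on the fact that $E[\ln L] = \ln(\max) - 1$ for a uniform distribution on $(0, \max)$, and it goes slightly beyond the text by scanning a grid of (β, δ) pairs to show where, as in Proposition 5 and Figure 4, cyber insurance lowers the expected mitigated loss. Function and variable names are my own.

```python
import math


def expected_log_loss(lmax):
    """E[ln L] for L ~ Uniform(0, lmax): (1/lmax) * integral_0^lmax ln x dx = ln(lmax) - 1."""
    return math.log(lmax) - 1.0


def base_equilibrium(w0, lmax):
    """Base model (Section 3.4.1) with k_s = k_r = 1, so q(s) = 1 - e^{-s} and m(r) = 1 - e^{-r}."""
    e1 = 1.0 + expected_log_loss(lmax)        # E[1 + ln L]
    s = math.log(e1)                           # s_b* = ln{E[1 + ln L]}            (Eq. 7)
    return {
        "s": s,
        "mitigation": (e1 - 1.0) / e1,         # [1 - q(s*)] E[r*(L)] = E[ln L] / E[1 + ln L]   (Eq. 10)
        "mitigated_loss": 1.0 / e1,            # [1 - q(s*)] E[{1 - m(r*(L))} L]                 (Eq. 11)
        "wealth": w0 - (1.0 + s),              # E[W_1**] = w0 - (1 + s_b*)                       (Eq. 12)
    }


def insured_equilibrium(w0, lmax, p, beta, delta):
    """Cyber insurance model (Section 3.4.2), Equations (16), (19), (21)-(23) with k_s = k_r = 1."""
    c = (1.0 - beta * delta) / (1.0 - delta)   # r_c*(l) = ln(c * l)                 (Eq. 16)
    e1 = 1.0 + math.log(c) + expected_log_loss(lmax)   # E[1 + ln(c L)]
    s = math.log((1.0 - delta) * e1)           # s_c* = ln{(1 - delta) E[1 + ln(c L)]}   (Eq. 19)
    return {
        "s": s,
        "mitigation": (e1 - 1.0) / ((1.0 - delta) * e1),        # Eq. 21
        "mitigated_loss": 1.0 / ((1.0 - beta * delta) * e1),    # Eq. 22
        "wealth": w0 - p - 1.0 - s,                             # Eq. 23
    }


def insurance_reduces_mitigated_loss(lmax, beta, delta, w0=1500.0, p=0.015):
    """Proposition 5 check for one (beta, delta) pair; the loss expressions do not depend on w0 or p."""
    with_ins = insured_equilibrium(w0, lmax, p, beta, delta)["mitigated_loss"]
    without = base_equilibrium(w0, lmax)["mitigated_loss"]
    return with_ins < without


def coverage_map(lmax, betas, deltas):
    """Figure 4-style scan: which (beta, delta) combinations lower the expected mitigated loss."""
    return {(b, d): insurance_reduces_mitigated_loss(lmax, b, d) for b in betas for d in deltas}


if __name__ == "__main__":
    W0, LMAX, P, BETA, DELTA = 1500.0, 300.0, 0.015, 0.20, 0.72   # Table 3 parameters
    base = base_equilibrium(W0, LMAX)
    ins = insured_equilibrium(W0, LMAX, P, BETA, DELTA)
    for key in base:
        print(f"{key:15s} base={base[key]:10.4f}  insured={ins[key]:10.4f}")
    for (b, d), lower in sorted(coverage_map(LMAX, [0.1, 0.2, 0.5, 0.9], [0.5, 0.72, 0.9]).items()):
        print(f"beta={b:.2f} delta={d:.2f}  mitigated loss lower with insurance: {lower}")
```

Running the script reproduces the four rows of Table 3 (1.7411 versus 0.6471, 1,497.26 versus 1,498.34, 0.8247 versus 3.0479, 0.1753 versus 0.1713) and shows that at δ = 0.72 the mitigated loss falls below the base level only for the smaller scopes, while β = 0.9 raises it, the pattern Proposition 5 describes.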

4. Extensions

This section establishes the generalizability of our main results in the presence of (1) a deductible, (2) an indemnity limit, (3) risk aversion, (4) endogenous pricing, (5) ex ante risk mitigation, and (6) strategic hackers. Proposition 5, the numerical analyses presented in Figure 4 and Table 3, and the comparative statics presented in Table 2 suggest that whether the firm can benefit from cyber insurance with a reduced expected mitigated loss and an increased expected wealth depends on a careful design of the insurance policy characterized by the scope of coverage, β, and the depth of coverage, δ. Because we do not expect this dependence on β and δ to disappear with a deductible, an indemnity limit, risk aversion, ex ante risk mitigation, and strategic hackers, we focus only on their effects on Propositions 2–4, that is, the ex post risk mitigation spending, ex ante risk prevention spending, and overall expected mitigated loss.

4.1. Effects of Deductible

In the previous section, the size of a claim for a given breach is given by

$$\kappa = \delta\{r + \beta[1-m(r)]\,\ell\}.$$

In the presence of a deductible, d, if the mitigation spending and the mitigated loss combined are smaller than d, then there will be no claim; otherwise, the claim is $\kappa = \delta\{r + \beta[1-m(r)]\,\ell\} - d$. In other words,

$$\kappa = \begin{cases} 0, & \text{total cost of breach} \le d \\ \delta\{r + \beta[1-m(r)]\,\ell\} - d, & \text{total cost of breach} > d \end{cases}$$

At $t = 1$, the firm's wealth in case of a breach is, therefore,

$$w_1 = \begin{cases} w_0 - s - p - r - [1-m(r)]\,\ell, & \text{total cost of breach} \le d \\ w_0 - s - p - r - [1-m(r)]\,\ell + \delta\{r + \beta[1-m(r)]\,\ell\} - d, & \text{total cost of breach} > d \end{cases}$$

The maximization of w1 at t=1 is the same as that in the base model if the total cost of the breach is not greater than d. On the other hand, if the total cost of the breach is greater than d, then the maximization problem is the same as that in the cyber insurance model (because the constant d in the objective function does not affect the optimization with respect to r). Therefore, Proposition 2 holds only when the firm will make a claim. However, overall, it is still true that the expected ex post risk mitigation spending is greater with cyber insurance than without it, that is,

$$E[r_c^*(L)] > E[r_b^*(L)]. \qquad (24)$$

Online Appendix I proves that the optimal risk prevention investment $s^*$ is decreased, consistent with Proposition 3. Therefore, compared with the base model, $q(s^*)$ is decreased and $[1-q(s^*)]$ is increased. With $E[r^*(L)]$ also increasing according to Equation (24), it must be true that $[1-q(s_c^*)]\,E[r_c^*(L)] > [1-q(s_b^*)]\,E[r_b^*(L)]$, as suggested by Proposition 4.

4.2. Effects of an Indemnity Limit

In the presence of an indemnity limit, i, the total claim size is capped at i. From the previous section, we note that the size of a claim for a given breach is given by

$$\kappa = \delta\{r + \beta[1-m(r)]\,\ell\}.$$

With the indemnity limit, it becomes

$$\kappa = \begin{cases} \delta\{r + \beta[1-m(r)]\,\ell\}, & \text{total uncapped claim size} \le i \\ i, & \text{total uncapped claim size} > i \end{cases}$$

At $t = 1$, the firm's wealth in case of a breach is, therefore,

$$w_1 = \begin{cases} w_0 - s - p - r - [1-m(r)]\,\ell + \delta\{r + \beta[1-m(r)]\,\ell\}, & \text{total uncapped claim size} \le i \\ w_0 - s - p - r - [1-m(r)]\,\ell + i, & \text{total uncapped claim size} > i \end{cases}$$

The maximization of w1 at t=1 is the same as that in the base model if the total uncapped claim size is greater than i (because i is just a constant term and does not affect optimization with respect to r). On the other hand, if the total uncapped claim size is smaller than i, then the maximization problem is the same as that in the cyber insurance model. Therefore, Proposition 2 holds only when the total uncapped claim size is smaller than i. However, overall, it is still true that the expected ex post risk mitigation spending is greater with cyber insurance than without it; that is, Equation (24) holds.

Online Appendix J proves that the optimal risk prevention investment $s^*$ is decreased, consistent with Proposition 3. Therefore, compared with the base model, $q(s^*)$ is decreased and $[1-q(s^*)]$ is increased. With $E[r^*(L)]$ also increasing according to Equation (24), it must be true that $[1-q(s_c^*)]\,E[r_c^*(L)] > [1-q(s_b^*)]\,E[r_b^*(L)]$, as suggested by Proposition 4.
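The ex post problem in Sections 4.1 and 4.2 is piecewise: the firm chooses r against a claim schedule that is zero within the deductible, reduced by d above it, or capped at i. The following added Python script (my own code, not the paper's) makes that decision concrete by grid-searching $r^*(\ell)$ for a realized loss under each contract variant. It assumes the functional form $m(r) = 1 - e^{-r}$ from Section 3.4 and constructed inputs (ℓ = 100, d and i chosen to sit clearly on either side of the claim threshold); the closed forms it compares against are $r_b^*(\ell) = \ln \ell$ and $r_c^*(\ell) = \ln\!\big(\frac{1-\beta\delta}{1-\delta}\,\ell\big)$ from the numerical examples. Function names are my own.

```python
import math


def insurer_claim(r, ell, beta, delta, deductible=None, limit=None):
    """Claim kappa for a realized loss ell after ex post mitigation spend r.

    Uncapped claim: kappa = delta * {r + beta * [1 - m(r)] * ell}, with m(r) = 1 - e^{-r}
    (the Section 3.4 functional form, assumed here). A deductible (Section 4.1) pays nothing
    when the total cost of the breach r + [1 - m(r)] ell is within d and kappa - d otherwise;
    an indemnity limit (Section 4.2) caps the claim at i.
    """
    mitigated_loss = math.exp(-r) * ell              # [1 - m(r)] * ell
    kappa = delta * (r + beta * mitigated_loss)      # uncapped claim size
    if deductible is not None:
        if r + mitigated_loss <= deductible:
            return 0.0
        kappa -= deductible
    if limit is not None:
        kappa = min(kappa, limit)
    return kappa


def ex_post_wealth(r, ell, w0, s, p, beta, delta, deductible=None, limit=None):
    """w_1 at t = 1 after a breach: sunk s and p, mitigation r, residual loss, plus the claim."""
    return (w0 - s - p - r - math.exp(-r) * ell
            + insurer_claim(r, ell, beta, delta, deductible, limit))


def optimal_ex_post_mitigation(ell, w0, s, p, beta, delta,
                               deductible=None, limit=None, step=1e-3):
    """Grid search for r*(ell) on [0, ln(ell) + 2]; both closed-form optima lie well inside."""
    upper = math.log(ell) + 2.0
    best_r, best_w = 0.0, -math.inf
    for k in range(int(upper / step) + 1):
        r = k * step
        w = ex_post_wealth(r, ell, w0, s, p, beta, delta, deductible, limit)
        if w > best_w:
            best_r, best_w = r, w
    return best_r


if __name__ == "__main__":
    ELL, W0, S, P, BETA, DELTA = 100.0, 1500.0, 1.0, 0.015, 0.20, 0.72   # constructed inputs
    c = (1.0 - BETA * DELTA) / (1.0 - DELTA)
    print("closed forms: ln(ell) =", round(math.log(ELL), 4), " ln(c*ell) =", round(math.log(c * ELL), 4))
    print("no insurance      r* =", round(optimal_ex_post_mitigation(ELL, W0, S, 0.0, 0.0, 0.0), 4))
    print("insured, no terms r* =", round(optimal_ex_post_mitigation(ELL, W0, S, P, BETA, DELTA), 4))
    # deductible 3 is below the smallest possible total cost 1 + ln(ell), so a claim is always made
    print("deductible d=3    r* =", round(optimal_ex_post_mitigation(ELL, W0, S, P, BETA, DELTA, deductible=3.0), 4))
    # deductible 1000 exceeds any total cost, so no claim is ever made: back to the base optimum
    print("deductible d=1000 r* =", round(optimal_ex_post_mitigation(ELL, W0, S, P, BETA, DELTA, deductible=1000.0), 4))
    # an indemnity limit of 0 removes the insurer from the margin entirely
    print("limit i=0         r* =", round(optimal_ex_post_mitigation(ELL, W0, S, P, BETA, DELTA, limit=0.0), 4))
```

The output shows Proposition 2 holding exactly when the contract terms leave the firm in the claim regime ($r^* = \ln(c\,\ell) \approx 5.72$) and collapsing to the base optimum ($r^* = \ln \ell \approx 4.61$) when the deductible or limit takes the insurer off the margin, which is the conditional form of the proposition stated in the text.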

4.3. Effects of Risk Aversion

In many situations, firms demonstrate risk aversion and are willing to pay for insurance to reduce the variability in a future outcome. In mathematical terms, risk-averse firms are willing to trade a certain amount of wealth for a reduced variance in wealth. Risk aversion results in a utility function that is concave in wealth, that is, $u(w)$ with $u'(w) > 0$ and $u''(w) < 0$. Because of risk aversion,

$$E[u(W)] < u(E[W]) \qquad (25)$$

in accordance with Jensen's Inequality. Let $E[u(W)] = u(CE[W])$, where $CE[W]$ is the certainty equivalent of W, a constant. According to Equation (25), $E[u(W)] = u(CE[W]) < u(E[W])$. Hence, $CE[W] < E[W]$. In other words, a risk-averse firm views the certain value $CE[W]$ as equally attractive as the risky outcome W, even though it is smaller than $E[W]$. The difference between $E[W]$ and $CE[W]$ is known as the risk premium.

Because $u(w)$ is an increasing function of w, maximizing w is the same as maximizing $u(w)$, unless w (or rather, W) is random, in which case we will need to consider the distribution of the random variable. In our backward induction problem, at $t = 1$, the unmitigated loss is known to be $\ell$. Because there is no randomness, Proposition 2 is not affected by the introduction of risk aversion, that is, $r_c^*(\ell) > r_b^*(\ell)$. As a result, Equation (24) also continues to hold.

Online Appendix K.1 shows that as long as the firm's wealth after a breach is not too low, Proposition 3 holds; that is, $s_c^* < s_b^*$, $q(s_c^*) < q(s_b^*)$, and $1 - q(s_c^*) > 1 - q(s_b^*)$. Together with Equation (24), $[1-q(s_c^*)]\,E[r_c^*(L)] > [1-q(s_b^*)]\,E[r_b^*(L)]$, which is consistent with Proposition 4.

All analysis so far assumes that the insurance pricing is exogenous and that the firm will accept the insurance contract. We further extend the risk aversion analysis by considering endogenous insurance pricing that depends on the firm's risk prevention investment and level of insurance coverage. Online Appendix K.2 presents one numerical example. As expected, Propositions 2–4 hold. However, this extension does not consider a scenario where the insurer can proactively incentivize the firm to invest responsibly in risk prevention. This brings us to our next extension.

4.4. Endogenous Pricing with Risk Aversion and Insurer-Incentivized Risk Prevention

This subsection is an extension of Section 4.3. Because the firm is risk averse, there is value creation when risk is transferred to the insurer, who is risk neutral. We endogenize the insurer's pricing decision to account for the possibility that the firm may control risk to prevent the cyber insurance price from becoming too high. The revised game sequence is presented in Figure 5, in which the risk prevention and insurance pricing decisions are separated into two stages. At $t = 0$, the firm invests s in risk prevention. Having the information on the risk prevention level, at $t = 1$, the insurer computes the expected actuarially fair price of the cyber insurance in a competitive market,

$$[1-q(s_c)]\,\delta\,E\big\{r_c^*(L) + \beta[1-m(r_c^*(L))]L\big\},$$

and the firm accepts the price. At $t = 2$, if there is a breach, the firm spends r on risk mitigation to reduce the loss. If there is no breach, the firm does not need to do anything.

Figure 5. Game Sequence for Cyber Insurance Model with Endogenous Pricing

Because this problem is too complex to be solved analytically, we address it using exhaustive enumeration. The relevant plots for the analysis can be found in Online Appendix L. The results show the following.

Lemma 1.

With endogenous pricing depending on the firm’s risk prevention investment, reduction in ex ante risk prevention s* need not happen.

In 46% of the cases, $s_c^* < s_b^*$, which is consistent with Proposition 3. However, in 54% of the cases, $s_c^* \ge s_b^*$. Lemma 1 is not surprising, because the firm can now signal its commitment to risk prevention to the insurer, who will then offer cyber insurance at a competitive price. To keep the cyber insurance price at a low level, the firm has the incentive to increase its investment in risk prevention. However, Proposition 2 continues to hold because the ex post risk mitigation decision is not affected by s. The numerical analysis confirms that Proposition 4 continues to hold in this extension. Furthermore, in line with Proposition 5, a smaller β is associated with a lower expected mitigated loss (see Online Appendix Figure L.2 (d)).

Table 4 presents the equilibrium outcomes under different combinations of β and δ. The last row presents the outcomes in the base model. The highlighted cells show that for certain combinations of β and δ, cyber insurance can decrease the expected mitigated loss and increase the firm’s expected utility. The last column shows the equilibrium cyber insurance price.

Table 4. Equilibrium Outcomes with Cyber Insurance, Risk Aversion, and Endogenous Pricing

| β | δ | $s^*$ | $q(s^*)$ | Expected risk mitigation spending | Expected mitigated loss | Expected utility | Cyber insurance price |
|---|---|---|---|---|---|---|---|
| 0.1 | 0.5 | 1.0180 | 0.6387 | 0.7950 | 0.1902 | 2.0739 | 0.4070 |
| 0.1 | 0.75 | 1.1502 | 0.6834 | 0.9076 | 0.0856 | 2.0596 | 0.6871 |
| 0.1 | 0.9 | 1.3569 | 0.7425 | 0.9698 | 0.0283 | 2.0337 | 0.8754 |
| 0.25 | 0.5 | 1.0033 | 0.6333 | 0.7767 | 0.2095 | 2.0759 | 0.4145 |
| 0.25 | 0.75 | 1.1197 | 0.6736 | 0.8933 | 0.1004 | 2.0635 | 0.6888 |
| 0.25 | 0.9 | 1.3195 | 0.7327 | 0.9638 | 0.0345 | 2.0385 | 0.8751 |
| 0.5 | 0.5 | 0.9794 | 0.6245 | 0.7375 | 0.2504 | 2.0791 | 0.4314 |
| 0.5 | 0.75 | 1.0611 | 0.6539 | 0.8565 | 0.1384 | 2.0710 | 0.6943 |
| 0.5 | 0.9 | 1.2384 | 0.7101 | 0.9458 | 0.0527 | 2.0491 | 0.8750 |
| Base model | | 0.9699 | 0.6209 | 0.5908 | 0.3791 | 2.0728 | NA |

Because the insurer can always design a contract by specifying the needed scope and depth of the coverage, the numerical analysis presented in this section and Online Appendix L suggests that the purchase of cyber insurance can be incentive compatible, bringing higher utility to the firm. Depending on whether the insurer can observe the firm's risk prevention effort and adjust the pricing accordingly, Proposition 3 may or may not hold.9 Yet even when the firm needs to raise its risk prevention effort to enjoy cheaper cyber insurance, the numerical result in Table 4 shows that its overall utility can be increased.

4.5. Ex Ante Risk Mitigation

We have so far assumed that all risk mitigation is done after a breach. Very often, firms can reduce the potential loss of a breach by advance planning before a breach takes place. For example, by devising a business continuity plan, the firm’s staff can respond effectively to minimize disruption to business in case of a breach. To capture this, we distinguish between two types of risk mitigation spending; r0 is the ex ante risk mitigation spending at t=0, and r1 is the ex post risk mitigation spending at t=1.

We first establish the baseline model without cyber insurance akin to the model in Section 3.1. After choosing an ex ante risk mitigation level, the firm’s expected final wealth evaluated at t=0 is

$$E[W_1] = w_0 - s - r_0 - [1-q(s)]\,E\big[r_1 + [1-m_0(r_0)][1-m_1(r_1)]L\big], \qquad (26)$$

where $m_0(r_0)$ and $m_1(r_1)$ denote the effectiveness of ex ante risk mitigation and ex post risk mitigation, respectively. This model is similar to the model presented at the beginning of Section 3.1, except for the inclusion of the ex ante risk mitigation spending $r_0$ and its risk-mitigating effect in case of a breach through the additional factor, $[1-m_0(r_0)]$. At $t = 1$, the firm maximizes

$$w_1 = w_0 - s - r_0 - r_1 - [1-m_0(r_0)][1-m_1(r_1)]\,\ell$$

with respect to $r_1$. The first order condition is

$$m_1'(r_1) = \frac{1}{[1-m_0(r_0)]\,\ell}. \qquad (27)$$

Now, with cyber insurance, the firm’s expected final wealth evaluated at t=0,

$$E[W_1] = w_0 - s - r_0 - p - [1-q(s)]\,E\big[r_1 + [1-m_0(r_0)][1-m_1(r_1)]L - \kappa\big]. \qquad (28)$$

The ex ante risk mitigation spending, r0, is not covered by the cyber insurance. Hence, in case of a breach, the insurer only needs to pay

$$\kappa = \delta\{r_1 + \beta[1-m_0(r_0)][1-m_1(r_1)]\,\ell\}.$$

Comparing Equation (26) with Equation (28), we can see that the firm’s problem in the cyber insurance model with ex ante risk mitigation is identical to the base model when p=0 and δ=0.

At t=1, in case of a breach, the firm will try to maximize

$$w_1 = w_0 - s - r_0 - p - \big[r_1 + [1-m_0(r_0)][1-m_1(r_1)]\,\ell - \kappa\big].$$

The first order condition with respect to r1 is

$$m_1'(r_1) = \frac{1-\delta}{(1-\delta\beta)[1-m_0(r_0)]\,\ell}. \qquad (29)$$

The firm's choice of optimal s and $r_0$ at $t = 0$ can then be obtained by backward induction. As shown in Online Appendix M, Propositions 2–4 continue to hold in the model with ex ante risk mitigation. It is interesting to note that cyber insurance has opposite effects on ex ante and ex post risk mitigation; it increases ex post risk mitigation but decreases ex ante risk mitigation, which is consistent with Ehrlich and Becker's (1972) conclusion that market insurance and self-insurance (i.e., ex ante mitigation in this context) are substitutes.

4.6. Effects of a Strategic Hacker

So far, we have assumed that the hacker does not react to the firm’s risk management decisions. In reality, upon realizing the firm’s purchase of cyber insurance, the hacker may change his or her hacking behavior (Delman 2021). In this subsection, we extend the base model in Section 3.1 and the cyber insurance model in Section 3.2 by assuming that the hacker will decide his or her optimal hacking effort, ε, after the firm’s risk prevention and cyber insurance decisions. The game sequence for the baseline model with a strategic hacker is presented in Figure 6.

Figure 6. Game Sequence for Baseline Model with a Strategic Hacker

The firm first decides the size of the risk prevention investment at t=0. At t=1, the hacker decides his or her optimal hacking effort, ε, based on the utility function

$$u = [1-q_+(s)]\,q_-(\varepsilon)\,g\,E\{[1-m(r)]L\} - h\varepsilon, \qquad (30)$$

where the effectiveness of risk prevention is now represented by $q_+(s)$. However, the probability of a successful attack is $[1-q_+(s)]\,q_-(\varepsilon)$ instead of just $[1-q_+(s)]$, where $q_-(\varepsilon)$ represents the hacking effectiveness and is concave in the hacker's effort, ε. $q_+(s)$ tends to increase the effectiveness of risk prevention, whereas $q_-(\varepsilon)$ tends to decrease it, hence the choice of their corresponding subscripts. g is a fraction that controls the amount of gain the hacker can get from a successful attack in terms of the mitigated loss suffered by the firm.

This formulation highlights the fact that an information asset is valued differently by the firm and the hacker. For example, a customer data set with credit card numbers may be valued much higher by the firm than by the hacker because collaboration with credit card companies may create cross-selling and other marketing opportunities. We also assume that the firm’s mitigation effort has an effect on the hacker’s gain. For example, if the firm notifies its customers of a breach as part of its mitigation effort, some of the affected customers would cancel their credit cards, and thus the number of stolen cards that are usable by the hacker decreases. Finally, h is the marginal cost of hacking.

The game sequence for the cyber insurance model with a strategic hacker is presented in Figure 7. At t=0, the firm invests in risk prevention and purchases cyber insurance. At t=1, the hacker maximizes his or her expected utility as defined in Equation (30). At t=2, in case of a successful attack, the firm mitigates the loss. Some of the mitigation expenses and the losses suffered are borne by the insurer. The baseline and cyber insurance models with a strategic hacker are analyzed in Online Appendix N.

Figure 7. Game Sequence for Cyber Insurance Model with a Strategic Hacker

Using backward induction, Online Appendix N shows that Propositions 2, 3, and 5 continue to hold. However, Proposition 4 may not hold because the probability of a successful attack could decrease with cyber insurance in the presence of strategic hacking. This may or may not happen, depending on the nature of the strategic interaction between risk prevention and strategic hacking and the exact functional form of the hacker’s utility, which is beyond the scope of our analysis.

5. Theoretical Contribution and Practical Implications

5.1. Theoretical Contribution

Our study makes two novel theoretical contributions. First, we demonstrate that the notion of insurance aggravating ex ante moral hazard has a somewhat different meaning in the context of cyber insurance. Instead of promoting shirking as seen in traditional insurance, cyber insurance facilitates the reallocation of resources from risk prevention to risk mitigation, where the effect of ex ante moral hazard may be offset by more ex post effort. This reallocation of resources may lead to a preferred outcome of achieving greater wealth and a lower level of mitigated loss. Although prior studies have considered the interplay between cyber insurance and risk prevention, this is the first study to consider the real-world connection between cyber insurance and ex post risk mitigation and to extensively model their relationship.

Second, we show that the firm is better off (in terms of both mitigated loss and wealth) when the insurance coverage is sufficiently deep and the scope is sufficiently narrow. This contradicts the typical wisdom that deep coverage exacerbates the moral hazard problem. Compared with the case with no cyber insurance, deep cyber insurance coverage encourages ex post effort because it reduces the marginal cost of risk mitigation, which helps reduce the mitigated loss. A narrower coverage puts pressure on the firm to exert appropriate risk prevention investment. Overall, this nuanced effect of cyber insurance may help incentivize firms to take actions to improve their welfare and reduce cybersecurity risks.

5.2. Practical Implications

From the managerial standpoint, our study advocates the importance of having a holistic view when managing cybersecurity risks. Effective cybersecurity risk management is rooted in the seamless integration of different risk management measures. As shown in our analysis, the optimal use of cyber insurance requires a balanced adjustment of risk prevention and risk mitigation efforts. A limited scope of coverage may reduce firms’ cybersecurity risks, echoing recent concerns from the industry that full coverage of ransom payment may actually lead to increased prevalence of ransomware (Delman 2021).

In managing cybersecurity risks, firms often overlook the importance of having sound planning for post-breach risk mitigation. According to a worldwide survey conducted by the Ponemon Institute and IBM in 2018, 77% of firms lack consistent organizational incident response plans.10 Anecdotal evidence indicates that improper incident response could be detrimental to firms. For example, poor incident response led to Singapore’s largest data breach incident in 2018 (Tham and Baharudin 2018). In the Target breach in 2013, the public relations crisis that followed after the company mishandled the breach incident led to a major reputation loss for Target (Temin 2013). To some degree, it is understandable why firms seem to be inadequate in planning for post-breach responses because the occurrence and nature of security incidents come in significant variations, making planning difficult. Thus, these post-breach responses often rely on a third-party company’s help in minimizing the damage of the incidents. This is where cyber insurance not only helps the breached firm to cover the risks but also plays an important role in fostering the breach recovery industry, perfecting the mechanism to manage the overall cybersecurity risks.

Indeed, with cyber insurance serving as an important guarantor for post-breach losses, the issue of ex post risk mitigation can be better addressed. Many cybersecurity insurers require the breached firms to immediately notify them about the breach so that further actions can be planned.11 Some insurance policies also mandate which outside risk mitigation agencies (e.g., forensic investigators, public relations agency, legal counsel, etc.) a firm can engage after a security breach incident (OECD 2017, FERMA 2018). According to KPMG, the emerging industry trend is that clients are pushing insurers to offer broad-based, post-breach solutions instead of just an insurance product (Merrey et al. 2017). Connecting these anecdotal examples to our study, the latest industry development seems to support the notion of encouraging broader but more systematic services in addressing post-breach incident responses. One key enabler of this outcome is a healthy cyber insurance market.

For policy makers, although cyber insurance has long been regarded as a potentially important tool for managing firms’ cybersecurity risks, there is a lack of quality actuarial data. Since 2017, the National Association of Insurance Commissioners (NAIC) in the United States has mandated insurers who offer cybersecurity and identity theft policies to report critical policy-related information in their annual financial reports.12 Such information provides the market with the required actuarial data for fair policy underwriting. For example, there has been a rise in cyber insurance claims in 2019 and 2020 because of the spread of ransomware attacks (Hussain and Cohn 2020, Laux et al. 2020). This trend not only corroborates the threat intelligence provided by cybersecurity vendors, it also indicates the degree to which the threats have materialized. Therefore, transparency in the cyber insurance market will play a key role beyond indirectly affecting a firm’s risk prevention effort in the future. When considering the problem for a longer period, a healthy and transparent cyber insurance market can provide further guidance on how firms should approach risk prevention and post-breach risk mitigation.

6. Conclusion

We analyze a two-period model that incorporates risk prevention, risk mitigation, and risk transfer (via cyber insurance) decisions for a firm. Specifically, we study how cyber insurance affects risk prevention, risk mitigation, and the firms’ utility. We show that cyber insurance can complement other risk management strategies and play an essential role in supporting an expanding role of risk mitigation services.

Our results point to several future research directions. First, our study has not considered risk propagation. In reality, cybersecurity risks may spread from one firm to another (e.g., ransomware attacks), which could potentially exemplify the role of cyber insurance. Second, we have not considered a scenario where cyber insurance influences a firm’s risk prevention decision via best practice guidance, a developing trend especially among smaller firms. It is not immediately clear whether this expanding role of cyber insurance will result in a net gain in social welfare. Third, the premium set for an insured firm may evolve over time as the insurer accrues more knowledge about the insured firm’s risk profile and the threat posed by attackers. A repeated game can better capture such a setting. Fourth, we assume that the risk prevention and risk mitigation functions are concave. Other functional forms could affect the analysis. Romanosky et al. (2019) presented a content analysis on 67 cyber insurance policies and analyzed the scope of their coverage and their pricing, which depended on factors such as business type, asset size, industry, claims history, and security. Future research should consider different types of cyber insurance pricing and how to optimally calibrate the insurance coverage. In particular, fully endogenizing pricing and the insurance parameters such as scope and depth in a general analytical model may provide further insights about the nuanced effects of cyber insurance and practical guidance on its configuration.

Acknowledgments

The authors thank the department editor, associate editor, and anonymous reviewers of Service Science for their thoughtful comments and suggestions.

Endnotes

1 For details, see https://www.globaldata.com/store/report/cybersecurity-theme-analysis/.

2 Incidentally, there has been a call to shift from the traditional risk prevention model, the so-called "Motte and Bailey" model, to a risk mitigation-based "cyber immune system" model (Burrows 2017).

3 Here, action refers to an investment or effort made by the insured party.

4 Another difference in cybersecurity is that the attacker and victim may strategically interact to shape the final security outcomes (Png et al. 2008, Png and Wang 2009, Hui et al. 2017). This is different from the healthcare or natural disaster settings, where the probability of an individual getting affected by a disease or disaster is often exogenously decided by nature. In Section 4.5, we extend our analysis to consider strategic hackers.

5 The scope of coverage specifies the type of incidents that are covered in the cyber insurance policy, for example, losses due to data theft, cyber extortion, and damages to digital assets (Marotta et al. 2017).

6 Cyber insurance coverage may include loss of revenue from security breaches, hiring a forensic or crisis management firm, legal fees, breach notification expenses, and third-party liability and credit monitoring services for customers (Higgins 2014).

7 For more details of these benefits, please refer to https://www.travelers.com/cyber-insurance/4-ways-cyber-insurance-helps-protect-your-business and https://marketing.genexist.com/articles/how-cyber-insurance-helps-you-manage-the-true-cost-of-a-data-breach/.

8 For example, for full coverage (Hofmann 2005, Bolot and Lelarge 2008), $\kappa(x) = x$. For a simple deductible schedule (Pashigian et al. 1966, Gould 1969, Doherty and Schlesinger 1983),

$$\kappa(x) = \begin{cases} 0, & x < d \\ x - d, & x \ge d, \end{cases}$$

where d is the deductible. For coinsurance (Crew 1969, Phelps and Newhouse 1974), $\kappa(x) = \delta x$, where δ represents the proportion of loss borne by the insurer. For insurance with indemnity (Huberman et al. 1983),

$$\kappa(x) = \begin{cases} x, & x < i \\ i, & x \ge i. \end{cases}$$

9 Observing an agent’s actual cybersecurity protection effort is always a challenging problem. We refer interested readers to Hui et al. (2012, 2019) and Lee et al. (2013) for the relevant literature.

10 Source: https://www.prnewswire.com/news-releases/ibm-study-responding-to-cybersecurity-incidents-still-a-major-challenge-for-businesses-300613590.html.

11 For example, AXA presented a cyber claims road map to clients in the event of a cybersecurity breach https://axaxl.com/-/media/xlinsurance/pdfs/professional/cyber-liability/cyber-claims-road-map_axa-xl.pdf.

12 For example, the number of claims reported, direct premiums written and earned, and direct losses paid and incurred.

References