Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses

2018 ◽  
Vol 43 (02) ◽  
pp. 417-440 ◽  
Author(s):  
Shauhin A. Talesh
Keyword(s):  
Risk Management ◽  
Cyber Security ◽  
Participant Observation ◽  
Legal Regulation ◽  
Insurance Companies ◽  
Organizational Sociology ◽  
Cyber Insurance ◽  
Privacy Laws ◽  
Cyber Risk ◽  
Management Services

While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures on organizational compliance: new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars' research on how institutions govern through risk. Through participant observation at conferences, interviews, and content analysis of insurer manuals and risk management services, my study highlights how insurers act as compliance managers for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber insurance and unique risk management services that influence the ways organizations comply with privacy laws.

scholarly journals Optimal Investment in Cyber-Security under Cyber Insurance for a Multi-Branch Firm

Risks ◽  
2021 ◽  
Vol 9 (1) ◽  
pp. 24
Author(s):  
Alessandro Mazzoccoli ◽  
Maurizio Naldi
Keyword(s):  
Risk Management ◽  
Cyber Security ◽  
Management Strategies ◽  
Limited Liability ◽  
Optimal Investment ◽  
Cyber Insurance ◽  
Risk Management Strategies ◽  
Cyber Risk ◽  
Investment Choices ◽  
Very High

Investments in security and cyber-insurance are two cyber-risk management strategies that can be employed together to optimize the overall security expense. In this paper, we provide a closed form for the optimal investment under a full set of insurance liability scenarios (full liability, limited liability, and limited liability with deductibles) when we consider a multi-branch firm with correlated vulnerability. The insurance component results to be the major expense. It ends up being the only recommended approach (i.e., setting zero investments in security) when the intrinsic vulnerability is either very low or very high. We also study the robustness of the investment choices when our knowledge of vulnerability and correlation is uncertain, concluding that the uncertainty induced on investment by either uncertain correlation or uncertain vulnerability is not significant.

scholarly journals Cyber operational risk scenarios for insurance companies

2019 ◽  
Vol 24 ◽  
Author(s):  
R. Egan ◽  
S. Cartagena ◽  
R. Mohamed ◽  
V. Gosrani ◽  
J. Grewal ◽  
...  
Keyword(s):  
Cyber Security ◽  
Operational Risk ◽  
Social Engineering ◽  
Insurance Companies ◽  
List Type ◽  
Operational Risks ◽  
Life Insurer ◽  
Cyber Risk ◽  
The Impact ◽  
Over Time

AbstractCyber Operational Risk: Cyber risk is routinely cited as one of the most important sources of operational risks facing organisations today, in various publications and surveys. Further, in recent years, cyber risk has entered the public conscience through highly publicised events involving affected UK organisations such as TalkTalk, Morrisons and the NHS. Regulators and legislators are increasing their focus on this topic, with General Data Protection Regulation (“GDPR”) a notable example of this. Risk actuaries and other risk management professionals at insurance companies therefore need to have a robust assessment of the potential losses stemming from cyber risk that their organisations may face. They should be able to do this as part of an overall risk management framework and be able to demonstrate this to stakeholders such as regulators and shareholders. Given that cyber risks are still very much new territory for insurers and there is no commonly accepted practice, this paper describes a proposed framework in which to perform such an assessment. As part of this, we leverage two existing frameworks – the Chief Risk Officer (“CRO”) Forum cyber incident taxonomy, and the National Institute of Standards and Technology (“NIST”) framework – to describe the taxonomy of a cyber incident, and the relevant cyber security and risk mitigation items for the incident in question, respectively.Summary of Results: Three detailed scenarios have been investigated by the working party:∙Employee leaks data at a general (non-life) insurer: Internal attack through social engineering, causing large compensation costs and regulatory fines, driving a 1 in 200 loss of £210.5m (c. 2% of annual revenue).∙Cyber extortion at a life insurer: External attack through social engineering, causing large business interruption and reputational damage, driving a 1 in 200 loss of £179.5m (c. 6% of annual revenue).∙Motor insurer telematics device hack: External attack through software vulnerabilities, causing large remediation / device replacement costs, driving a 1 in 200 loss of £70.0m (c. 18% of annual revenue).Limitations: The following sets out key limitations of the work set out in this paper:∙While the presented scenarios are deemed material at this point in time, the threat landscape moves fast and could render specific narratives and calibrations obsolete within a short-time frame.∙There is a lack of historical data to base certain scenarios on and therefore a high level of subjectivity is used to calibrate them.∙No attempt has been made to make an allowance for seasonality of renewals (a cyber event coinciding with peak renewal season could exacerbate cost impacts)∙No consideration has been given to the impact of the event on the share price of the company.∙Correlation with other risk types has not been explicitly considered.Conclusions: Cyber risk is a very real threat and should not be ignored or treated lightly in operational risk frameworks, as it has the potential to threaten the ongoing viability of an organisation. Risk managers and capital actuaries should be aware of the various sources of cyber risk and the potential impacts to ensure that the business is sufficiently prepared for such an event. When it comes to quantifying the impact of cyber risk on the operations of an insurer there are significant challenges. Not least that the threat landscape is ever changing and there is a lack of historical experience to base assumptions off. Given this uncertainty, this paper sets out a framework upon which readers can bring consistency to the way scenarios are developed over time. It provides a common taxonomy to ensure that key aspects of cyber risk are considered and sets out examples of how to implement the framework. It is critical that insurers endeavour to understand cyber risk better and look to refine assumptions over time as new information is received. In addition to ensuring that sufficient capital is being held for key operational risks, the investment in understanding cyber risk now will help to educate senior management and could have benefits through influencing internal cyber security capabilities.

scholarly journals Analysing IoT Cyber Risk for Estimating IoT Cyber Insurance

2019 ◽  
Author(s):  
Petar Radanliev ◽  
Rafael Mantilla Montalvo ◽  
Razvan Nicolescu ◽  
Michael Huth ◽  
Stacy Cannady ◽  
...  
Keyword(s):  
Impact Assessment ◽  
Cyber Security ◽  
Industry 4.0 ◽  
Assessment Model ◽  
Theory Approach ◽  
Academic Literature ◽  
Cyber Insurance ◽  
Cyber Risk ◽  
Quantitative Impact ◽  
Grounded Theory Approach

This paper is focused on mapping the current evolution of Internet of Things (IoT) and its associated cyber risks for the Industry 4.0 (I4.0) sector. We report the results of a qualitative empirical study that correlates academic literature with 14 - I4.0 frameworks and initiatives. We apply the grounded theory approach to synthesise the findings from our literature review, to compare the cyber security frameworks and cyber security quantitative impact assessment models, with the world leading I4.0 technological trends. From the findings, we build a new impact assessment model of IoT cyber risk in Industry 4.0. We therefore advance the efforts of integrating standards and governance into Industry 4.0 and offer a better understanding of economics impact assessment models for I4.0.

Cyber risk management in SMEs: insights from industry surveys

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Felicitas Hoppe ◽  
Nadine Gatzert ◽  
Petra Gruner
Keyword(s):  
Risk Management ◽  
Cyber Security ◽  
Future Research ◽  
Management Process ◽  
Content Type ◽  
Security Culture ◽  
Current State ◽  
Enterprise Risk ◽  
Risk Management Process ◽  
Cyber Risk

PurposeThis article aims to gain insights on the current state of small- and medium-sized enterprises’ (SMEs’) cyber risk management process and to derive future research directions.Design/methodology/approachThis is done by collecting market insights from 37 recent industry surveys and structuring them based on the steps of the risk management process. From this analysis, major challenges are derived and future fields of research identified.FindingsThe results indicate that deficiencies in risk culture as well as the strained market for IT experts are the major obstacles with respect to the implementation of cyber risk management in SMEs, and that these challenges are similar across countries. The findings suggest that especially the relationship between cyber security culture and cyber risk management should be investigated further, and that a stronger link between the research streams on enterprise risk management and cyber risk management would be desirable.Originality/valueThis paper contributes to the literature by providing a systematic overview on the current state of SMEs' cyber risk management from a market perspective. The findings provide support for the existing academic literature by emphasizing the central role of cyber security culture (perception, knowledge, attitude) for a successful cyber risk management, which however should be addressed in more depth in future (empirical) research.

Cyber Insurance as a Way of Cyber Risks Management

2019 ◽  
Vol 7 (5) ◽  
pp. 35-42
Author(s):  
Александр Суворов ◽  
Aleksandr Suvorov ◽  
Мария Матанцева ◽  
Mariya Matanceva ◽  
Евгения Плотникова ◽  
...  
Keyword(s):  
Cyber Security ◽  
Insurance Industry ◽  
Security Level ◽  
Controversial Issues ◽  
It Infrastructure ◽  
Software Products ◽  
Cyber Insurance ◽  
Risk Insurance ◽  
Commercial Organization ◽  
Cyber Risk

A review of the cyber insurance domain has been carried out with a description of classical terms from the insurance industry. Have been considered two the most comprehensive today definitions of cyber risk in authors’ opinion. A diagram of processes for cyber risk management using insurance has been presented, and the place of cyber-risk among other company’s risks has been demonstrated, i. e. the context of cyber risk among the risks of any commercial organization has been shown. A typical cyber insurance process has been described, and a scheme of cyber insurance processes has been developed. A brief description of problem areas and controversial issues in cyber insurance, with which cyber-risk insurance practices may face, has been presented, as well as a table showing at which stage of cyber-insurance the specific problems may arise. Has been provided the basic economic utility function, which formalizes decision making for agents with a different attitude to risk. Standards in cyber security, and various software products that can be used as a tool for assessing the security level of an enterprise’s IT infrastructure have been presented, and it has been demonstrated how these products can help in cyber risk assessment. Different methods used at each stage of cyber insurance have been shown.

scholarly journals Cyber Insurance Ratemaking: A Graph Mining Approach

Risks ◽  
2021 ◽  
Vol 9 (12) ◽  
pp. 224
Author(s):  
Yeftanus Antonio ◽  
Sapto Wahyu Indratno ◽  
Rinovia Simanjuntak
Keyword(s):  
Graph Mining ◽  
Risk Model ◽  
Critical Issue ◽  
Insurance Companies ◽  
Infection Rates ◽  
Network Characteristics ◽  
Cyber Insurance ◽  
Competitive Prices ◽  
Unweighted Network ◽  
Cyber Risk

Cyber insurance ratemaking (CIRM) is a procedure used to set rates (or prices) for cyber insurance products provided by insurance companies. Rate estimation is a critical issue for cyber insurance products. This problem arises because of the unavailability of actuarial data and the uncertainty of normative standards of cyber risk. Most cyber risk analyses do not consider the connection between Information Communication and Technology (ICT) sources. Recently, a cyber risk model was developed that considered the network structure. However, the analysis of this model remains limited to an unweighted network. To address this issue, we propose using a graph mining approach (GMA) to CIRM, which can be applied to obtain fair and competitive prices based on weighted network characteristics. This study differs from previous studies in that it adds the GMA to CIRM and uses communication models to explain the frequency of communications as weights in the network. We used the heterogeneous generalized susceptible-infectious-susceptible model to accommodate different infection rates. Our approach adds up to the existing method because it considers the communication frequency and GMA in CIRM. This approach results in heterogeneous premiums. Additionally, GMA can choose more active communications to reflect high communications contribution in the premiums or rates. This contribution is not found when the infection rates are the same. Based on our experimental results, it is apparent that this method can produce more reasonable and competitive prices than other methods. The prices obtained with GMA and communication factors are lower than those obtained without GMA and communication factors.

Obtaining reasonable assurance on cyber resilience

2019 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Filip Caron
Keyword(s):  
Risk Management ◽  
Real World ◽  
Cyber Security ◽  
Design Methodology ◽  
Content Type ◽  
Security Controls ◽  
Conceptual Designs ◽  
Testing Techniques ◽  
Traditional Process ◽  
Cyber Risk

PurposeThe purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.Design/methodology/approachThe paper starts with an identification of the applicable cyber-testing techniques and evaluates their applicability to generally accepted assurance schemes and cyber-security guidelines.FindingsCyber-testing techniques are providing insight in the effectiveness of the actual implementation of cyber-security controls, which may significantly deviate from the conceptual designs of these controls. Furthermore, cyber-testing techniques could provide concise input for cyber-risk management and improvement recommendations.Originality/valueThe presented cyber-testing techniques could complement traditional process-oriented assurance techniques with specialized technical analyses of real-world implementations that focus on the adversaries’ viewpoint.

scholarly journals RISK MANAGEMENT IN THE FINANCIAL SECTOR OF UKRAINE IN THE CONTEXT OF CYBER THREATS AND POST-PANDEMIC ECONOMIC RECOVERY

2021 ◽  
pp. 19-27
Author(s):  
Nazar Demchyshak ◽  
Anastasiia Shkyria
Keyword(s):  
Risk Management ◽  
National Security ◽  
Cyber Security ◽  
Financial Sector ◽  
Cyber Attacks ◽  
Cyber Threats ◽  
The World ◽  
Cyber Threat ◽  
Security Index ◽  
Cyber Risk

Purpose. The aim of the article is substantiation of approaches of domestic and foreign scientists to risk management in the financial sector of Ukraine in the context of cyber threats and the need to ensure national security and post-pandemic economic recovery. Methodology of research. General scientific and special methods of scientific research are used in the article, in particular: induction, deduction, scientific abstraction - to reveal the essence of the concepts of "cyber threat", “cyber security" and "digitalization"; statistical and graphical methods - to assess the current situation in the field of cyber defence in the world and the national cyber security index; methods of analysis and synthesis - in substantiating the conclusions of the research. Finding. Definitions of cyber risk, approaches to its interpretation and classification were considered. The importance of cyber security in the digitalization of the national economy was argued. The Strategy of Ukrainian Financial Sector Development until 2025 is analysed. The world statistics of frequency and losses due to cyber-attacks are studied and the cyber threats that caused the greatest losses in Ukraine are identified. The analysis of Ukraine’s positions in the National Cyber Security Index 2020 is carried out. The directions of cyber threat prevention that can be useful for Ukrainian companies are substantiated. Originality. The author’s definition of the term "cyber risk" is proposed, in which special attention in focused on the effects of cyber threats. The importance of cyber risk management in the conditions of inevitability of digitalization in the financial sector of Ukraine is substantiated. Approaches to the prevention of cyber-attacks, the implementation of which is necessary for the successful digital transformation of Ukraine, are proposed. Practical value. The results of the research will contribute to the formation of an effective risk management system in the financial sector of Ukraine in terms of digitalization of the financial space and post-pandemic recovery of the national economy. Key words: national security, cyber risk, cyber threat, cyber defence, digitalization, post-pandemic recovery, fintech.

scholarly journals ROADMAP FOR THE INTRODUCTION OF CYBER INSURANCE IN UKRAINE

2021 ◽  
pp. 217-226
Author(s):  
N.V. Prykaziuk ◽  
◽  
L.S. Gumenyuk ◽  
Keyword(s):  
Cyber Security ◽  
Customer Orientation ◽  
Cyber Attacks ◽  
Insurance Market ◽  
Insurance Companies ◽  
Insurance Markets ◽  
Cyber Insurance ◽  
Current State ◽  
Mechanism Of Interaction ◽  
Goals And Objectives

The article examines the process of implementing cyber insurance in the world and proposes a Roadmap for implementation in Ukraine. The key goals and objectives facing the insurance market of Ukraine and the regulator in order to achieve this goal are considered. Approximate deadlines for the necessary measures to prepare for the introduction of cyber insurance in the Ukrainian economy are outlined. The key features of regulations in the field of cyber security in the EU and Australia are highlighted and ways to adapt them in Ukraine are proposed. Promising means to increase the security of individuals and legal entities in the digital space on the example of the mechanism of interaction between insurers and expert organizations in Australia. The main vectors of cooperation between insurance companies and expert organizations in the field of cyber security in the Ukrainian and global insurance markets are listed. A system of interaction between the subjects of cyber-insurance relations with the positioning of the insured in the center of relations as a key participant in insurance has been developed, which proves the high customer orientation of this area of ​​insurance business. The current problems of the Ukrainian insurance market are substantiated and the ways of their solution through the mechanism of cyber insurance implementation are offered: modeling of the mechanism of estimation of losses from cyber attacks, monitoring of the current state of insurers, development of ways to minimize cyber incidents. The dynamics of cyber incidents in 2020 is analyzed and the correlation between the occurrence of global lockdowns caused by COVID-19 and the growth in the number of cyber attacks is revealed. Based on the analysis, it is proved that the introduction of cyber insurance in Ukraine is a necessary tool to protect all participants in insurance relations from cyber risks and for the development of the insurance market as a whole.

scholarly journals Legal problems of insurance protection against cyber risks in space activities

2021 ◽  
pp. 268-276
Author(s):  
Nataliia Krasilich
Keyword(s):  
State Regulation ◽  
Cyber Attacks ◽  
Insurance Companies ◽  
Cyber Insurance ◽  
Insurance Contracts ◽  
Cyber Threats ◽  
Risk Insurance ◽  
Cyber Risk ◽  
Space Activities ◽  
Insured Event

General global trends in space activities are largely related to the need to protect space information technology from possible cyber threats. The issue of cybersecurity in space activities needs to be thoroughly studied and resolved, as the current state of space activities and existing mechanisms of international and state regulation do not provide a sufficient solution. Disruption of the process of receiving and exchanging information through space information systems can lead to significant consequences. The growing number of cyber threats is becoming more common and destructive. Therefore, the assessment of cyber vulnerabilities in space systems is an important task that must be addressed both at the stage of creation and development, and in the operation of such systems. This, in turn, requires the availability of tools to address the above tasks and qualified personnel. One of the legal ways to protect against the negative effects of cyber threats, including in the field of space activities, may be cyber risk insurance, as a financial and legal mechanism for compensation, loss of losses caused by cyber attacks. In Ukraine, cyber insurance is in its infancy and needs to develop innovative approaches to further development, taking into account the accumulated positive experience of foreign countries in this area. At the moment, insurance companies are only developing the practice of cyber risk insurance and such insurance contracts are isolated. In the current environment, as a rule, the issue of cyber risk insurance is included in comprehensive property insurance contracts, liability insurance, financial risks, which significantly limits the compensation of damages. The main difficulty in the process of indemnification under a cyber risk insurance contract is to record the fact of the insured event, the amount of damage and prove the causal link between the insured event and the claimed losses, as the amount of damage must not only be calculated but also documented. Space information technologies, which are increasingly penetrating economic and social processes, necessitate the development of a segment of cyber insurance in the field of space activities, which will provide adequate insurance protection and compensation for damages to the insured due to cyber incidents. Cyber risk insurance issues should be reflected in national legislation.

Sign in / Sign up

Export Citation Format

Share Document