"Scrabble Series Insurance" by ccPixs.com is licensed under CC BY 2.0
My PhD research was animated by the idea that cyber insurance would positively influence cybersecurity outcomes in firms. The idea can be illustrated via an analogy to the insurance that covers your home. Some insurers offer a discount if you install an burglar alarm system or even cover the cost of implementing it. Similarly, the contract may contain exclusions if you do not lock your front-door when you left the house. In this way, property insurance changes the incentive structure around how policyholders secure their home.
Cyber insurance could influence security decisions in the same way. Insurers might offer discounts if firewalls are installed, subsidise the cost of intrusion detection systems, or exclude losses resulting from unpatched systems. Thus, a healthy cyber insurance market could better align cybersecurity incentives. Indeed, this optimism caught the attention of policy-makers, as exemplified by a series of workshops organised by the US Department of Homeland Security and reports authored by the EU’s cybersecurity agency.
For the first chunk of my PhD, I too was optimistic about cyber insurance. This started to crack after I interned at a leading insurance broker and began research interviews with cyber underwriters. Turning my expereinces into academic evidence was difficult, not least because it involves proving a negative, namely that cyber insurance was not influencing cybersecurity.
I assembled as much evidence as possible in an article titled “Does Insurance Have a Future in Governing Cybersecurity?”. The title suggests a forward looking answer, which in retrospect we do not provide. We merely show that cyber insurance had minimal ex-ante impact on cybersecurity when the piece was written. Later work has backed up our point though. I attended a workshop on cyber insurance as goverance, at which an insurance law professor described our argument as the “emerging consensus”, citing both our work and also authors who later published concurring works.
In 2021, I returned to this idea in a paper titled “How Cyber Insurance Shapes Incident Response: A Mixed Methods Study”, which was more optimistic about the ex-post impact. This topic remains close to my heart and I continue to follow researchers actively working in this space.