Cybersecurity insurance and risk-sharing

In today's interconnected digital world, cybersecurity risks and resulting breaches are a fundamental concern to organizations and public policy setters. Accounting firms, as well as other firms providing risk advisory services, are concerned about their clients' potential and actual breaches. Organizations cannot, however, eliminate all cybersecurity risks so as to achieve 100% security. Furthermore, at some point additional cybersecurity measures become more costly than the benefits from the incremental security. Thus, those responsible for preventing cybersecurity breaches within their organizations, as well as those providing risk advisory services to those organizations, need to think in terms of the cost-benefit aspects of cybersecurity investments. Besides investing in activities that prevent or mitigate the negative effects of cybersecurity breaches, organizations can invest in cybersecurity insurance as means of transferring some of the cybersecurity risks associated with potential future breaches. This paper provides a model for selecting the optimal set of cybersecurity insurance policies by a firm, given a finite number of policies being offered by one or more insurance companies. The optimal set of policies for the firm determined by this selection model can (and often does) contain at least three areas of possible losses not covered by the selected policies (called the Non-Coverage areas in this paper). By considering sets of insurance policies with three or more Non-Coverage areas, we show that a firm is often better able to address the frequently cited problems of high deductibles and low ceilings common in today's cybersecurity insurance marketplace. Our selection model facilitates improved risk-sharing among cybersecurity insurance purchasers and sellers. As such, our model provides a basis for a more efficient cybersecurity insurance marketplace than currently exists. Our model is developed from the perspective of a firm purchasing the insurance policies (or the risk advisors guiding the firm) and assumes the firm's objective in purchasing cybersecurity insurance is to minimize the sum of the costs of the premiums associated with the cybersecurity insurance policies selected and the sum of the expected losses not covered by the insurance policies.