New RUSI report showcases the gap between theory and reality for a still unsophisticated cyber insurance market

A new report released by the Royal United Services Institute (RUSI), authored by Jamie MacColl, Jason Nurse, and James Sullivan, analyzes the role of the cyber insurance industry as an enabler and facilitator for public policymakers aiming to increase the cyber maturity of a given economy.

The question of the role of cyber insurance as part of a national cyber security strategy has been discussed in the academic cyber risk literature for at least 20 years. The early literature on cyber insurance, which did not have a mature market to observe, postulated that cyber insurance is an extremely powerful tool in the hands of a theoretical social planner. It pointed to the minimum security standards necessary to get a cyber policy, the potential cross-financing between cyber insurance and cyber security (money spent on cyber security reduces the cyber insurance premium), and the know-how of cyber insurers that aid their clients in an incident.

However, as the report lays out, this welfare-enhancing effect of cyber insurance has not fully, if at all, materialized. Among the factors contributing to this gap between theory and practice are (1) the competition between carriers, which, especially for small businesses, requires easy-to-understand yet rather superficial self-questionnaires and, therefore, rather weak cyber security requirements to get cyber insurance, (2) the lack of structured data and exchanges within the industry to better price and model cyber damages, and (3) the moral hazard and incentivization of cyber criminals, especially through the coverage and payment of ransomware demands.

Besides the challenges, the report makes policy recommendations, partly based on already published academic work, that can help cyber insurance fulfill its potential. The report is not only a great analysis of the research history and current challenges of the cyber insurance market, but also helps a wide audience avoid a lot of misconceptions about the current state of the art of the cyber ecosystem, which is far less organized and technical than many would suspect. We will also add the report to our suggested list of readings.


Daniel Kasper

Daniel Kasper is the principal of Cyber Economics.