According to researchers, insurance companies often overestimate the risks they are underwriting since even widespread cyber attacks against client companies do not necessarily result in extensive compensation payouts.
Businesses are taking an increasingly active stance towards preparing for cyber threats, and information security and cyber insurance policies have become increasingly common. At the same time, the companies providing such policies hesitate to offer comprehensive cyber insurance to their clients.
Insurers are afraid that compensation sums will rapidly grow in size, because the insured companies are networked with each other in many ways through their IT systems. This means that a single cyber attack could affect more than one company at a time.
However, a recent study posits that insurance companies have no need to exercise excess caution, as the risks originating in company networks and underwritten by insurers are not as substantial as the insurance companies speculate. The study, entitled ‘When Are Cyber Blackouts in Modern Service Networks Likely? A Network Oblivious Theory On Cyber (Re)Insurance Feasibility’, has been approved for publication in the ACM Transactions on Management Information Systems journal.
Risks accumulated via IT systems
Due to the fact that companies are networked via a range of IT systems and service chains, various risks associated with cybersecurity are often linked with each other. Such systems and chains are provided by large software companies, including Oracle, SAP, HP Enterprise and Fujitsu.
In the case of a cyber attack targeted at one of these large software companies, the impact may radiate to all of the companies using the services provided by the original target. The financial losses incurred from such attacks can add up to billions of dollars.
“A single email containing malware can paralyse an entire organisation. The effect can radiate out to other companies with which the initial target is networked,” says Ranjan Pal, one of the authors of the article and ECE faculty member at the University of Michigan, Ann Arbor.
“If all of these companies start to claim compensation, the cyber insurer easily incurs steep costs. This makes providers of cyber insurance cautious, so they maintain high liability components in their policies,” Pal explains.
Risk accumulated by insurance companies smaller than expected
Treating the linked companies as a single network, the researchers investigated how large a financial risk insurance companies take on in the event of widespread and serious cyber attacks.
Through mathematical analysis, they demonstrated that the networked nature of IT systems actually only has a minor effect on the scope of the risk underwritten by an individual insurance company offering cyber-insurance policies. Even in the case of serious cyber attacks, the risk remained low.
“The study shows that the structure of business networks based to a great extent on IT systems has no significant effect on the financial risk of individual insurers,” says Professor of Computer Science Sasu Tarkoma from the University of Helsinki, who contributed to the project.
“Risk assessment is affected much more considerably by the market value of companies as well as their dependence on individual IT services,” Tarkoma says.
The researchers believe this finding could work towards reassuring insurance companies, since, from the perspective of insurers, the functioning of IT systems and the risk associated with them in business networks have been difficult to model.
“In fact, the selection of cyber insurance on offer could be expanded to also cover larger risks. This would make the selection more balanced and, above all, offer some peace of mind to people who are in need of insurance compensation in the event of attacks,” Tarkoma says.