Cyber Security Incentives and the Role of Cyber Insurance

This paper outlines the opportunities of and challenges in using cyber insurance to incentivise cyber security practices. Findings are based on a review of existing industry reports and academic research. The paper forms part of an independent research project by RUSI and the University of Kent that provides actionable policy recommendations on how to incentivise cyber security through cyber insurance. They derive from a series of interviews and workshops with insurers, businesses, cyber security providers, government and other key stakeholders. The current evidence about the ability of cyber insurance to improve cyber security practices is limited. While cyber insurers may be able to provide expertise to policyholders and increase their awareness of cyber risks, much of the existing evidence base is largely theoretical and there is still considerable scepticism from customers about the benefits of cyber insurance. The uptake of cyber insurance, particularly by small to medium enterprises (SMEs), remains low. Existing research suggests that some of the overarching factors explaining this are: the high cost of policies and the difficulties insurers face in pricing premiums appropriately; confusion over what types of incidents insurance policies cover (and the issue of ‘silent cyber’); and a lack of understanding of risks stemming from cyber incidents. There is the potential for the cyber insurance market to learn from other insurance markets to increase uptake, although understanding the depth of these connections requires further enquiry. The paper concludes by identifying several policy questions raised by the existing literature. These questions serve to guide the next stage of the project and to prompt new conversations about how cyber insurance might better incentivise cyber security practices.