
Cyber insurance: a game where information must be shared

The measurement of cyber risk is currently imprecise due to the fragmentation of information, which prevents the creation of robust financial dykes.

Cyber risks - Olivier Lopez - 25 November 2021
Olivier Lopez

Olivier Lopez is Professor of applied mathematics at Sorbonne Université and has been director of its Institute of Statistics (ISUP) since 2016. A fully qualified member of the French Institute of Actuaries, he focuses his research on the use of statistical methodology to quantify risk, especially in insurance. Since 2018 he has co-chaired a Risk Foundation research project on actuarial models for cyber insurance. He has also been scientific director of Detralytics since 2021.


Insurance is a game of asymmetric information, and mastering this information is key to building a viable economic model. It is through good knowledge of the risk that future costs can be anticipated. Insurance is indeed a special industry, characterised by the “inversion of the production chain”: the service—payment of an indemnity—is only produced after the act of purchase and depends on the consumer’s behaviour. Building an insurance product and then managing the associated risk is essentially a problem of prediction. Expertise and models use the information available to quantify the probability of a claim occurring.

This notion of a mathematical game could lend credence to the vision of insurance as a theatre of conflict, or at the very least, of an opposition between two parties with opposing interests. Insurer and insured are each making a bet on the future, and the price results from a balance between their respective analyses. In this anticipation exercise, each party makes its prediction on the basis of different information, hence the asymmetry. The insured party is generally considered to be the better off. It is well aware of its degree of exposure to risk: it is precisely this knowledge and the fear it arouses that has triggered the act of insurance. Nor is it unaware of its own behavioural habits, which may or may not result in a claim, or make it worse. Seen from this angle, the underwriting questionnaire appears to be a parry by the insurer, which is trying to approach the level of risk knowledge of its insured.

This vision of an ‘insurer versus insured’ battle obscures the real benefits of cooperation. Cooperation is always necessary, if only through prevention, in which insurers are major players: the best way for an insurer not to have to pay a claim is for it not to happen. As for the insured party, it generally prefers to avoid experiencing a feared event. But beyond prevention, the case of cyber insurance shows us how vital this collaboration is, because the game here is more complex. In addition to our two traditional participants, a malicious ecosystem invites itself as a third player, pushing its own pawns with its own rules.

This flexibility of the attackers makes the risk very complex to identify. This is the first problem: prediction becomes more difficult, and it is no longer clear that the insured has a better knowledge of the risk. In particular, an SME lacking the necessary technical expertise is unable to consider an issue as complex as the “probabilisation” of an attack. It sometimes even expects the insurer to play the role of “expert”, through the diagnosis made at the time of subscription and its support during the life of the contract. The insurer, whose portfolio covers a large number of entities, would have the possibility of achieving a global understanding of the risk, when each of the individual players can only have a blurred and truncated vision.

Nevertheless, this risk learning is far from easy. The insurer must consolidate the information needed to quantify the cyber risk, and this is not a matter of course. Collecting all kinds of irrelevant data risks drowning the insurer, especially with regard to so-called exposure data; and collecting too much intrusive data on an insured’s security scheme is expensive. Worse, if the insurer were to become a repository of sensitive data on many actors, it would become a prime target for the malicious cyber ecosystem. Cooperation between insurer and insured in this area of information sharing is essential because the interest is mutual, and this exchange must be efficient and parsimonious.

Let us go further and argue that this cooperation should not be limited to a bilateral exchange between an insurer and its client. It must involve all the benevolent players in the cyber world. As mentioned, cyber is not a two-player game. At best, it is a two-sided game, with criminals adapting to changes in the practices of other participants. However, the malicious side is heavily into information sharing. Ransomware-as-a-service (RaaS)—with its genuine customer services for users of hacking software—is a good example. This ability to cooperate gives a huge advantage to the malicious side, preventing convergence to an economic equilibrium. Within the “benevolent” camp, competition between commercial players (especially insurers) must not be based on the retention of information. If each player keeps its knowledge of the risk to itself in the hope of keeping an advantage over its peers, it can only participate in a collective defeat from which the criminals will be the only beneficiaries. No single actor—even one with a global footprint—has sufficient data to assess the height of the wave that a major cyber phenomenon could represent. The challenge is to anticipate this height in order to build the necessary financial dykes.

Cooperation does not mean agreement or collusion. Competition between insurers remains necessary. But for it not to be a simple competition between losers, it must be based on a better vision of risk reinforced by the sharing of information. Such mechanisms already exist in the natural risks sector. To develop offers that are better adapted to the needs of our industry, each player must be able to fully deploy its models (mathematical, economic, and commercial). The development of an environment conducive to correct risk measurement is a prerequisite for this innovation.
