Recently, news of cyber attacks causing major disruption has increased tremendously. In December 2019, Maastricht University’s network was encrypted by attackers using ransomware. This left the university network unavailable to students and employees for two weeks and caused serious problems for students who were preparing for exams or wanted to see their grades. Subsequently, on New Year’s Eve, Travelex was attacked with Sodinokibi ransomware by attackers who exploited a known vulnerability (CVE-2019-11510) in its Pulse Secure Virtual Private Network (VPN) appliance. Travelex had failed to patch the VPN against this known threat, ignoring several notices from Pulse Secure, even though the patch had been available since April 2019. Most recently, it came to light that an exploit was circulating publicly on the internet for a vulnerability (CVE-2019-19781) in Citrix ADC and Citrix Gateway, the appliances organisations use to give remote users access to virtual applications and desktops. This caused several organisations (among them municipalities, ministries and several hospitals) to shut down their Citrix servers. As a result, employees could no longer reach the network from outside, which prevented them from working outside the office. Even though the vulnerabilities in the Citrix and Pulse Secure products were known and communicated by their suppliers, many companies and organisations failed to act. In December 2019, around 3,000 vulnerable Pulse Secure VPN servers were reportedly still unpatched. Giving companies an incentive to raise their level of cyber security has therefore become an important topic, and not only for companies: it is also an important matter for governments.
In order to protect citizens’ data and to increase safety and welfare in society, governments too will benefit from an extra incentive for companies to improve their cyber security.
Insuring without protecting
Although the events above suggest that companies treat cyber threats as something to reckon with and, more importantly, to protect against, this is not always the case. In its Cyber Security Assessment Netherlands 2018, the Dutch Ministry of Justice and Security states that most companies recognise cyber risk and that many of them buy insurance to mitigate it. However, the ministry adds, most of these companies then do not improve their cyber security, which makes it relatively easy for attackers to gain access to their networks, servers and systems. The Maastricht University incident mentioned earlier, which could have been prevented, is a good example of systems not being protected effectively. In its more recent assessment, published on 13-09-2019, the ministry sketched a dark but unfortunately accurate picture: “Disruption of society looms ahead”, adding that resilience is not in order in all areas. The main issues the ministry identifies are the easy availability of advanced attack capabilities, activity by foreign states, and the high dependence on IT brought about by digitisation, compounded by the lack of a fallback for when a severe incident actually occurs. Cyber attacks have become a weapon that can be used to disrupt entire power grids and spread fear. The cabinet asserts that strengthening the resilience of citizens and organisations is necessary in order to capitalise on the opportunities that digitisation offers. The report lists several incentives for companies and organisations to improve their resilience and judges these incentives to be sufficient. The reality, however, which the report itself acknowledges, is that the development of cyber resilience has lagged behind the required level.
Hence, besides the incentive of possible monetary and reputational loss, a direct monetary gain should be offered as an incentive as well. This should not be the government’s responsibility; it should be achieved through insurance policies, as in car insurance, where your claims history determines the rate you pay. It is well established in marketing and psychology that, besides the influence of a possible loss, a certain gain is a major incentive as well. This is known as prospect theory, which covers loss aversion and the certainty effect, both of which influence decision making. Loss aversion is also relevant here because it is the basic principle on which the insurance industry thrives.
Cyber Insurance policies
Given that cyber attacks have increased sharply in recent years, it will come as no surprise that insurance companies have tapped into this new market. Even though the market is relatively young and improvements remain to be made, it has the potential to become a well-functioning, mature market. According to Kesan, Majuca and Yurcik, fixing some of the minor issues in the cyber insurance market will lead to higher security investments, raising the general level of security; they also conclude that it will result in higher overall societal welfare. Nowadays most large insurers offer policies against the losses associated with cyber attacks. Companies such as AON, Centraal Beheer | Achmea and Allianz actively promote policies intended to provide a safety net for the high costs associated with cyber risk. Typically these policies cover the client’s costs in the following categories:
- Third-party liability: damages caused to third parties, administrative fines from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), the costs of internal investigation and the costs of defending against third-party claims in the aftermath.
- Costs directly inflicted on the company: losses from downtime, cyber theft (attackers transferring money or assets from accounts), the cost of repairing software and systems and, perhaps most importantly, the cost of paying a ransom (usually capped at a percentage of the insured amount).
- Crisis management costs: hiring cyber security experts, forensic specialists, legal counsel and communication professionals in the aftermath of an incident.
Obviously insurers package these categories in different ways. Allianz offers a policy that covers all of the above, whereas Achmea offers an opt-in policy that covers the most basic costs and can easily be extended by opting in to cover additional costs.
Although this development helps to protect companies against cyber risk, it has a side effect: it can cause clients to neglect, rather than improve, their cyber security. Commonly associated with the insurance industry are the concepts of moral hazard, adverse selection and imperfect information. If you have studied economics (even just in high school) the following simplified explanation will sound familiar. When someone insures a bicycle at its purchase price, the insured is less likely to lock it any more: if it gets stolen, the insurer repays the full amount anyway. The cyber insurance market needs a measure that minimises or eliminates the effects of moral hazard, adverse selection and imperfect information. Some security experts go further and consider cyber insurance a stimulant for cyber crime, basing this opinion mainly on one specific aspect of the policies: coverage of the ransom. However, most cyber insurance policies only cover a percentage of the ransom, or cover it up to a certain maximum. Besides moral hazard and adverse selection, attention should therefore also be paid to the size of the ransom and to the circumstances under which a ransom is covered. These issues could be addressed simultaneously by introducing dynamically priced policies, based on a cyber risk assessment of the client company rather than on its revenue.
Dynamic pricing of insurance policies
As Chapados et al. show, other insurance markets use policy pricing to give the insured an incentive to lower the risk of a claim, minimising or even removing the effect of moral hazard. Such policies reward clients who do not file claims and penalise those who do, or penalise clients who behave recklessly. In car insurance, for example, the premium gradually goes down as you accumulate claim-free years. More recently, a new model has been introduced in car insurance to determine the monthly premium: usage-based insurance (UBI). UBI was introduced to the personal motor insurance market over a decade ago. Instead of basing premiums on the vehicle’s make and model and the driver’s age, experience and history on the road, UBI bases them on time of usage, distance driven, driving behaviour and places driven to. Usage-based policies are being adopted more and more, and car insurers are understandably enthusiastic about them: they allow the insurer to adjust the monthly premium to the driver’s actual behaviour, which provides an incentive to drive safely and results in fewer accidents and claims. To implement such a concept for cyber insurance effectively, three main issues have to be confronted:
- Assessing security levels:
Acquiring an accurate insight into the client’s cyber security level. This first issue is also the easiest to tackle. Many companies, and even governments, offer risk assessment tests that give an insight into a company’s level of cyber security. Allianz, for example, lets prospective clients assess their cyber security level by filling in a cyber risk assessment. However, that assessment mainly shows clients which risks they are currently exposed to and serves more as an incentive to buy a cyber insurance policy than as a motivation to raise the level of security. Besides insurers and cyber security companies, the government also offers a quick scan based on a number of questions that gives an insight into the level of protection. Like those of the insurers, the government’s test only focuses on preventing cyber incidents. In addition to assessing the general security of a client (the measures that keep unauthorised users out of its network and applications), the risk assessments should also take detection and awareness measures into account. To quote Robert Mueller (2012): “There are two types of companies: those that have been hacked, and those that will be.” He has been proven right, and priority should therefore also be given to shortening the time to detection and to raising awareness among employees and society in general.
- Matching benchmarks to cyber insurance rates:
That is, setting baseline security levels and pricing them accordingly. As Kesan et al. put it, “cyber insurance can facilitate standards for best practices as cyber insurers seek benchmark security levels for risk management decision-making”. This is seen as one of the most important benefits of cyber insurance. Solving this issue and creating a framework of best practices for client companies to implement will raise the overall level of cyber security. It requires insurers to change how they view their policies: switching from a revenue-based premium to a risk-assessment-based premium. That in turn gives clients a fair and well-weighted premium, so that they only pay for the risk they actually carry, and lets them determine their own risk profile: clients choose their level of risk aversion and the premium changes accordingly. This can also remove another economic problem of insurance, adverse selection.
- Continuously auditing cyber security levels:
To make sure that clients improve their cyber security and receive the corresponding benefit (a lower premium), insurers should ideally audit changes in security levels continuously. Matching risk and premium exactly requires a form of continuous auditing. Continuous auditing is usually established by acquiring audit evidence and indicators from IT systems, processes and control measures that are gathered frequently or continuously by an organisation’s “third line of defence”, its internal audit department. KPMG confirms that internal audit departments are often assisted by analytical IT tools to identify failing control measures within systems and applications. Continuous auditing gives the insurer an up-to-date assessment of the risk present at a client, which would enable it to price its policies fully dynamically on that assessment. This way of gathering information about the level of cyber security is, however, very time-consuming and costly. A solution might be the implementation of applications that provide real-time information. PwC has launched such an application for its clients: it continuously analyses processes, transactions and master data, giving real-time insight into organisational control. This Continuous Monitoring Platform integrates existing applications, systems and data sources into one platform and is, according to PwC, compatible with virtually all of them. If insurers create their own version of such a platform, or require clients to implement a continuous monitoring platform offered by their accountant, the time and cost would decrease significantly, making continuous auditing a viable option.
In the current situation, however, without access to such platforms, insurers are more likely to assess the risk once at the start of the contract and then update the assessment annually. In that case, a collaboration with accounting firms would again be a way to acquire the information. Receiving the cyber security assessment drawn up by the client’s accountant gives the insurer a professional insight in a cost-efficient manner, so that it does not have to conduct its own risk assessment. Making it a condition of the insurance agreement that the client shares the cyber risk assessment from its audit report enables the insurer to use that assessment. Another option is an annual audit of the client’s cyber security, conducted by the insurer’s in-house cyber experts. Both options are currently more practical than continuous auditing, but obviously give the insurer less accuracy. They may also lead to clients overpaying towards the end of the year, because new measures they have taken are not yet reflected in the premium, although that is unlikely to be a problem for the insurers themselves.
Another way to obtain some assurance about the level of cyber security is to derive it from the client’s certifications, based on its internal controls, such as ISO 27001. Unfortunately, this gives only limited insight into how well cyber security is controlled: ISO 27001 certifies an information security management system within a scope chosen by the organisation, not the effectiveness of specific technical controls, and it can only be valued in binary terms (the client is ISO 27001 certified or it is not). This would result in only two different premiums and does not accurately base the premium on the actual level of cyber security.
Based on the above, insurers can be expected to choose the middle option, which gives an accurate (although not real-time) insight into the level of cyber security. Whether an insurer audits continuously or annually, it should also follow the recent advice of the World Economic Forum (WEF). In its Cyber Security Guide, the WEF argues that companies in any industry should foster internal and external partnerships in order to deal with cyber threats together and globally. Insurers and accounting and cyber security firms should therefore form global alliances in order to compete against cyber crime as effectively as possible.
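As an added example (not part of the original article, and not any insurer’s or accountant’s actual method), the following Python shows how one continuous-auditing indicator from the paragraphs above, patch latency measured against the vendor’s fix date, could be computed from a client’s asset inventory and then turned into the bonus-malus style premium multiplier that the “matching benchmarks to rates” step calls for. The inventory rows, the 14/30-day remediation SLAs, the multiplier bands and the base premium are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    """One row of the client's asset inventory (constructed format)."""
    name: str
    product: str
    internet_facing: bool
    fix_available: date          # day the vendor published the fix
    patched_on: Optional[date]   # None means the fix has not been applied


# Assumed remediation SLAs in days: exposed systems must be fixed faster.
SLA_DAYS = {True: 14, False: 30}


def patch_latency_days(asset: Asset, as_of: date) -> int:
    """Days between the fix becoming available and it being applied.
    An unpatched asset keeps accumulating latency up to the audit date."""
    end = asset.patched_on or as_of
    return max(0, (end - asset.fix_available).days)


def is_overdue(asset: Asset, as_of: date) -> bool:
    return patch_latency_days(asset, as_of) > SLA_DAYS[asset.internet_facing]


def audit_indicator(assets: List[Asset], as_of: date) -> Dict[str, float]:
    """Aggregate the inventory into the indicators an insurer would track."""
    overdue = [a for a in assets if is_overdue(a, as_of)]
    exposed_unpatched = [a for a in assets
                         if a.internet_facing and a.patched_on is None]
    return {
        "share_overdue": len(overdue) / len(assets),
        "max_latency_days": max(patch_latency_days(a, as_of) for a in assets),
        "exposed_unpatched": len(exposed_unpatched),
    }


def premium_multiplier(ind: Dict[str, float]) -> float:
    """Bonus-malus bands (assumed values): malus for an exposed unpatched
    system or many overdue patches, bonus when everything is within SLA."""
    if ind["exposed_unpatched"] > 0:
        return 1.50
    if ind["share_overdue"] > 0.25:
        return 1.25
    if ind["share_overdue"] > 0.0:
        return 1.10
    return 0.90


def annual_premium(base_premium: float, assets: List[Asset], as_of: date) -> float:
    """Risk-assessment-based premium instead of a revenue-based one."""
    return round(base_premium * premium_multiplier(audit_indicator(assets, as_of)), 2)


# Constructed inventory; the dates describe no real organisation.
AS_OF = date(2019, 12, 31)
INVENTORY = [
    Asset("vpn-gw-1", "SSL VPN gateway", True, date(2019, 4, 25), None),
    Asset("mail-gw-1", "mail gateway", True, date(2019, 11, 1), date(2019, 11, 10)),
    Asset("file-srv-2", "file server", False, date(2019, 11, 1), date(2019, 11, 20)),
    Asset("hr-app-1", "HR application", False, date(2019, 10, 1), date(2019, 11, 15)),
]

# The same client one month later, after the VPN gateway is finally patched
# (still counted as late, but no longer an exposed unpatched system).
AS_OF_AFTER = date(2020, 1, 31)
INVENTORY_AFTER = [replace(INVENTORY[0], patched_on=date(2020, 1, 3))] + INVENTORY[1:]

if __name__ == "__main__":
    for label, assets, as_of in (("before", INVENTORY, AS_OF),
                                 ("after", INVENTORY_AFTER, AS_OF_AFTER)):
        ind = audit_indicator(assets, as_of)
        print(label, ind, "premium:", annual_premium(10000.0, assets, as_of))
```

The point of the indicator is that the premium moves as soon as the audit evidence does: the client pays the malus while an internet-facing gateway sits unpatched for months, and sees the premium drop in the next audit cycle once it is fixed, which is the monetary incentive the article argues a revenue-based premium cannot provide.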
Call to action: implement dynamically priced cyber insurance policies to improve resilience among Dutch companies and organisations
If insurers want to be involved in increasing the general resilience of Dutch companies and organisations against cyber threats, their narrative needs to change. They should not only motivate clients to buy policies, but also actively give them monetary incentives to improve their cyber security. By pricing policies dynamically (raising premiums for poor security and lowering them for good security), a client’s premium is based on the risk it carries instead of on the revenue it generates or wants to insure. If the moral high ground is not incentive enough for insurers to change their policies, the benefits of this approach should convince them. Premiums will be matched more accurately to the risk of claims, addressing moral hazard and adverse selection in the cyber insurance market; reducing adverse selection will in turn increase the number of clients. Changing the way cyber insurance policies are priced thus increases Dutch resilience and societal welfare while maturing the cyber insurance market. A key role in creating a safer cyber environment for business and society in the Netherlands is therefore reserved for the insurers.
- NOS (2019) – “Hackaanval universiteit Maastricht was schot hagel dat te voorkomen was”. Retrieved January 2020 from: https://nos.nl/artikel/2316423-hackaanval-universiteit-maastricht-schot-hagel-dat-te-voorkomen-was.html
- R. Tiwari & A. Koshelev – “Taking a deep dive into Sodinokibi ransomware”. Retrieved January 2020 from:
- P. Muncaster (2019) – “Travelex begins reboot as VPN bug persists”. Retrieved January 2020 from: https://www.infosecurity-magazine.com/news/travelex-begins-reboot-as-vpn-bug/
- National Cyber Security Centre UK – “Citrix Alert”. Retrieved January 2020 from:
- Dutch Ministry of Justice and Security (2018) – “Cyber Security Assessment Netherlands 2018”. Retrieved January 2020 from:
- Dutch Ministry of Justice and Security (2019) – “Cyber Security Assessment Netherlands 2019”. Retrieved January 2020 from:
- Kahneman, D., & Tversky, A. (1979) – “Prospect Theory: An Analysis of Decision under Risk”. Econometrica, 47(2), 263-291. Retrieved January 2020.
- Kesan, J., Majuca, R., & Yurcik, W. (2014, June 5) – “Cyberinsurance as a market-based solution to the problem of cybersecurity – a case study”. Retrieved January 2020 from: https://www.researchgate.net/profile/Jay_Kesan/publication/228669949_Cyberinsurance_as_a_market=based_solution_to_the_problem_of_cybersecurity_a_case_study/links/00b495248e89c569f9000000.pdf
- NOS (2019) – “Verzekeraars vergoeden losgeld bij gijzelsoftware, werkt misdaad in de hand”. Retrieved January 2020 from:
- Rothschild, M., & Stiglitz, J. E. (1976, November) – “Equilibrium in competitive insurance markets: An essay on the economics of imperfect information”. The Quarterly Journal of Economics, 90(4), 630-649. Retrieved January 2020 from: https://www.jstor.org/stable/1885326?origin=JSTOR-pdf&seq=21#metadata_info_tab_contents
- Gordon, L. A., Loeb, M. P., & Sohail, T. (2003) – “A framework for using insurance for cyber-risk management”. Communications of the ACM, 46, 81-85.
- Chapados, N., Bengio, Y., Vincent, P., Ghosn, J., Dugas, C., Takeuchi, I., & Meng, L. (2001, December 8) – “Estimating car insurance premia: a case study in high-dimensional data inference”. Retrieved January 2020 from:
- EY (2016) – “Introducing ‘Pay How You Drive’ (PHYD) Insurance”. Retrieved January 2020.
- KPMG (2019) – “Continuous auditing en continuous monitoring”. Retrieved January 2020 from:
- PwC (2019) – “The continuous monitoring platform leverages existing systems and applications”. Retrieved January 2020 from:
- World Economic Forum (2020) – “The Cyber Security Guide for Leaders in Today’s Digital World”, p. 12. Retrieved January 2020.