Special Issue: Cyber Risk and Cyber Insurance
Note: This series is compiled from the original journal's table of contents and abstracts and is intended only for readers' exchange and study. If it infringes any rights, please contact us for removal.
About the journal: The Geneva Papers on Risk and Insurance - Issues and Practice, founded in 1976, is an international academic journal published by The Geneva Association. It focuses on frontier topics in insurance economics and aims to bridge the insurance academic community and industry professionals and to raise the profession's expertise. It is a quarterly (4 issues a year) publishing about 10 articles per issue; its 2022-2023 impact factor is 1.6.
● New advances on cyber risk and cyber insurance
● Insurance and enterprise: cyber insurance for ransomware
● How cyber insurance influences the ransomware payment decision: theory and evidence
● Coordination of cyber security risk management in the U.K. insurance sector
● Cyber loss model risk translates to premium mispricing and risk sensitivity
● Modelling and predicting enterprise-level cyber risks in the context of sparse data availability
● Modelling maximum cyber incident losses of German organisations: an empirical study and modified extreme value distribution approach
● Risk mitigation services in cyber insurance: optimal contract design and price structure
New advances on cyber risk and cyber insurance (editorial for this issue)
Martin Boyer (University of Montreal), Martin Eling (University of St. Gallen)
Abstract: This is the third special issue of The Geneva Papers on Risk and Insurance—Issues and Practice devoted to cyber risk and cyber insurance (previous issues were published in April 2018 and October 2020). Interest in the topic of cyber risk and cyber risk insurance has been increasing over the last years, both in industry and academia. We document a steady growth of academic research on cyber risk and cyber risk insurance (see Fig. 1 in “Appendix 1”), not only in computer science but also increasingly in business and economics (see Fig. 2 in “Appendix 2”). There have also been top publications in finance, economics and management journals focussing on market reactions to cyber risk events (Kamiya et al. 2021; Foerderer and Schuetz 2022; Florackis et al. 2023) and potential systemic risks arising from such events (August et al. 2022; Eisenbach et al. 2022; Crosignani et al. 2023). Yet, insurance is not a major component of this research.
With this special issue, we contribute to this emerging field of literature with seven articles. Two of them focus on ransomware insurance, while three consider cyber loss modelling. The remaining two consider cyber risk management in general, with one paper looking at the coordination of cybersecurity management and the other at risk mitigation and optimal contract design for cyber insurance. As in the two previous special issues, the articles come from different methodological backgrounds and focus on different industries. This editorial summarises the papers included in this special issue and then highlights some potential avenues for future research. The goal of the issue is to not only present new contributions on one of the timeliest topics in research and practice but also to stimulate future research on cyber risk and cyber risk insurance.
Original article: https://link.springer.com/article/10.1057/s41288-023-00294-w
Insurance and enterprise: cyber insurance for ransomware
Tom Baker (University of Pennsylvania), Anja Shortland (King's College London)
Abstract: Selling insurance gives insurers an incentive to manage insured risks. The “insurance-as-governance” literature demonstrates that insurers often make insurance conditional on ex ante risk reduction or mitigation. But insurance governs in support of enterprise, not security for its own sake. Tight underwriting inhibits enterprise—not only for insured businesses but also for the business of insurance. This paper highlights ex post loss reduction as a form of insurance-based governance. Drawing on interviews with industry insiders, we explore how insurers addressed the evolving problems of moral hazard, uncertainty and correlated losses since the 1990s. We find that cyber insurance developed sophisticated remedies to contain liabilities and quickly restore affected IT systems, but largely left security decisions to the insured. This facilitated enterprise in the short run but undermined security in the longer term: funding and expediting ransom payments encourages further attacks. As businesses improved their resilience, cybercriminals adapted and ransoms escalated, calling insurability into question. Yet there remains little appetite for imposing restrictive conditionality in this highly competitive market. Instead, insurers have turned to governments to contain criminal threats and cushion catastrophic losses.
Original article: https://link.springer.com/article/10.1057/s41288-022-00281-7
How cyber insurance influences the ransomware payment decision: theory and evidence
Anna Cartwright (Oxford Brookes University), Edward Cartwright (De Montfort University), Jamie MacColl (Royal United Services Institute), Gareth Mott (University of Kent), Sarah Turner (University of Kent), James Sullivan (Royal United Services Institute), Jason R. C. Nurse (University of Kent)
Abstract: In this paper, we analyse how cyber insurance influences the cost–benefit decision-making process of a ransomware victim. Specifically, we ask whether organisations with cyber insurance are more likely to pay a ransom than non-insureds. We propose a game-theoretic framework with which to categorise and distinguish different channels through which insurance may influence victim decision making. This allows us to identify ways in which insurance may incentivise or disincentivise payment of the ransom. Our framework is informed by data from semi-structured interviews with 65 professionals with expertise in cyber insurance, cybersecurity and/or ransomware, as well as data from the U.K. Cyber Security Breaches Survey. We find that perceptions are divided on whether victims with insurance are more (or less) likely to pay a ransom. Our model can reconcile these views once we take into account context specifics, such as the severity of the attack as measured by business interruption and restoration and/or the exfiltration of sensitive data.
Original article: https://link.springer.com/article/10.1057/s41288-023-00288-8
Coordination of cybersecurity risk management in the U.K. insurance sector
Abstract: The increasing threat of cyberattacks has resulted in increased efforts by both the U.K. government and regulatory authorities to coordinate efforts to influence cybersecurity risk management practices in the U.K. insurance sector, focusing on cyber risk underwriters. This paper provides an evaluation of these arrangements. It first provides a descriptive overview of the key U.K. regulatory authorities and the evolution of their efforts over the past decade, as well as the scope for broader collaborations with industry and member-based associations and international organisations. It then evaluates the effectiveness of these efforts by providing a multi-method study of the incidence, nature and evolution of cost of data breaches, investment in computer systems and software intangible assets at risk of cyberattack, and a content analysis of annual reports of both U.K. regulators and a sample of U.K. insurers. The findings suggest that while both the total costs of data breaches and the size of investment in computer systems and software intangibles at risk of cyberattack have gradually increased over time, the degree of engagement with cyber as a reporting issue by both cyber insurers and financial regulators has not. It is concluded that while these efforts have been apparently successful in avoiding a large-scale, systemic cyberattack on the U.K. insurance industry, there are significant gaps and overlaps in the system of cyber regulatory oversight.
Original article: https://link.springer.com/article/10.1057/s41288-023-00287-9
Cyber loss model risk translates to premium mispricing and risk sensitivity
Gareth W. Peters (University of California, Santa Barbara); Matteo Malavasi (Macquarie University); Georgy Sofronov (Macquarie University); Pavel V. Shevchenko (Macquarie University); Stefan Trück (Macquarie University); Jiwook Jang (Macquarie University)
Abstract: In this paper we focus on model risk and risk sensitivity when addressing the insurability of cyber risk. The standard statistical approaches to assessment of insurability and potential mispricing are enhanced in several aspects involving consideration of model risk. Model risk can arise from model uncertainty and parameter uncertainty. We demonstrate how to quantify the effect of model risk in this analysis by incorporating various robust estimators for key model parameters that apply in both marginal and joint cyber risk loss process modelling. Through this analysis we are able to address the question that, to the best of our knowledge, no other study has investigated in the context of cyber risk: is model risk present in cyber risk data, and how does it translate into premium mispricing? We believe our findings should complement existing studies seeking to explore the insurability of cyber losses.
Original article: https://link.springer.com/article/10.1057/s41288-023-00285-x
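The abstract above states the mechanism (parameter uncertainty in a heavy-tailed loss model moves the premium) without showing it. The following is an added illustration written for this page, not code or a method from Peters et al.: losses are assumed lognormal with mu = 10 and sigma = 1.5 on the log scale, a deterministic sample is built from the quantile function, and the largest 5% of losses are then inflated 100-fold as a constructed tail shock. A maximum-likelihood fit is compared with a simple median/MAD robust fit, and the pure premium and a 99% loss quantile are recomputed under each. The parameter values, the contamination rule and the two estimators are all assumptions of this example.

```python
"""Added example (not from the paper): parameter estimation risk in a
heavy-tailed cyber loss model and its effect on the pure premium.

Assumed model: annual loss X ~ LogNormal(MU, SIGMA). All data below is
constructed in code; nothing is taken from the study's dataset.
"""
from math import exp, log, sqrt
from statistics import NormalDist, mean, median

MU, SIGMA, N = 10.0, 1.5, 1000   # assumed log-scale parameters and sample size
MAD_SCALE = 1.4826               # scales MAD to sigma for normally distributed logs


def make_clean_sample(mu=MU, sigma=SIGMA, n=N):
    """Deterministic lognormal 'sample': mid-point quantiles of the assumed law."""
    nd = NormalDist(mu, sigma)
    return [exp(nd.inv_cdf((i + 0.5) / n)) for i in range(n)]


def contaminate(losses, share=0.05, factor=100.0):
    """Constructed tail shock: inflate the largest `share` of losses by `factor`."""
    k = int(len(losses) * share)
    if k == 0:
        return list(losses)
    ordered = sorted(losses)
    return ordered[:-k] + [x * factor for x in ordered[-k:]]


def fit_mle(losses):
    """Lognormal MLE: mean and (biased) standard deviation of log-losses."""
    logs = [log(x) for x in losses]
    m = mean(logs)
    s = sqrt(sum((v - m) ** 2 for v in logs) / len(logs))
    return m, s


def fit_robust(losses):
    """Robust lognormal fit: median and scaled MAD of log-losses."""
    logs = [log(x) for x in losses]
    m = median(logs)
    s = MAD_SCALE * median(abs(v - m) for v in logs)
    return m, s


def pure_premium(mu, sigma):
    """E[X] for X ~ LogNormal(mu, sigma): the pure (expected-loss) premium."""
    return exp(mu + sigma ** 2 / 2)


def loss_quantile(mu, sigma, p=0.99):
    """p-quantile of the fitted lognormal, a tail measure a pricer loads for."""
    return exp(mu + sigma * NormalDist().inv_cdf(p))


def premium_shift(fitter, clean, dirty):
    """Log-ratio of the pure premium after vs before the tail shock."""
    return log(pure_premium(*fitter(dirty)) / pure_premium(*fitter(clean)))


def model_risk_report():
    """Premium and 99%-quantile sensitivity of each estimator to the shock."""
    clean = make_clean_sample()
    dirty = contaminate(clean)
    return {
        "mle_shift": premium_shift(fit_mle, clean, dirty),
        "robust_shift": premium_shift(fit_robust, clean, dirty),
        "mle_q99_ratio": loss_quantile(*fit_mle(dirty)) / loss_quantile(*fit_mle(clean)),
        "robust_q99_ratio": loss_quantile(*fit_robust(dirty)) / loss_quantile(*fit_robust(clean)),
    }


if __name__ == "__main__":
    for name, value in model_risk_report().items():
        print(f"{name}: {value:.3f}")
```

Under the MLE fit the 5% tail shock roughly quadruples the pure premium and multiplies the 99% quantile several times over, because every inflated observation pulls both the log-mean and the log-variance. The median/MAD fit does not move at all, since the shock only rescales observations that were already in the top tail. That is the trade-off the abstract's "model risk" points at: a robust estimator protects the premium against a few bad data points, but if the extreme losses are genuine it ignores exactly the information the tail load should reflect, so the choice of estimator is itself a pricing decision that should be reported alongside the premium.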
Modelling and predicting enterprise-level cyber risks in the context of sparse data availability
Daniel Zängerle (Technical University of Darmstadt); Dirk Schiereck (Technical University of Darmstadt)
Abstract: Despite growing attention to cyber risks in research and practice, quantitative cyber risk assessments remain limited, mainly due to a lack of reliable data. This analysis leverages sparse historical data to quantify the financial impact of cyber incidents at the enterprise level. For this purpose, an operational risk database—which has not been previously used in cyber research—was examined to model and predict the likelihood, severity and time dependence of a company’s cyber risk exposure. The proposed model can predict a negative time correlation, indicating that individual cyber exposure is increasing if no cyber loss has been reported in previous years, and vice versa. The results suggest that the probability of a cyber incident correlates with the subindustry, with the insurance sector being particularly exposed. The predicted financial losses from a cyber incident are less extreme than cited in recent investigations. The study confirms that cyber risks are heavy-tailed, jeopardising business operations and profitability.
Original article: https://link.springer.com/article/10.1057/s41288-022-00282-6
Modelling maximum cyber incident losses of German organisations: an empirical study and modified extreme value distribution approach
Bennet von Skarczinski (PwC), Mathias Raschke (Ecclesia Re), Frank Teuteberg (Osnabrück University)
Abstract: Cyber incidents are among the most critical business risks for organisations and can lead to large financial losses. However, previous research on loss modelling is based on unassured data sources because the representativeness and completeness of op-risk databases cannot be assured. Moreover, there is a lack of modelling approaches that focus on the tail behaviour and adequately account for extreme losses. In this paper, we introduce a novel ‘tempered’ generalised extreme value (GEV) approach. Based on a stratified random sample of 5000 interviewed German organisations, we model different loss distributions and compare them to our empirical data using graphical analysis and goodness-of-fit tests. We differentiate various subsamples (industry, size, attack type, loss type) and find our modified GEV outperforms other distributions, such as the lognormal and Weibull distributions. Finally, we calculate losses for the German economy, present application examples, derive implications as well as discuss the comparison of loss estimates in the literature.
Original article: https://link.springer.com/article/10.1057/s41288-023-00293-x