Cyber Insurance and Post-Breach Services: A Normative Analysis

Author:

Hui Wendy (1), Hui Kai-Lung (2), Yue Wei T. (3)

Affiliation:

1. Singapore Institute of Technology, Singapore 138683;

2. Department of Information Systems, Business Statistics, and Operations Management, School of Business and Management, Hong Kong University of Science and Technology, Clear Water Bay, Hong Kong;

3. Department of Information Systems, College of Business, City University of Hong Kong, Kowloon Tong, Hong Kong

Abstract

Cyber insurance is becoming an essential tool for managing cybersecurity risks. In this study, we analyze how having the option to subscribe to cyber insurance services affects firms’ risk prevention and mitigation decisions. We model the scenario where the firm purchases cyber insurance in a competitive insurance market and compare it against the case when it does not purchase cyber insurance. When there is a breach, cyber insurance can help cover mitigation expenses and breach losses. Consistent with the prior literature, we find that in most cases cyber insurance exacerbates ex ante moral hazard by decreasing expected risk prevention. However, it enhances ex post efforts by increasing expected risk mitigation, which can lead to more positive outcomes for the insured firm. The mechanism involves designing the contract with a delicate calibration of the coverage of breach losses and the coinsurance rate. Moreover, the findings highlight the importance of a healthy risk mitigation service market in managing cybersecurity risks.

Funding: This research was supported in part by the Hong Kong SAR General Research Fund project [16502417].

Supplemental Material: The e-companion is available at https://doi.org/10.1287/serv.2021.0120.

Publisher

Institute for Operations Research and the Management Sciences (INFORMS)

