On the limits of cyber-insurance

It has been argued that cyber-insurance will create the right kind of security atmosphere on the Internet. It will provide incentive (through lowered premiums) to firms to better secure their network thus reducing the threat of first party as well as third party damage, promote gathering and sharing of information security related incidents thus aiding development of global information security standards and practices, and finally, increase the overall social welfare by decreasing the variance of losses faced by individual firms via risk pooling as in other kinds of insurance. However, a unique aspect of cyber-risks is the high level of correlation in risk (e.g. worms and viruses) that affects both the insurer and the insured. In this paper, we present a discussion on the factors that influence the correlation in cyber-risks both at a global level, i.e. correlation across independent firms in an insurer's portfolio, and at a local level, i.e. correlation of risk within a single firm. While global risk correlation influences insurers' decision in setting the premium, the internal correlation within a firm influences its decision to seek insurance. We study the combined dynamics of these two to determine when a market for cyber-insurance can exist. We address technical, managerial and policy choices influencing both kind of correlations and welfare implications thereof.