This book provides an introduction to the theory and practice of cyber insurance. Insurance as an economic instrument designed for risk management through risk spreading has existed for centuries. Cyber insurance is one of the newest sub-categories of this old instrument. It emerged in the 1990s in response to the increasing impact that information security started to have on business operations. For much of its existence, the practice of cyber insurance has focused on how to obtain accurate actuarial information to inform the specifics of a cyber insurance contract. As the cybersecurity threat landscape continues to bring about novel forms of attacks and losses, ransomware insurance being the latest example, the insurance practice is also evolving in terms of what types of losses are covered, which are excluded, and how cyber insurance intersects with traditional casualty and property insurance. The central focus, however, has continued to be risk management through risk transfer, the key functionality of insurance.
The goal of this book is to shift the focus from this conventional view of insurance as primarily a risk management mechanism to one of risk control and reduction, by looking for ways to re-align the incentives. On this front, we have encouraging results that suggest the validity of using insurance as an effective economic and incentive tool to control cyber risk. This book is intended for anyone interested in obtaining a quantitative understanding of cyber insurance and how innovation is possible around this centuries-old financial instrument.