Pricing Cyber Security Insurance

Abstract

Cybersecurity breaches may be correlated due to geography, similar infrastructure, or use of a third-party contractor. We show how a logistic regression may be used to estimate the probability of an attack where breaches may be correlated among firms up and down the supply chain. We also show how a Poisson regression may be used to estimate the number of records breached. Losses arising from cybersecurity breaches have an unknown distribution. We propose the stock price reaction to a breach as an objective measure of the loss in wealth sustained by the firm due to a breach. This loss measure reflects the immediate and long-term effects of a breach, including reputational effects and other intangible impacts that are otherwise more difficult to quantify. We examine stock returns for 258 cybersecurity breach announcements over 2011-2016 in order to obtain the empirical loss distribution. We find a five-day abnormal return of -1.44%. Seventy-one percent of these 258 announcements result in a negative abnormal return, and a gamma distribution provides an excellent fit to these losses. In addition to introducing a predictive model for correlated losses, our study shows how insurers can use either the empirical stock return distribution of losses or the per record cost of a breach in the pricing of cyberinsurance.