Cybercrime insurance: what is insurable and how are risks distributed fairly?

Melchior Mattens MSc AAG
melchior.mattens@arcturus.nl 

Cybercrime is no longer a new phenomenon, and more and more companies and individuals are getting into trouble. Why are non-life insurers not responding more readily to the need for insurance, especially for individuals? In this article Melchior Mattens shows where cybercrime clashes with the principles of insurance and sheds light on the route to adequate premium setting.

Ever-growing problem

Cybercrime is no longer a new phenomenon and more and more people are getting into trouble – according to Dutch police figures almost 7000 cases have been reported this year (until August 2020). In recent years in particular, the number of victims of cybercrime has been increasing. As a result, the social demand for professional support from insurers is rising fast. The insurance market already offers coverage, but many insurers are still working out what role they could play in helping customers in this area. What is insurable? And how do you set a good premium for it?

Figure 1: Development of the number of cybercrimes.
Data for 2020 until August. Source: data.politie.nl

What is insurable?

Insuring against crime is traditionally a complex matter, because you are dealing with moral hazard: when people know they are insured, they may become (slightly) more careless. This carelessness increases the risk, and criminals can then profit from it. In this way, criminal activities are financed indirectly by insurance money. The best-known example of this is burglary risk. However, home burglary is covered by regular contents insurance, so apparently the moral-hazard effect is not so bad: the average insured person does not secure his home less well than the average uninsured person.

Moral hazard also plays a role in cybercrime. One difference with home burglary, however, is that cyber criminals can demand any ransom amount they want, whereas burglars can steal only as much from a house as they can carry. As a result, the damage burden can be much higher than in the traditionally covered forms of crime. If insurers were willing to contribute to this, there could be an incentive for cyber criminals to structurally increase the ransom they demand. An insured person would then become a much more interesting potential target than an uninsured one. Of course, an insurer doesn't want that and should not make crime worthwhile.

Therefore, the first insurers that now offer cyber coverage for individuals (e.g. standard in contents insurance) do not offer cover for the payment of ransom, but for support of cyber experts in case of a (computer) virus infection. In addition, there is a strong effort on prevention: the insurer shares tips, tricks and recent developments in the field of cybercrime with the customer. This makes it easier to avoid problems and means the insured is not on his own if bad luck strikes. In the case of virus infection, assistance is provided by cyber experts; they may be able to repair some of the damage or prevent worse. After all, not all virus infections are such that the computer or data and photos can no longer be recovered from the hackers.

In addition to assistance, cyber insurance can also include insured benefits for online scams by webshops and for hacking of bank accounts and credit cards. Moral hazard seems less relevant to these risks.

What is an adequate premium?

The risk is not stable, but statistics are still needed to assess it. How does the frequency of different types of cybercrime develop? This is measured in The Safety Monitor, a biennial population survey conducted by the Central Bureau of Statistics (CBS). Figure 2 breaks down cybercrime into its four main components.

Figure 2: Number of offenses per 100 inhabitants by type of cybercrime.
* 2018 is interpolated because of missing CBS data.

The population survey indicates that the 4,700 crimes reported in 2019 (Figure 1) are estimated to be only the tip of the iceberg. With an estimated 23 crimes per 100 inhabitants in 2019, this amounts to a real number of more than 4 million cybercrimes per year in the Netherlands. Insurable offenses include hacking, purchase fraud and identity fraud. Based on the survey's estimate, there are about 14.5 of these insurable offenses per 100 inhabitants per year in the Netherlands. The subdivision of these 14.5 offenses over the three insurable types is shown in Figure 3.

Figure 3: Percentage share of insurable cybercrime offenses.

By 2020 it is likely that the number of registered crimes will more than double compared to 2019 (figure 1).

These figures can be extrapolated to the future with some caution. From this, one can derive an estimate of the claim frequency for the insurable cyber risks. Based on the maximum cover amount, claim handling management and other policy clauses, an estimate of the average claim size can be made. The combination of claim frequency and average claim size can be used to determine an average premium.

Another issue with crime is the unpredictability of the risk. This plays a major role in terrorism: once a country or region has found an appropriate response to a certain type of attack, terrorist organizations develop a new way to achieve their goals. For insurers this implies that the future risk can never be adequately estimated by studying historical data. This also plays a role in cybercrime: on the one hand due to rapid technological development, on the other hand due to criminals' capacity for innovation. As soon as virus protection has been developed against their current method, criminals look for new ways. An adequate risk premium for the occurrence of these unknown unknowns therefore remains necessary to cover the risk for the insurer.

Premium differentiation possible?

Customer-specific risk factors can hardly be estimated at the moment. A uniform premium is a first step in a young market, but there may be good reasons for moving towards a differentiated system over time. Possible differentiating factors include:

  • Prevention: some people have invested in good antivirus software.
  • Age: risk awareness and knowledge are not evenly distributed across age groups, and some age groups are more popular targets for cyber criminals.
  • Behaviour: some people take considerably more risk, for example by downloading certain (illegal) files.
  • Job or position: some people are in (business) positions that make them relatively easy to approach and/or an attractive target for criminals.
  • Tailor-made cover: parts that are priced separately.

As dynamic as the world of cybercrime is, the key to properly assessing risks is data. One learns by doing: insurers who are the first to start insuring cyber risk will be the first to have the data to arrive at good premium differentiation. Once this claims burden is properly broken down by type of claim (use of experts and compensation) and linked to risk characteristics of the population, traditional actuarial pricing methods such as GLMs become very useful. This makes premium differentiation possible in the long term.
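As an added illustration (not the author's code), the sketch below follows the pricing route described above: it fits multiplicative claim-frequency relativities for two of the listed risk factors and turns them into a premium as frequency times average claim size plus a loading for unknown unknowns. The portfolio, the average claim size and the loading are constructed assumptions, and the fit uses the method of marginal totals, whose fixed point satisfies the likelihood equations of a Poisson GLM with log link.

```python
# Constructed portfolio, not real data:
# (antivirus installed, age band) -> (policy-years of exposure, claim count)
PORTFOLIO = {
    ("yes", "18-39"): (2000, 200), ("yes", "40-64"): (3000, 240),
    ("yes", "65+"): (1000, 125), ("no", "18-39"): (1000, 150),
    ("no", "40-64"): (1000, 120), ("no", "65+"): (800, 150),
}
AVG_CLAIM_EUR = 400.0  # assumed average claim size (expert help plus compensation)
RISK_LOADING = 0.25    # assumed margin for attack methods not yet in the data


def fit_relativities(portfolio, iterations=200):
    """Fit claims ~ exposure * a[antivirus] * b[age] by marginal totals.

    At the fixed point, fitted claims equal observed claims on every margin,
    which is the Poisson log-link GLM solution for two categorical factors.
    """
    a = {av: 1.0 for av, _ in portfolio}
    b = {age: 1.0 for _, age in portfolio}
    for _ in range(iterations):
        for av in a:
            cells = [(k, v) for k, v in portfolio.items() if k[0] == av]
            a[av] = (sum(n for _, (_, n) in cells)
                     / sum(e * b[k[1]] for k, (e, _) in cells))
        for age in b:
            cells = [(k, v) for k, v in portfolio.items() if k[1] == age]
            b[age] = (sum(n for _, (_, n) in cells)
                      / sum(e * a[k[0]] for k, (e, _) in cells))
    return a, b


def premium(a, b, antivirus, age):
    """Gross premium = fitted frequency * average claim size * (1 + loading)."""
    frequency = a[antivirus] * b[age]  # expected claims per policy-year
    return frequency * AVG_CLAIM_EUR * (1 + RISK_LOADING)


if __name__ == "__main__":
    a, b = fit_relativities(PORTFOLIO)
    for av, age in PORTFOLIO:
        print(f"antivirus={av:<3} age={age:<5} "
              f"frequency={a[av] * b[age]:.3f} "
              f"premium=EUR {premium(a, b, av, age):.2f}")
```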

The insurer has something to offer

Overall, developments in the field of cybercrime are moving very quickly. It seems like a matter of time before other insurers will want to enter this market as well. For many people it is a great nightmare to be held hostage by hackers. Good support will therefore be worth something. Fortunately, traditional actuarial pricing methods will also be very useful in this field and therefore it won’t be long till the cyber insurance market becomes a mature market.