This special issue of The Geneva Papers on Risk and Insurance—Issues and Practice on Cyber Insurance is the second in three years (see volume 43 of The Geneva Papers published in 2018) to cover the emerging threat of cyber risks to firms, organisations, individuals and society as a whole. The first special issue published only four papers; the current special issue publishes eight. The increase in the number of articles in this special issue reflects the growing popularity of the topic not only amongst academics, but also amongst corporate researchers. The 2020 World Risk and Insurance Economics Conference, which was held virtually, had a session devoted to cyber risk, something that would have been unimaginable five years ago (footnote 1).

What is cyber risk? One definition that can be used is any attack using electronic devices that causes damage to an organisation or an individual, such as denial of service or the theft or destruction of data. Such attacks take the form of malicious code, malware, trojans, worms and phishing, to name but a few (footnote 2). Cyber insurance usually covers only direct losses, even though indirect losses can be much larger. Whatever cyber risk is, it is certainly difficult to define precisely (footnote 3).

The eight papers included in the current special issue are divided according to three classifications. The first three papers examine the potential demand for cyber risk insurance by assessing the potential loss for firms and organisations that fall victim to a cyber event. The next three papers examine the supply side by presenting issues related to how contracts are written and interpreted by the courts, and how the writing and the interpretation of cyber contract clauses could have an impact on other insurance contracts. Lastly, the special issue concludes with two papers that examine how cyber risk applies to two industries: health insurance and information technology.

Before briefly summarising the papers in this issue, it feels appropriate to remind ourselves that the lack of proper data regarding cyber losses remains problematic in analysing the actual risk of cyber incidents, and to infer what the demand and supply of cyber insurance should be. Eling (2018) writes (p. 177):

Not only is the lack of data a major concern for insurance managers and empirical researchers, but the dynamic nature of cyber risk also carries an immense risk of change. It is thus far from clear whether the little historical data we have is indicative of future outcomes.

It was true in 2018 and it is still true today. Marotta et al. (2017) identified data issues (including the evaluation of frequency, estimation of damages and dependencies across risks) as the main research gap in the literature. That is why some of the papers in this issue use small data sets or rely on a more qualitative analysis of the issue.

This special issue’s first three papers examine the cost of cyber risk events, whether from a stock market perspective, as in the article by McShane and Nguyen, or through the development of new loss distribution techniques, as in the articles by Palsson, Gudmundsson and Shetty and Poyraz, Canan, McShane, Pinto and Cotter.

The paper chosen to lead this special issue, coauthored by Palsson, Gudmundsson and Shetty, examines the impact of cyber events on organisations using the Advisen cyber loss data feed. This source of data was used previously by Romanosky (2016). They apply a ‘random forest’ algorithm approach in order to better quantify the risk of critical cyber losses. They conclude that phishing and malicious breach incidents are associated with much higher losses than cases of cyber extortion.

The approach used in McShane and Nguyen’s paper is similar to that in the finance literature in that the authors examine the American stock market’s reaction to cyberattacks (mostly data breaches) on publicly traded firms. Contrary to the results presented in Rasoulian et al. (2017), McShane and Nguyen find no significant stock market reaction to cyberattacks, on average, over the 10 years under examination. The story does not end there, however. Over time, McShane and Nguyen find that the market’s reaction to cyberattacks changes, with negative and significant reactions in 2011, 2012 and 2013. This suggests that cyberattacks and cyberattack damages are driven by causes that are outside of any simple frequency-severity model.

The third paper in the first set of papers, by Poyraz, Canan, McShane, Pinto and Cotter, seeks to measure the monetary impact of large cybersecurity breaches that could lead to the illegal use of personally identifiable information (also known as PII mega data breaches). In the year ending in April 2020, it was reported that 8.5 billion records were compromised in data breaches, of which 80% were theft of customer-related personally identifiable information (PII) (footnote 4). The potential for misuse is high. The authors develop an original method to examine the potential loss associated with future breaches.

In the second set of three papers, the reader is drawn into the world of cyber insurance contract wording and the supply of cyber insurance. The contributions of Woods and Weinkle, Wrede, Stegen and Graf von der Schulenburg and Xie, Lee and Eling therefore examine the supply side of cyber insurance, with the first two particularly interested in the wording of contracts.

In their paper, Woods and Weinkle collect data from 56 cyber insurance policies to examine how deliberate cyberattacks on corporations and organisations are viewed with respect to so-called war exclusions in insurance policies (see also Romanosky et al. 2019). We also learn that ‘war’ is in the eye of the beholder as war exclusions differ by policy type and different market practices, giving rise to ambiguity in payment and the risk of contract non-performance (see Doherty and Schlesinger (1990) and Peter and Ying (forthcoming) for more on this topic) or subperformance (Asmat and Tennyson 2014). Woods and Weinkle conclude that cyber insurance coverage has been converging to a new equilibrium whereby losses due to war, in its traditional sense, are still excluded, but losses due to terrorism are not.

Wrede, Stegen and Graf von der Schulenburg also examine whether cyber insurance is covered in traditional insurance policies but focus exclusively on the German market. Their focus is on whether there is any ‘silent coverage’ of cyber losses embedded in other insurance contracts. This is important given the difficulty of defining what cyber risks are and, perhaps more importantly, how much reserve capital should be put aside to cover cyber risk incidents (Eling and Schnell 2016). They find that there is indeed some silent coverage of cyber-related losses in the great majority of the contracts they examine, such as business income insurance, liability insurance, fidelity insurance and D&O insurance. They conclude that the importance of silent coverage is such that cyber risk is becoming systemic.

In the paper by Xie, Lee and Eling, we remain with the supply side of cyber insurance, but we learn more about what motivates a property and casualty insurer to start offering cyber risk protection as a standalone (or a packaged) product. Making use of the National Association of Insurance Commissioners (U.S.) supplement on cybersecurity, which is available starting in 2015, the authors are able to use three years of data to study market development of this insurance line in the U.S. (see Pooser et al. (2018) for an earlier assessment). They find that, despite the absence of solid actuarial models, cyber risk insurance is extremely profitable, with industry loss ratios below 50% and more than half the insurers paying no claim in any given year. With an average loss ratio of 50% and a median paid claim ratio of 0, the authors rightly conclude that this is a very volatile line, making it suitable, perhaps, for services by reinsurers.

The last two papers in this special issue consist of studies that focus on two particular cases where cyber risk and cyber insurance could have an important impact. Leong and Chen examine the particular risk for health insurance companies of an attack against health Internet of Things (IoT) devices using a Chinese data set. Along with the examination of PII by Poyraz et al., Leong and Chen’s study on private health information allows us to cover what Greisinger (2016) calls the two most vulnerable types of data breach (footnote 5).

Lastly, Franke develops a questionnaire that can be used to measure the risk perception of risk managers in large corporations when it comes to IT service outages. The author presents three industry cases in detail: transportation, food and government services. IT service outages are a particular case of cyber risk that are not necessarily caused by a malicious act. IT service outages are similar to IT-related supply chain glitches, which Goldstein et al. (2011) attribute to some category of operational risk (see also the references therein). IT-related supply chain glitches cost firms, on average, 0.75% of their market capitalisation in the U.S., whereas Liu et al. (2016) find an abnormal return of −0.61% in Japan. This is not a trivial amount given that Goode et al. (2017) estimate indirect costs of data breaches to be six times the direct cost.

As a final word, there are still many unknowns associated with cyber risk, many of them related to issues dealing with data, but some also from the point of view of modelling the demand for cyber risk insurance using approaches more embedded in economics. Is it a problem of risk aversion? Of ambiguity? Is it a question of trust in the insurance system and in the wording of the insurance contract? Hopefully, the eight papers published in this special issue will provide a springboard for more research on cyber risk and cyber insurance.