Cyber risk management: an actuarial point of view

In recent decades, companies worldwide have faced a new kind of risk, namely cyber risk, that has emerged as one of the top challenges in risk management. Insurance has only recently been applied to the cyber world, and it is increasingly becoming part of the risk management process, posing many challenges to actuaries. One of the main issues is the lack of data, particularly financial data. This paper points out the peculiarities of cyber insurance contracts compared with the classical nonlife insurance contracts from both the insurer’s and the insured’s perspectives. The main actuarial principles that are fundamental to any valuation in a cyber context are discussed. An illustrative example is proposed where the Chronology of Data Breaches data set provided by the Privacy Rights Clearing House is analyzed in depth. The most suitable distributions to represent the frequency and the severity of the reported cyber incidents are examined and the value-at-risk measure is estimated. Then, two exemplifying cases offer the assessment of both the premium required by the insurer and the indifference premium the insured is willing to pay. Despite certain limitations, this research could offer useful information on this particular kind of insurance policy