LAUSR

This work analyzes and extends insurance dynamics in the context of cyber risk. Cyber insurance contracts, when used as a means to manage residual cyber risk, could behave differently from other traditional (e.g., property) insurance. One important difference arises from the complexity involved in the post-breach decision of whether and how a firm should optimally plan to claim indemnity in the event of a cyber breach. We define different types of cyber breaches leading to different claiming scenarios, whose roots lie in the impact of secondary loss caused by certain but not all types of breaches. We build a model to capture the impact of secondary loss in structuring the use of cyber insurance and then combine the backward analysis of myriad breach scenarios to derive the overall optimal decision to purchase cyber insurance. We demonstrate that the optimal purchase decision depends on the mix of the types of cyber breaches that a firm faces. Numerical experiments corroborate market observation of limited use of cyber insurance after 20 years from when these products became available.