Special Issue on Cyber Risk and Insurance

We’re proud to announce a special issue on Cyber Risk and Insurance with editors Firasat Khan from the Metropolitan State University, Minnesota and Tirthankar Ghosh from the University of West Florida, Florida.

Businesses and organizations are increasingly aware of the level of cyber risk they face, and cyber risk has consistently ranked as a top risk for them. Cyber risk insurance promises to provide increased assurance of business continuity through risk transfer, but the rapidly changing landscape of cyberattack surfaces, vectors, and resulting impact introduces unique challenges that should be better understood by practitioners and researchers alike.

Total cyber risk insurance premiums in the United States alone are at $3-4B today and are forecast by most estimates to rise rapidly to $15-20B in the next decade, and similar growth in cyber risk insurance is expected globally. The bulk of the growth is from small businesses reacting to major stand-alone instances of cyber breaches and failures. A key question that remains a concern is what would happen if there were a widespread cyber incident that impacted hundreds or thousands of insured firms simultaneously. The relatively low loss ratio today ensures the cyber insurance market is growing, but what happens if a major widespread catastrophe were to come to pass? How the insurance industry would be impacted is an open question.

While the intersection of cyber risk and insurance is a complex domain to navigate, the Insurance Core Principles (ICPs) developed by the International Association of Insurance Supervisors (IAIS) do present widely accepted principles, standards, and guidance for the insurance sector. The National Association of Insurance Commissioners (NAIC) has recently published helpful guidance outlining ICPs that relate to cyber risk (Supervision of cyber risk, Enterprise risk management, and Information sharing and cooperation). Cyber incident and breach experience and emerging applied knowledge need to be reconciled with accepted insurance principles. An appropriate framework for understanding and applying responsive insurance products is very much needed.

This DTRAP special issue on Cyber Risk and Insurance seeks to highlight recent developments in how organizations should evaluate their cyber risks, verify that their controls are appropriate, and ensure appropriate insurance coverage. The last of these is particularly relevant in light of clients complaining of denied claims under their cyber insurance coverage when the coverage might not have been adequate in the first place.

Topics include:

  • Cyber Risk Assessment
  • Cyber Risk Mitigation
  • Cyber Risk Modeling
  • Cyber Risk Reporting and Dashboards
  • Cybersecurity Controls and Standards
  • Cybersecurity Compliance
  • Cybersecurity Metrics and Measurements
  • Cybersecurity Maturity Models
  • Cybersecurity Economics and Shared Responsibility in Cyber Market
  • Cyber Insurance
  • Cyber Value-at-Risk (CVaR)
  • Business Interruption

Expected contributions – We welcome two types of research contributions:

  • Research manuscripts reporting novel methodologies and results (up to 25 pages).
  • Experience papers (field notes) that report on lessons learned from addressing specific issues within the scope of the call. These papers should be of interest to the broad cyber risk management community. (10+ pages plus an optional appendix).

Important dates and timeline:

  • Initial submission: August 30, 2019
  • First review: November 30, 2019
  • Revised manuscripts: December 31, 2019
  • Second review: February 15, 2020
  • Camera-ready manuscripts: March 30, 2020
  • Publication: May 30, 2020

