Assessing Different Levels of Time Retention for Business Interruption Coverage on Cyber Insurance

Abstract

As a consequence of the digitalization in companies, cyber-related risk has increased substantially. Cyber insurance has, therefore, emerged as a tool to mitigate cyber risk. Cyber risk behaves differently compared to more traditional risks such as business interruption and property damage. These are relatively immobile, whereas cyber risk is fast-paced and has an inherent ability to simultaneously impact multiple entities, as well as having the potential to cause extensive damage in a short period of time, regardless of traditional limitations of risk such as geographical location and being contingent on tangible assets. Elements of traditional insurance policies, such as waiting periods and risk estimation, may thus be inadequately adapted to cyber risk. This thesis, therefore, explores the effect time retention, i.e., waiting period, have on the expected utility of cyber insurance during a business interruption caused by a cyber incident. Through in-depth interviews with industry professionals, and analyzes of cyber policies, questionnaires, and underwriter guidelines, we developed a model which derived the expected utility of cyber-related business interruption coverage. The model was used to analyze and evaluate the current conditions of cyber-related business interruption. The findings from the model illustrate that cyber-related business interruption coverage and current time retention levels for cyber insurance is neither welladjusted nor suitable adapted to the present cyber risk exposure.