Assessing Different Levels of Time Retention for Business Interruption Coverage on Cyber Insurance
Abstract
As a consequence of the digitalization in companies, cyber-related risk has
increased substantially. Cyber insurance has, therefore, emerged as a tool to
mitigate cyber risk. Cyber risk behaves differently compared to more traditional
risks such as business interruption and property damage. These are relatively
immobile, whereas cyber risk is fast-paced and has an inherent ability to
simultaneously impact multiple entities, as well as having the potential to cause
extensive damage in a short period of time, regardless of traditional limitations of
risk such as geographical location and being contingent on tangible assets. Elements
of traditional insurance policies, such as waiting periods and risk estimation, may
thus be inadequately adapted to cyber risk.
This thesis, therefore, explores the effect that time retention, i.e., the waiting
period, has on the expected utility of cyber insurance during a business interruption
caused by a cyber incident. Through in-depth interviews with industry professionals, and
analyses of cyber policies, questionnaires, and underwriter guidelines, we
developed a model which derived the expected utility of cyber-related business
interruption coverage. The model was used to analyze and evaluate the current
conditions of cyber-related business interruption.
The findings from the model illustrate that cyber-related business interruption
coverage and current time retention levels for cyber insurance are neither well adjusted
nor suitably adapted to the present cyber risk exposure.
Description
Master's thesis (MSc) in Master of Science in Business, Accounting and Business Control - Handelshøyskolen BI, 2020