Flo Greatrix, RISCS Policy Impact Officer

A new report by James Sullivan (RUSI) and Jason Nurse (University of Kent) has been recently published as part of their RISCS Funded project: ‘Incentivising cybersecurity through cyber insurance’. It considers the opportunities of and challenges in using cyber insurance to incentivise cyber security practices. 

James Sullivan
Dr Jason Nurse

The following policy questions have emerged from the preliminary stages of this research project, based on an extensive literature review. These questions serve to guide the next stage of the project and to prompt new conversations about how cyber insurance might better incentivise cyber security practices. 

  • What is the role of the cyber insurance market in the context of cyber risk management for large, medium and small organisations? 
  • To what extent can cyber insurance companies act to incentivise better cyber security practices and systems within businesses? What, if any, are the conditions required for this to occur? 
  •  To what extent can cyber insurance negatively influence cyber security practices or systems in businesses (for example, how real is the issue of moral hazard or concerns such as the ‘race to the bottom’)?
  •   If cyber insurance can have a positive impact on businesses, how can the positive influences be best championed? 
  • What is the role of government in maximising any positive impacts of cyber security from cyber insurance? How could it alleviate any concerns? 
  •  Are there other insurance classes that may provide lessons for the cyber insurance ecosystem, particularly as it relates to influencing better risk-management behaviours?
  •  Are there differences in the way cyber insurers approach assessing risk and underwriting policies? If so, do different approaches have different impacts on cyber security practices?

Through this project, the research team hope to provide valuable insight for policymakers currently seeking ways to optimise the potential impact of cyber insurance on cyber security. Improving cyber security across society will generate positive outcomes, not only for the organisations, but for whole-of-society resilience.

The full paper is available on the RUSI website at this link: https://rusi.org/publication/emerging-insights/cyber-security-incentives-and-role-cyber-insurance