Incentivising Cyber Risk Management Behaviours: The Role of Cyber Insurance

Dates: April 2020 – March 2021  

 Lead researchers: James Sullivan, RUSI and Dr Jason Nurse, University of Kent  

Overview

This project considers whether insurance could provide a significant lever to promote a step change towards better cyber risk management in organisations. It has two objectives:

• To develop a clear understanding of the positive outcomes that cyber insurance could have in improving cyber risk management practices, and consequently, to define how these outcomes may be championed to better direct secure behaviours in organisations, particularly SMEs.
• To research the extent to which knowledge from the other, more mature insurance portfolios – such as property, natural hazards, maritime, terrorism and health – may be leveraged to advance thinking and practice in cyber insurance.

The ‘emerging insights’ paper sets out key policy research gaps. It explores why the uptake of cyber insurance has been so low, the role of cyber insurance in improving cyber security behaviours and practices, scepticism about the value of cyber insurance, and how cyber insurance can learn from other insurance sectors. Following 50 stakeholder interviews with the insurance industry, SMEs and large businesses, academics and Government stakeholders, the team conducted workshops to explore the role of cyber insurance in business and its ability to incentivise security practices.

The occasional paper found that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope. Although several means by which cyber insurance can incentivise better cyber security practices are identified, they have significant limitations. Interviewees consistently stated that the positive effects of cyber insurance on cyber security have yet to fully materialise. While some mature insurers are moving in the right direction, cyber insurance as a whole is still struggling to move from theory into practice when it comes to incentivising cyber security. 

Policy implications

It is hoped that the research findings can help decision makers to navigate cyber risk management approaches, understand challenges with incentives in the context of cyber insurance, and provide clear and actionable recommendations that can be adopted by policymakers and practitioners alike. The RUSI occasional paper contains 13 direct, actionable recommendations relating to cyber risk management and the role of cyber insurance which could be adopted by policymakers and practitioners, with particular relevance to the DCMS market incentives programme.  

Methods

Interviews, workshops, literature review, data analysis  

Funders: RISCS 

Follow on work: The researchers have received further funding from NCSC to investigate the relationship between cyber insurance and ransomware and will soon be publishing a literature review on the state of play of cyber insurance.  

Posted on: December 9, 2021