Dingchen Ning

Cyber risk insurance has been introduced for more than two decades in the United States, yet the insurance market for cyber risk is tiny amounting to 1% ($6.5 billion) of premiums in the U.S. property-casualty insurance market in 2021. In this paper, we analyze what constrains the insurance industry from providing larger capacity. We argue that cyber risk is special in that it is both information-intensive to underwrite and heavy-tailed. It leads to the tension between the need to raise large amounts of external capital to finance heavy-tailed risks and the high compensation demanded by capital providers due to information frictions. Hence, the suppliers are large insurance groups with a deep internal capital market, and their capacity is constrained. We start by providing empirical evidence that the cyber risk insurance market is dominated by large insurance groups and that, compared to other types of insurance, cyber insurance relies heavily on the groups’ internal capital market. Then, using an exogenous shock on the tax treatment of the non-U.S. affiliated reinsurance in 2017, we establish the causal inference that insurers primarily rely on the internal capital market to supply cyber risk insurance.

This is the first paper to jointly analyze the three main cyber loss datasets (Advisen, SAS OpRisk and PRC), yielding the most comprehensive cyber loss data yet considered in the literature. We first study the problem of report delay bias by applying a two-stage model and document a faster rate of increase for cyber risk frequency compared with the original data. Based on these results, we then focus on the time dynamics of cyber risk frequency and severity, where we separately study the properties of full distribution and tail of loss severity. We find the loss distribution of cyber events shifts leftwards for both monetary loss and non-monetary loss (such as accounts/records breached) in the recent period, but the trend of tail risk is different for these two types of loss. The tail risk of non-monetary loss is increasing, while the other is not, although they both exhibit heavy-tailedness over time. Our results are important for cyber risk management and understanding the insura- bility of cyber risk