Cyber-Insurance: Missing Market Driven by User Heterogeneity

In this paper, we explain why existing cyber-insurance contracts condition their premiums only on a client’s general features (such as the number of employees, sales volume) but do not reflect the client’s security practices. Indeed, we show that even if a competitive insurer can monitor (and enforce) security requirements for a vast majority of his clients, with only a minor fraction of the clients being able to subvert monitoring, no equilibrium contract would include security requirements. We consider arbitrary risk-averse users, whose costs of improving security are given by an arbitrary convex function. In our model, a user’s probability to incur damage (from being attacked) depends on both his own security and network security: thus, security is interdependent. We introduce two user types (normal and malicious), and allow one of the user types (malicious users) to be able to subvert insurer monitoring, even when security levels of normal users are perfectly enforceable (zero cost) for insurers. This asymmetric information causes adverse selection problem (i.e., malicious users will buy insurance, which leads to higher insurer costs). We prove that no matter how small the fraction of malicious users is, equilibrium contract that specifies user security does not exist. Thus, we demonstrate, in a general setting, a failure of cyber-insurance market to underwrite contracts conditioning user premium on user security.