A history of cyber risk transfer

Cyber risk management involves balancing risk acceptance, avoidance, reduction, and transfer. Academic researchers have focused on risk reduction measures. Studies of cyber risk transfer are less common, mainly centering on cyber insurance. This emphasis on risk reduction overlooks the development of many real-world cyber risk transfer products in the last decade. Our study describes the emergence of products including: cyber (re)insurance, parametric insurance, warranties, and cyber cat bonds. We characterize how these solutions addressed four core challenges of transferring cyber risk: (1) tailoring coverage to the threat landscape; (2) managing solvency; (3) data collection for risk assessment; and (4) creating incentives for risk reduction. The result is an integrated history of cyber risk transfer describing how novel products and partnerships emerged to address failings in prevailing business models. Our descriptive study can help other researchers to understand real-world problems, providing a foundation for future research and a richer picture of the overall cyber risk transfer landscape, as well as a deeper understanding of the types of cyber risk that can - and cannot - be effectively transferred.