The cyber insurance adoption process and its challenges
Now that we have established a clear picture of the cyber insurance ecosystem, we seek to better understand how cybersecurity and cyber insurance decisions are taken within this ecosystem. This section focuses on what happens at the company level. Section 2.2.1 examines organisational decision-making involving cybersecurity and cyber insurance within all types of companies. Section 2.2.2 then does a deep dive on the decision-making process within SMEs specifically. In each instance, we consider the policy implications.
General company-level decision-making process for cybersecurity and cyber insurance
Companies must make key investment decisions concerning cybersecurity measures (including cyber insurance) on a regular basis, but there is a lack of research directly investigating how companies make these decisions, as identified by Weishaupl et al. (2018). In particular, a recent literature review by Heidt et al. (2019) highlighted the scarcity of studies analysing IT-related security decision-making that take contextual factors into account, notably behavioural, environmental, and organisational ones. They found that these contextual factors are often overlooked because the majority of research in this area is quantitative in nature. They thus argue that it is important for research to consider such contextual factors (Heidt et al., 2019, p. 6145).
We drew on the Burke and Litwin (1992) Performance and Change Model, shown in Figure 2.2, in order to examine the drivers of IT-related decision-making, including the role of the contextual factors mentioned above. The Burke and Litwin Model is a general model describing the many factors that drive change within an organisation and serves as a useful starting point. The model illustrates how behaviour within companies can be influenced by a complex system of twelve factors. All the pathways between the factors are bidirectional, and therefore all factors, from company structure to motivation in the workplace, can feed into organisational change in many different ways. The model ranks them in order of influence, with the most important factors at the top. The external environment is therefore the dominant factor in the model, having a significant impact on a company’s mission and strategy, organisational culture, and leadership, and through them, on the other factors as well.
Figure 2.1: The cyber insurance ecosystem
Figure 2.2: Burke and Litwin Performance and Change Model (adapted from Burke and Litwin, 1992)
We can apply this model in a cybersecurity context. In order to identify the key roles and influential drivers of cybersecurity and cyber insurance specifically, we conducted 11 in-depth interviews with practitioners inside companies. This included individuals responsible for making cybersecurity decisions within a company as well as those involved in the sale/marketing of cybersecurity-related products and services (including cyber insurance). Those interviewed were from companies of different sizes, a mix of larger companies and SMEs. We then carried out a qualitative analysis to identify and understand the influential drivers of cybersecurity-related decision-making within companies at board and senior management level.
We found that the decision-making process at company level involves a complex ecosystem in its own right. These systems can vary dramatically between companies, depending upon size, maturity, and sector. There is no universal ‘one size fits all’ structure for cybersecurity and cyber insurance decision-making within companies. There are also many different factors, both internal and external, that can influence companies’ cybersecurity decision-making and cyber insurance adoption. Any cybersecurity services, products, and interventions need to account for this variation between companies in the decision-making process.
There are many different processes influencing cybersecurity-related decisions inside a company. For example, cyber insurance adoption often seems to be driven outside of the technical teams (for example, from finance). Companies often have complex (and non-universal) structures involving numerous boards, committees, teams, and departments, each reflecting their own motivations, priorities, and ways of doing things.
In keeping with Weishaupl et al. (2018), we found evidence that companies can perceive cybersecurity-related decision-making (and related processes) to be time-consuming and tedious. For example, even the process of acquiring an insurance quote (and gathering the associated company information needed to obtain it) and the renewal process are seen as effortful. This can have a detrimental impact upon cyber insurance adoption, and is further compounded by a lack of awareness around cyber risk and cyber insurance coverage. Companies also expressed a mistrust of insurers, with concerns regarding a lack of transparency surrounding coverage. Resource and financial constraints also play a role.
Cyber insurance adoption appears to be largely influenced by legislation and other policy aspects. In keeping with Weishaupl et al. (2018), our findings suggest that there may be a disconnect between the existing academic literature that sometimes regards cybersecurity decision-making as intrinsically motivated, and the emerging literature (such as this current study) that shows that companies may be more motivated to invest in cybersecurity because they need to do so to comply with legislation.
Legislation as a driver for cyber insurance also fits within the Burke and Litwin Model. As previously mentioned, this model suggests that the most dominant influence on organisational performance and change is the external environment. This could include factors such as legislation (e.g. the introduction of the GDPR) and media coverage of cyber risk—both of which were mentioned by those we interviewed as drivers of cyber insurance uptake. Therefore, in much the same way as Burke and Litwin, we found that external factors appear to have a strong influence on cybersecurity decision-making within companies.
Many approaches to cybersecurity assume a rational decision-making process. However, human decision-making and perception of risk do not always follow rational processes (Evans, 2003). This will be discussed further in Chapter 3. Many approaches also assume accurate calculations of benefit and risk—but this is unlikely at best, due to the current lack of data on cyber risk and how to measure it (Eling and Schnell, 2016).
Our findings suggest that companies may be responsive to more detailed cyber insurance policy wording regarding the specific terms and conditions of coverage (e.g. inclusions and exclusions). However, greater precision can make it difficult for policies to take into account the changing nature of the cybersecurity environment. Therefore a balance is needed between providing enough detail to reassure and/or guide companies, whilst maintaining enough room for policies to take into account new developments in cybersecurity risk and protection. Further research is required to investigate the most appropriate level of specificity. Legislation surrounding the standardisation of cyber insurance policy wording could help to reassure companies, and also address confusion over what policies cover (and clarify the perceived ‘grey area’ between traditional insurance policies and cyber policies).
Given companies’ lack of confidence in insurers, policymakers should foster practices that could help build trust between insurers and insured companies. To achieve greater awareness around cyber risk and improve cybersecurity practices, policymakers can help partially overcome the issues involving the absence of good cyber incident data by promoting greater information sharing. There is a need for further investigation into the most appropriate ways to implement this.