Lakhasly

Challenge 6: Incentivising Negative Behaviours
There is a possibility that cyber insurance may be actively encouraging negative behaviours for both businesses and cybercriminals. In terms of businesses, the empirical evidence collected as part of this paper highlights that the moral hazard phenomenon is not occurring at scale with cyber insurance. However, cyber insurers may be unintentionally facilitating the behaviour of cybercriminals by contributing to the growth of targeted ransomware operations.
The Moral Hazard
Some theoretical studies have argued that organisations are less likely to invest in risk prevention if they think that their cyber insurance policy will resolve (and/or cover the cost of) an incident
anyway. This phenomenon is known as the ‘moral hazard’.208 For boards or senior management
not inclined to defer to cyber security practitioners, cyber insurance could be viewed as a
replacement for more costly cyber security measures.209 If widespread, this could outweigh the
potential positive benefits of cyber insurance by actively encouraging insecure practices and
behaviours. It could also drive up insurance premiums, placing an increased financial burden on
companies who do invest in cyber security and practice secure behaviours.210
However, research for this paper did not find strong empirical evidence indicating that the
moral hazard is a significant issue for cyber insurance. While some insurers did suggest they
had seen instances of businesses – particularly SMEs – treat cyber insurance as a substitute for
increasing investment in cyber security,211 most interviewees suggested that while the moral
hazard could potentially occur, it is not often seen. This chimes with findings from DCMS’s ‘Cyber
Security Breaches Survey 2019’, which suggested that organisations consider cyber insurance
as complementary to – rather than a substitute for – other forms of cyber risk management.212
This is primarily because cyber insurance policies do not cover all the potential impacts of cyber risk.
For instance, financial coverage from a cyber insurance policy will not cover long-term reputational
costs that can result from a data breach or ransomware attack, particularly if customer data is
affected.213 As one financial services provider stressed, ‘there’s no amount of cyber insurance
pay-out that can remedy a severe loss of reputation’.214 While this argument rests to some extent
on the assumption that policyholders understand cyber risk, purchasers of cyber insurance do
appear to have a greater understanding of the economic impacts of cyber incidents.215 Moreover,
the moral hazard issue may be attenuated by some of the scepticism around cyber insurance –
specifically, that financial limits are too low to cover the costs of an incident and that organisations
are not certain their policy will pay out.216
In sum, the moral hazard – as theoretically conceived – is not a significant challenge for the
cyber insurance sector, at least no more so than it is for other insurance lines.