This study investigates whether cyber loss events occurring in the United States are spatially correlated and if so, which socioeconomic factors are associated with the spatial correlation. We analyze 3132 counties of the 50 U.S. states from 2005 to 2020 using the largest existing dataset of cyber risks and socioeconomic data. While previous literature found no or little spatial correlation at the state level, we are the first to document that such correlation exists at the county level; positive Moran’s I indicates that more exposed (i.e., a relatively large number of cyber events and losses) and less exposed counties are clustered. Spatial regressions show positive direct and negative indirect effects of county-level population and average income on loss frequency and severity. Large and wealthy counties thus tend to be more exposed to cyber risk events, but their geographically neighboring counties are less affected. We further investigate relatively exposed regions (California and the Northeast Coast) and three risk types (malicious, unintended, and privacy risks) and show consistent spatial effects for the key variables of population size and average income. Our findings can aid risk managers, cyber insurers, and policymakers to geographically differentiate cyber risk, recognize relatively more exposed regions, and develop more effective risk management strategies.

We examine how corporate risk management can be used to address a firm’s vulnerability to cyber risk. We use a large, novel dataset on cyber risk and corporate risk management to analyse US insurers’ cyber loss events during the period of 2000–2021. Our analysis includes information on whether insurers have implemented an enterprise risk management (ERM) programme and whether they report applying cyber risk management (CRM). The results illustrate that the implementation of CRM measures may have no significant effect on cyber risk mitigation. However, we determine that the likelihood (frequency) of a cyber loss event decreases by 3.9% (6.8%) as ERM programmes mature year on year. We also find that an insurer can benefit from implementing both CRM and ERM through a lowered event likelihood (frequency) of 3.8 percentage points on average (3.7 percentage points) per year compared to solely implementing an ERM programme.

This study explores how optimism bias influences decision-making in cyber risk management by developing a novel model that reflects utility loss aversion, a factor previously unexplored in this context. We find that decision-makers with self-protection as reference point are less likely to invest in other cyber risk management measures, providing support for optimism bias observed in the cyber-insurance market. We also show that decision-makers with higher loss aversion tend to not invest in other cyber risk management measures. Our results help to explain the lack of demand for cyber-insurance and have important implications for corporate risk management and public policy on cyber risk. They also help better understand cyber risk events which can trigger huge systemic consequences for economies and societies.

We examine the optimal reinsurance and asset allocation strategies for an insurer who minimizes the ruin probability and faces a systemic surplus shock. Analytically tractable solutions are obtained when this shock occurs at an uncertain time. We then demonstrate that the systemic surplus shock results in a nonstandard form of market incompleteness, which alters both qualitative and quantitative features of existing strategies without the surplus shock. In particular, a specific form of the marginal value for the insurer’s minimized ruin probability plays a key role in the characterization of optimal policies with the systemic surplus shock.

Tropical cyclones (TCs) have been one of the major natural hazards in South Korea. Increasing TC threats with significant losses have been observed over the last two decades, raising demand for better TC risk assessment in this region. However, it is observed in the literature that a comprehensive framework to help understand event features, changing climate landscape and corresponding loss results is hardly studied. To fill this gap, we propose a three-step approach to quantifying TC risks. Using historical TC records, geographic information, and socioeconomic factors, we first cluster patterns of TC hazards (i.e., track, wind speed, and precipitation) affecting South Korea. We then predict TC hazards and regional economic losses per cluster, and subsequently examine the temperature trend at the grid level, which we use to study the impact of climate change on loss prediction. The results highlight that the annual TC losses are expected to increase by 14 and 45% in the years 2050 and 2100, respectively, compared to that in 2020 and that the TC season in South Korea may last longer in future. Our findings can be useful for (re)insurers and policymakers to develop risk management schemes for regions in Korea that are more vulnerable to TC risks.

We examine how CEOs’ political orientation can affect risk-taking behavior and firm performance in U.S. property-liability insurance companies. Using information on political donations made by CEOs to measure their political identity, we document a strong relationship between CEOs’ political conservatism and risk-averse behavior in insurers’ decision-making. We find that the more Republican leaning (or more politically conservative) a CEO is, the less risk a property-liability insurer tends to take in the capital market and underwriting business. We also provide evidence that insurers managed by Republican-oriented CEOs are more likely to achieve better financial profitability. The overall findings lead to the conclusion that property-liability insurers with politically conservative CEOs tend to have lower variability in their asset investments and underwriting business but are more likely to generate sufficient corporate value to satisfy their shareholders and policyholders. Unlike other relevant studies, our research attempts to address impacts of corporate governance and potential causality issues and shows that an insurer with a politically conservative CEO and more board members having multiple directorships is likely to take more risks. Our findings can offer important implications for property-liability insurers’ leadership in managing corporate risks and core business activities.

We use the world’s largest publicly available dataset of operational risk to model cyber losses and show that the Tweedie model best fits the cyber loss severity in the financial industry. Three key determinants of loss severity are firm size, contagion risk and legal liability. We also measure the size of risk based on the estimation results and show a large degree of heterogeneity across financial firms. The results are particularly relevant with respect to the recent discussion on simplifying operational risk capital requirements and reiterate the importance of considering individual firm characteristics when modelling operational losses.

We consider quantile regressions for adequate cyber-insurance pricing across heterogenous policyholders and calculation of claims cost associated with data breach events. We show that the impact of a firm's revenue is stronger (weaker) in the lower (upper) quantile of the cost distribution. This result suggests that mispricing may occur if small and large firms are priced using the average effect estimated by the traditional least squares approach. Using a novel dataset, our study is the first to take firm-specific security information into account. We find that firms with weaker security levels than the industry average are more likely to be exposed to large-cost events. Regarding data breaches, small or mid-size loss events are related to higher cost per breached record. We compare the premiums of a quantile-based insurance pricing scheme with those of a two-part generalized linear model and the Tweedie model to explore the usefulness of the quantile-based model in addressing heterogeneous effects of firm size. Our findings provide useful implications for cyber insurers and policymakers who wish to assess the impacts of firm-specific factors in pricing insurance and to estimate the cost of claims.

This paper proposes a dynamic process of portfolio risk measurement to address potential information loss. The proposed model takes advantage of financial big data to incorporate out-of-target-portfolio information that may be missed when one considers the value at risk (VaR) measures only from certain assets of the portfolio. We investigate how the curse of dimensionality can be overcome in the use of financial big data and discuss where and when benefits occur from a large number of assets. In this regard, the proposed approach is the first to suggest the use of financial big data to improve the accuracy of risk analysis. We compare the proposed model with benchmark approaches and empirically show that the use of financial big data improves small portfolio risk analysis. Our findings are useful for portfolio managers and financial regulators, who may seek for an innovation to improve the accuracy of portfolio risk estimation.

This study proposes a measure of the data breach risk’s probable maximum loss, which stands for the worst data breach loss likely to occur, using an alternative approach to estimating the potential loss degree of an extreme event with one of the largest private databases for data breach risk. We determine stationarity, the presence of autoregressive feature, and the Fréchet type of generalized extreme value distribution (GEV) as the best fit for data breach loss maxima series and check robustness of the model with a public dataset. We find that the predicted data breach loss likely to occur in the next five years is substantially larger than the loss estimated by the recent literature with a Pareto model. In particular, the comparison between the estimates from the recent data (after 2014) and those for the old data (before 2014) shows a significant increase with a break in the loss severity. We design a three-layer reinsurance scheme based on the probable maximum loss estimates with public–private partnership. Our findings are important for risk managers, actuaries, and policymakers concerned about the enormous cost of the next extreme cyber event.