<p>We examine how risk interdependence—characterized by interdependent network security and spillover losses—affects investment in prevention of a risk averse and insured firm under three conditions: (1) the firm has private information about its level of preventive investment; (2) the insurer can observe this investment only by incurring a monitoring cost; and (3) the firm may be held liable for spillover losses. In equilibrium, firms will underinvest in prevention compared to when risks are independent. When spillovers are unobservable and highly likely, network externalities exacerbate the underinvestment problem. In contrast, when spillovers are observable or unlikely, network externalities do not materially affect the investment in prevention. The introduction of liability for spillover losses can mitigate the underinvestment problem when the spillover risk is substantial. We apply this framework to the case of cyber risk.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Prevention when losses are interdependent and claims are costly monitored: an application to cyber risks

  • M. Martin Boyer,
  • Elisabeth Vigneron

摘要

We examine how risk interdependence—characterized by interdependent network security and spillover losses—affects investment in prevention of a risk averse and insured firm under three conditions: (1) the firm has private information about its level of preventive investment; (2) the insurer can observe this investment only by incurring a monitoring cost; and (3) the firm may be held liable for spillover losses. In equilibrium, firms will underinvest in prevention compared to when risks are independent. When spillovers are unobservable and highly likely, network externalities exacerbate the underinvestment problem. In contrast, when spillovers are observable or unlikely, network externalities do not materially affect the investment in prevention. The introduction of liability for spillover losses can mitigate the underinvestment problem when the spillover risk is substantial. We apply this framework to the case of cyber risk.