Will the development of cyber insurance in Kazakhstan be able to reduce cybersecurity risks: the experience of the USA and the UK

Conditions of the cyber environment in Kazakhstan

At the present stage, digitalization is a strategic development priority for all countries of the world. According to the Digital 2022 global overview report, 62.5% of the world's population uses the Internet, which is 4% more than last year. Introducing digital information and communication technologies into the economy allows the state, business and society to interact more efficiently and with lower transaction costs. Digitalization of economic sectors, which is the main goal of the state program “Digital Kazakhstan,” allows the country to move from a post-industrial economy to an information economy. The program began to be implemented in 2018, and today Kazakhstan has made significant progress in the field of digitalization. At the end of 2022, Kazakhstan entered the UN ranking of the 30 most digitized states. In the world rankings, Kazakhstan ranks 51st in the ICT Development Index and 58th in the Network Readiness Index. The volume of IT services provided in Kazakhstan is constantly growing: in 2022, services in this area totaled 946.2 billion tenge, which is 68% more in value terms than in 2021.

With such a significant increase in digitalization in 2022, only 24.5 billion tenge was allocated for activities in the field of cybersecurity. Despite the fact that this is 1.7 times higher than last year, Kazakhstan’s spending on cybersecurity is only 2.5% of total IT services. Against the backdrop of a significant increase in the digitalization of the economy with a relatively low level of protection, cybercrime is growing rapidly in Kazakhstan. Cybercrimes are criminal acts committed using computer networks, digital technologies or the Internet. They include a wide range of crimes that target computer systems, data or people using electronic devices.

Table 1.

| Indicator | 2018 | 2019 | 2020 | 2021 | 2022 |
|---|---|---|---|---|---|
| Number of registered crimes, total (thousand units) | 292.3 | 243.5 | 162.8 | 157.9 | 157.5 |
| Cybercrimes (thousand units) | 0.5 | 7.8 | 14.2 | 21.3 | 20.4 |
| Ratio (%) | 0.18 | 3.20 | 8.72 | 13.48 | 12.98 |

compiled by the author based on data from the Ministry of Internal Affairs of the Republic of Kazakhstan

Simultaneously with the course towards digitalization, Kazakhstan began to keep statistics on cybercrimes in 2018, when 517 cases were registered. However, this indicator grew from year to year (see Table 1), and in 2023, according to the international conference Kaspersky Cyber Security Weekend, Kazakhstan took 7th place in the world in the number of cybercrimes. Thus, over the past few years, remote work and rapid digitalization have highlighted the issue of cybersecurity. As the search for approaches to cybercrime prevention, mitigation and recovery progresses, one tool that is gaining traction in many countries around the world is cyber insurance. In this regard, the need to attract specialists in the cyber insurance market becomes relevant for Kazakhstan. This review examines the structure of existing cyber insurance markets and published analyses of them.

Development of the cyber insurance market in the USA

The first cyber insurance policies appeared in the 1990s, as businesses and organizations increasingly began to depend on computer networks and the Internet during this period. The cyber insurance market first appeared and was most developed in the United States. This is evident from the events of 2002, when the law on mandatory notification of data leaks and security breaches came into force in the states. In their 2020 article, Xiaoying Xie, Charles Lee and Martin Eling study the US cyber insurance market from 2015 to 2017.

The authors define cyber risk as a risk with a high degree of impact due to strong information asymmetries, lack of data to assess this type of risk, and the high probability of catastrophic losses. However, the authors identify cyber insurance as a potentially leading industry in the property and casualty insurance industry. While the US cyber insurance market is still a developing one, it is also the largest market of such kind in the world.

Over the past ten years, the US insurance industry has operated under conditions of declining demand and excess underwriting opportunities. At the same time, low interest rates have depressed investment returns, forcing insurers to turn a profit from underwriting. First of all, the work of the authors consists of a regression analysis of the hypotheses they put forward. The cyclical nature of the global economy and high levels of competition have limited the growth and profitability of insurers. Faced with growth constraints, insurers are more likely to diversify their product lines to enter new markets or activities in which the firm already has the necessary expertise. Based on this theory, the authors put forward the first hypothesis, which is that insurers who face an obstacle to business growth will be more likely to engage in cyber insurance.

The authors' second hypothesis is based on the theory of competitive advantage. Established competitive advantages between industries are major determinants of decisions about diversification and the degree of optimal diversification, as well as the profitability of a firm in that industry. In case of cyber risks, interdependent losses and high global correlation are deterrents to participating in cyber insurance. However, insurers can gain competitive advantage by addressing other cyber insurance challenges, such as loss of claims data and information asymmetries. Accumulated underwriting data and underwriting experience are potential competitive advantages for cyber insurers, from which the authors conclude that creating a competitive advantage is a critical prerequisite for potential cyber insurers. Excess reinsurers play the most important role in the non-standard insurance market, providing coverage for large, problematic and unique risks. Since specialized cyber insurance was originally provided by excess reinsurers, they are expected to have more reliable claims data and greater underwriting experience than other insurers and reinsurers. The authors argue that excess reinsurers have a competitive advantage in assessing and analyzing cyber risks. In addition, such competitive advantages can be transferred through internal data exchange between insurers and reinsurers. Thus, the authors put forward the second hypothesis: excess reinsurers and their reinsurers are more likely to engage in cyber insurance. Additionally, the paper identifies the third hypothesis, which concludes that insurers that are most diversified across geographic regions are more likely to engage in cyber insurance.

It is noted that during the period under study, the number of participants in the cyber insurance market increased from 453 to 615. This growth is due to an increase in the number of insurance companies that offer packaged insurance (an insurance policy that includes the most common risks, the list of which is determined in advance) of cybersecurity and theft of personal data. At the same time, the number of companies that provide stand-alone insurance (an insurance policy that covers a specific risk put forward by the policyholder) for these risks remains unchanged. Over the specified period, the number of excess reinsurers increased from 55 to 78, which indicates an increase in their interest in cyber insurance. Among insurers that offer stand-alone cyber risk coverage, one third are excess reinsurers and about half are related. The authors note that despite the fact that in 2017 the share of cyber insurance in the overall insurance industry was only 0.34%, cyber insurance experienced enormous growth over the period studied, with premiums doubling. They conclude that cyber insurance will increasingly be viewed as a separate insurance product. It should be noted that about 60% of cyber insurance policies are issued by organizations using excess reinsurance services, which confirms the second hypothesis.

The regression analysis showed the following results: overcoming growth constraints is not the predominant motive for most insurers to penetrate the cyber insurance market, but it may stimulate some insurers who operate in areas related to cyber insurance. Thus, the first hypothesis is only partially confirmed. However, the second and third hypotheses were fully confirmed.

Most of the results for the control variables are consistent with the authors' expectations. Larger insurers are more likely to offer a cyber insurance policy (either packaged or stand-alone coverage). However, mutual insurers are less likely to offer stand-alone coverage and more likely to offer packaged coverage. This result supports both predictions about the relationship between the form of organization and cyber insurance supply, as packaged coverage satisfies policyholder demand. In addition, the results of the analysis showed that insurers with riskier assets are less likely to participate in the cyber insurance market. Insurers with higher financial strength ratings are more likely to offer packaged cybersecurity coverage. Insurers with higher insurance leverage (the equivalent of financial leverage in insurance) are less likely to offer cyber insurance, especially stand-alone cyber insurance coverage. Because of this it can be concluded that establishing cyber insurance as a separate product within the industry may require greater capital support.

As a new direction of insurance, cyber insurance has proven to be profitable at the industry level, with a maximum loss ratio (the ratio of losses to premiums collected) of 44.7% in 2016. Thus, for every dollar paid to customers on insured events, the entire cyber insurance industry receives approximately $2.2 of premiums. However, profitability is variable and loss ratios at the individual firm level vary widely. The average total loss ratio in the cyber insurance market was 0%, indicating that most insurers have yet to face a cyber claim. Firm size, joint organizational form and the degree of diversification show significant relationships with underwriting profitability. In addition, the authors found that short-term increases in loss ratios were more sensitive to claim severity than to claim frequency and were not driven by premium increases. The authors' findings support the potential for serious damages from catastrophic cyber events, especially in stand-alone insurance.

UK cyber insurance market

In their 2021 study, MacColl, Nurse and Sullivan identify the main trends in the development of the cyber insurance market in the UK and the key factors limiting the development of this area.

First of all, the authors note that cyber insurance policies do not have any standards, but common characteristics include coverage of risks of first and third parties’ activities, business interruption, third party liability, loss of data and/or software, cyber extortion and regulatory notification costs. Cyber insurance is intended to transfer residual risk in situations where all other more traditional methods have failed. The authors' study found that cyber insurance increases risk awareness among businesses. Cyber insurers can frame a specific cyber risk for purchasers. They also can help develop strategies and processes to mitigate this formulated cyber risk.

Cyber insurance services can be divided into two types: post-incident and pre-incident services. Post-incident services, which give cyber policyholders access to expert knowledge and assistance during crises, have become a driver for the growth of the cyber insurance market. The most common post-incident cyber insurance service that reduces losses and the impact of an incident is legal support and other related services after a breach. The value of such services is especially important for SMEs, since they, unlike large enterprises, have less ability to recruit internal specialists who could help reduce cyber risks. In addition, post-incident services such as insurance against loss of profits or benefits, insurance against data loss, assistance in responding to incidents after a breach, assistance in forensic analysis of breaches, and assistance in reputation management after a hack are common in UK cyber insurance policies.

It is important to note that post-incident services are provided as tools to minimize the impact of the policyholder's cyber risks. As such, they represent a reactive rather than a preventative measure to enhance cyber resilience. To prevent the occurrence of an insured event, a number of pre-incident services are available on the cyber insurance market. The authors identify these services as measures to provide cybersecurity. At the present stage, these services are becoming increasingly popular, as they protect not only policyholders, but also insurers by increasing incentives to purchase a cyber insurance policy. An analysis of British insurance companies identified the following main types of pre-incident services: staff training, services for assessing cyber risks and the level of vulnerability of the company, analysis of potential threats, access to a virtual chief information security officer (CISO), and a password management solution. However, there are questions related to the effectiveness of this type of service. The authors' research showed that of all users of cyber insurance market services, only 28% purchased pre-incident services. Moreover, the needs of only 48% of them were satisfied.

The authors note that the positive effect of cyber insurance has not yet been fully realized. Despite a fairly large number of successful cases, when it comes to incentivizing cybersecurity, cyber insurance is still at the stage of transition from theory to practice. Nowadays cyber insurance is more of a cyber resilience tool than a cyber risk mitigation tool. That is the reason why post-incident services prevail over pre-incident services, as recently presented statistics clearly indicate. The authors of the work carried out an analysis of the insurance industry, on the basis of which they identified key factors that prevent the full realization of the potential of the cyber insurance market. These include the following aspects:

1. Dynamics of the cyber insurance market. Cyber insurance is one of the newest types of insurance and is still in its infancy. As a result, “no one knows how to do it right, a lot is still unclear.” There are inaccuracies and errors in cyber risk assessment, and the industry is experiencing difficulties in attracting specialists. The cyber insurance market has low entry barriers, which entails a high level of competition. And although competition can stimulate innovation and reduce consumer costs, it can also have a negative effect on the cyber insurance market: in pursuit of customers, some insurers may lower the requirements and standards for assessing cyber risks in order to “reduce friction in the transaction.”

2. Definition of minimum standards. Unlike more mature types of insurance, cyber insurance does not have standardized requirements, allowing policyholders to simply choose the insurer that asks the fewest questions and has less stringent security requirements.

3. Collection and modeling data of cyber risks. Cyber risks are difficult to quantify, which in turn limits insurers' ability to accurately assess an organization's risk profile or security practices. At the present stage, there is a limited amount of information about cybercrimes, which greatly complicates risk modeling and assessment. This is a result of both the newness of the industry and the lack of communication between cyber insurers to share experiences. A potentially larger issue is that even if a large amount of information is available to the insurer, it may not be reliable due to the intangible, dynamic and systemic nature of cyber risk.

4. Concerns about the financial sustainability of the cyber insurance market. The systemic nature of cyber risk has raised fears that a global incident could render insurers and reinsurers insolvent. This may partly be a consequence of insurers trying to attract customers by lowering premiums and risk assessment standards. In addition, nowadays the cause of cyber insurance losses is the so-called ransomware, which represents a risk with a high degree of impact and high probability.

5. Low coverage of the target audience by the cyber insurance market. The inability of organizations to realize how vulnerable they are to cybercrime leads to the inefficiency of cyber insurance policy in terms of costs. On the one hand, awareness of cybersecurity is growing. For example, at the end of 2020, 80% of the surveyed UK enterprises stated that they consider cybersecurity a priority, while in 2016 the number of such enterprises was 11% less. On the other hand, the intangible nature of cyber risk makes the potential financial impact of its occurrence difficult to assess and makes it difficult to accept the value of cyber insurance. Some potential policyholders believe that they are already protected by adequate property and liability policies, and some believe that cyber insurance does not meet their needs. This leads to another reason: the lack of trust in cyber insurance. Many companies strongly believe that cyber insurance will not pay off and that it is an ineffective way to manage risks. Additionally, the high cost of individual cyber insurance policies compared to other insurance policies can also be highlighted as another reason for low coverage.

6. Stimulating negative behavior. Moral hazard is a situation where organizations invest less in risk prevention if they believe that an insurance policy will resolve an incident and/or cover its occurrence. From a business perspective, the empirical data collected by the authors of the article emphasizes that the phenomenon of moral hazard does not arise on the scale of cyber insurance, at least because the cyber insurance policy does not cover all arising cyber risks. For example, cyber insurance does not cover the long-term reputational costs that may occur from a data breach. In addition, there is no payout amount that can cover serious loss of reputation. However, cyber insurers may inadvertently enable cybercriminal behavior by facilitating the growth of targeted ransomware operations.

To overcome all the challenges facing the industry, the authors of the article identify a number of actions for the insurance industry and policymakers. According to the authors, solving the problem of the limited cyber insurance market is possible only with the assistance of the government. Ultimately, all efforts must be complementary and coordinated to achieve success. Measures to improve the efficiency of the cyber insurance market could include new approaches of defining a minimum security standard, data sharing and combating ransomware. A properly functioning and more collegial insurance industry can help law enforcement and national cybersecurity centers identify threats operating within a specific industry or sector.

What conclusion can be drawn for Kazakhstan?

Thus, it can be noted that even in the most developed economies, the cyber insurance market is not progressive enough and occupies a very small share of the insurance industry. Based on this, as well as on the limitations that the authors cited in their research, it can be concluded that it is inappropriate to introduce the cyber insurance market into the economy of Kazakhstan at the present stage. The emergence of this market will not bring the expected effect. It is worth noting that the analysis of cyber insurance markets was based on developed economies. In the case of Kazakhstan, which is a developing economy, the limiting factors for the development of the cyber insurance market will be more significant. Because Kazakhstan actively implements digital technologies and achieves significant results in this area, it needs new, modern measures to reduce and prevent cyber risks, which include cyber insurance. However, for the normal functioning of the cyber insurance market, it is necessary to carry out a number of activities, which include training qualified personnel in the field of information technologies and cyber risk assessment, developing new security systems and raising public awareness of the fraudulent schemes of cybercriminals. Insurance companies in Kazakhstan need to exchange data with insurance organizations of countries that have implemented cyber insurance in order to build an information base for further activities.

| Original title of the article | Authors | Citation rate (h-index) | Journal and year of publication of the article |
|---|---|---|---|
| Cyber insurance offering and performance: an analysis of the US cyber insurance market | Xiaoying Xie | 17 | The Geneva Papers on Risk and Insurance - Issues and Practice, Volume 45, 2020 |
| | Charles Lee | 3 | |
| | Martin Eling | 31 | |
| Cyber Insurance and the Cyber Security Challenge | Jamie MacColl | 1 | Royal United Services Institute for Defense and Security Studies Occasional Paper, June 2021 |
| | Jason RC Nurse | 25 | |
| | James Sullivan | 1 | |


