Why cyber-insurance contracts fail to reflect cyber-risks

We consider arbitrary risk-averse users, whose costs of improving security are given by an arbitrary convex function. In our model, user probability to incur damage (from an attack) depends on both his own security and network security: thus, security is interdependent. We introduce two user types (normal and malicious), and allow one user type (malicious users) to subvert insurer monitoring, even if insurers perfectly enforce (at zero cost) security levels of normal users. We prove that with malicious users present, equilibrium contract that specifies user security fails to exist. We demonstrate, in a general setting, a failure of cyber-insurers to underwrite contracts conditioning the premiums on security. We consider arbitrary risk-averse users, whose costs of improving security are given by an arbitrary convex function. In our model, user probability to incur damage (from an attack) depends on both his own security and network security: thus, security is interdependent. We introduce two user types (normal and malicious), and allow one user type (malicious users) to subvert insurer monitoring, even if insurers perfectly enforce (at zero cost) security levels of normal users. We prove that with malicious users present, equilibrium contract that specifies user security fails to exist. We demonstrate, in a general setting, a failure of cyber-insurers to underwrite contracts conditioning the premiums on security.