Can cybersecurity insurance protect consumers from attacks?–Doug Criscitello

Doug Criscitello, Executive Director of MIT’s Center for Finance and Policy

From The Hill

As we move beyond the widespread acceptance and use of online banking and trading platforms and push further into an increasingly digital financial marketplace, consumers face new forms of risk—namely, cyber risk—that would have been unfathomable previously. When confronted with risks that could be financially devastating, consumers are driven to mitigate and insure against such perils. Has the time come to purchase insurance for financial cyber risks?

Rational consumers seek to prevent, minimize or avoid adverse financial outcomes by purchasing insurance to protect against actual and perceived risks they can’t easily afford. Insurance essentially serves as a risk management and wealth preservation tool. However, consumers realize that it doesn’t make sense to purchase insurance when the cost of coverage is so high that they will pay substantially more in premiums than expected losses. In other words, they decide that self-insuring is the more cost-effective alternative.

Individuals today are increasingly concerned about their online security but don’t have a clear understanding of the amorphous yet perilous risks they face. In response, new consumer-directed insurance products are being offered to guard against cyber attacks.


While such products are designed to insure against some of the risks and expenses arising from individually focused cyber attacks, they don’t necessarily mitigate a consumer’s nightmare scenario. That scenario goes beyond having personally identifiable information stolen from the IRS or Target to having your bank or brokerage account drained or otherwise wiped out by a malicious actor. And no insurance product exists today that safeguards individuals from that most catastrophic of cyber risks.

Insurance products require an actuarially sound basis for pricing policy coverage, yet insurance companies are finding it difficult, if not impossible, to quantify the precise likelihood and potential impact of a cyber attack on individual financial accounts. Given recent and past intrusions into the banking system, a threat clearly exists—whether through data or financial theft—but pricing the likelihood of that risk remains hugely challenging. One point of consolation: at least the financial sector has one of the most sophisticated network defenses of any sector.

Most consumers don’t fully understand the extent of their financial exposure if such a nightmare event were to occur. In the U.S., several entities chartered by Congress (e.g., FDIC, SIPC, NCUA) insure banking and brokerage accounts. But those organizations do not insure against theft or fraud at the institution. Instead, those situations are often covered through separate (private) insurance policies arranged by financial institutions.

Read the full post at The Hill.

Doug Criscitello is the Executive Director of MIT’s Center for Finance and Policy.
