An Analytical Review of Cyber Risk Management by Insurance Companies: A Mathematical Perspective

Abstract

This article provides an overview of the current state-of-the-art in cyber risk and cyber risk management, focusing on the mathematical models that have been created to help with risk quantification and insurance pricing. We discuss the main ways that cyber risk is measured, starting with vulnerability functions that show how systems react to threats and going all the way up to more complex stochastic and dynamic models that show how cyber attacks change over time. Next, we examine cyber insurance, including the structure and main features of the cyber insurance market, as well as the growing role of cyber reinsurance in strategies for transferring risk. Finally, we review the mathematical models that have been proposed in the literature for setting the prices of cyber insurance premiums and structuring reinsurance contracts, analysing their advantages, limitations, and potential applications for more effective risk management. The aim of this article is to provide researchers and professionals with a clear picture of the main quantitative tools available and to point out areas that need further research by summarising these contributions.

1. Introduction

Cyber risk is characterised by a combination of factors that complicate its measurement, management, and transfer (Aven et al. 2018; Eling et al. 2021; Zeller and Scherer 2022). First, the lack of reliable historical data (Zängerle and Schiereck 2023), exacerbated by companies’ reluctance to disclose incidents for fear of reputational damage, makes it difficult to build robust loss models. Second, cyber risk is inherently dynamic: it evolves alongside technological innovation, regulatory developments, and the increasing speed and scope of digital transformation, continuously creating new vulnerabilities (Georgescu 2021; Smith and Lostri 2020). In particular, Ratnawat (2025) focused on how AI can benefit small- and medium-sized businesses in the use of cyber insurance from an insurtech perspective. Mupa et al. (2025) reinforced this point, demonstrating an AI-based approach to assessing operational risk for insurance companies and pricing cyber policies. On the other hand, Zraqou et al. (2025) highlighted the rise in AI-risks, linked to the use of insurtech tools. Furthermore, Novo et al. (2025) proposed a review of emerging cyber risks due to the development of smart cities. Actually, Wheatley et al. (2016) and Xu et al. (2018) observed a growing number of significant incidents and higher frequency attacks. Also, Palsson et al. (2020) and Pollmeier et al. (2023) confirmed an increasing trend in cyber incidents. Third, unlike many traditional risks, cyber incidents are often intentional acts carried out by strategic threat actors driven by economic or political reasons, supported by a mature cybercrime ecosystem offering tools and services on demand (Abou El Houda 2024; Munk 2022). Furthermore, the high degree of interconnectivity between IT systems creates interdependence and accumulation risks, where a single vulnerability can have cascading effects across networks and sectors (Kröger 2008; Maglaras et al. 2018). This interconnectedness also generates negative externalities, as underinvestment in security by one entity can weaken the overall resilience of the network. Adding to this complexity is the challenge of quantifying the economic impact of intangible information assets and managing information asymmetries, such as adverse selection and moral hazard, which hinder effective cyber insurance solutions (Franke 2017). In this sense, Pal et al. (2025) proposed a framework relating to the information asymmetry linked to chain propagation along the supply chain of a cyber attack, and the need for the insurance company to obtain information relating to the interdependence of the insured portfolio. These issues have also led to an increasing body of literature on how to manage cybersecurity (e.g., Ghelani 2022; Lallie et al. 2021; Taherdoost 2022; Venkatachary et al. 2017). Furthermore, Allianz Commercial (2025) states that cyber risk is the one that worries companies the most, consolidating its position compared to previous years. The main causes lie in the interdependence of risks with other issues and the increase in attacks due to the improvement in AI and related technologies. The issue of security is not only about technology, but also about the possibility of hedging losses through adequate instruments. In this context, insurance companies play a fundamental role. Significant cyber-related risks have arisen in the insurance industry as a result of the growing digitalisation of financial services. According to European Insurance and Occupational Pensions Authority (2023), insurers’ vulnerability to cyber threats is twofold: they are exposed to breaches as IT users, and, on the other hand, they are indirectly exposed due to underwriting risk from cyber insurance products. Cyber attacks can limit the operational activities of insurers to fulfil contractual obligations and guarantee their continuity, with consequent risks to policyholders and broader financial stability. For this reason, insurance companies are required to integrate the ability to withstand, respond to, and recover from cyber incidents into supervisory stress test exercises, to quantify the financial impact of adverse cyber scenarios, and to assess the adequacy of risk management practices. At the same time, the expansion of the cyber insurance market reflects a greater awareness of digital vulnerabilities among companies and individuals, which inevitably exposes insurance companies to a greater underwriting risk. To these, the issue of non-affirmative cyber risk is added, which occurs when traditional insurance products inadvertently provide coverage for cyber events. These exposures are often not recognised in the underwriting processes, leading to potential misalignments between the risk and premium. With the increase in the frequency and severity of cyber events, the inability to accurately outline and assess these risks can lead to unexpected loss accumulations and greater volatility in insurers’ claims experience. An additional area of concern is the risk of cyber accumulation, where a widespread ransomware attack or a significant disruption at a commonly used cloud service provider can impact a substantial portion of an insurer’s portfolio. The interconnection of cyber risk is a key point to manage, and it requires specific modelling to be included in the stress test. In other words, the stress-testing methodologies related to cyber risk must consider both their role as targets of cyber attacks and as facilitators, ensuring not only that they can recover internally from cyber incidents but also that they are resilient to potential accumulation losses arising from their underwriting activities to safeguard the stability and reliability of the insurance sector integrated into the IT system. The increasing exposure to cyber risk has led to the exploration, quantification, and classification of the phenomenon. In this context, Lopez et al. (2025) proposed an integrated framework for risk quantification, stress scenario construction, and insurance solution design, highlighting the inherent complexity of modelling dynamic and interconnected risks. On the other hand, Rabitti et al. (2025) highlighted the excess of taxonomies about the cyber risk, which could lead to confusion, and proposed a comparative review of the main cyber risk taxonomies, highlighting significant divergences in classification criteria and emphasising the need for standardisation to improve interoperability and consistency in assessments.

This aspect is certainly important for a correct assessment of the problem and for choices in terms of both security and design of insurance products. In this sense, Strzelczyk and Puławska (2025) explored how insurance can not only cover financial losses but also incentivise virtuous behaviour in terms of cybersecurity investments. A similar result was stated by Adriko and Nurse (2024), showing how information gathering by insurance companies helps define best practices, even though the market is significantly undersized compared to the risk. However, the effectiveness of this mechanism largely depends on insurers’ ability to correctly assess the risk profile of policyholders. In this regard, Rangu et al. (2024) analysed the critical issues and gaps in the risk analysis frameworks adopted by insurance companies, highlighting how the lack of standardised metrics and structured data represents an obstacle to market efficiency.

The aim of our review is to investigate the mathematical tools available for insurance companies to manage several issues related to cybersecurity. In particular, this paper analyses the quantitative aspects of the regulatory framework to determine the fair premium and the capital requirements, the model devoted to claims evaluation and insurance pricing, and some financial instruments for reinsurance. The paper is structured as follows. Section 2 provides an overview of the state-of-the-art on cyber risk and cyber risk insurance. This is followed by Section 3, in which the quantification of cyber risk history is presented. Section 4 is devoted to cyber insurance quantification, focusing on the interdependence issue. Section 5 examines the main mathematical models for insurance pricing. Finally, Section 6 concludes the article.

2. Overview of the State-of-the-Art

This section aims to provide an overview of the current state of academic and industry research on cyber risk and cyber insurance. It examines how scholars have approached the modelling, prediction, and management of cyber threats, highlights the unique features that distinguish cyber risks from traditional insurable risks, and summarises the main challenges that still hinder the development of mature insurance solutions. By reviewing key contributions in the field, this section identifies existing knowledge gaps and emerging research directions, offering a foundation for future work on more robust and effective risk transfer mechanisms. The first contribution in this field is given by Marotta et al. (2017), providing a comprehensive overview of the state of knowledge on cyber insurance, combining perspectives from both the market and academia. Their survey defines key concepts and clarifies the formal foundations of cyber insurance as a distinct line of business within the insurance industry. They examine the main features that differentiate cyber insurance from conventional products, such as the intangible nature of the insured assets, the evolving threat landscape, the potential for large-scale correlated losses, and the role of risk accumulation through interconnectivity. The paper discusses how technological factors—including the adoption of digital infrastructures, cloud computing, and IoT devices—create new risk vectors and complicate risk assessment and underwriting processes. Moreover, Marotta et al. (2017) compared various scientific approaches to analysing the cyber insurance market, ranging from theoretical models of market equilibrium and adverse selection to empirical studies of market penetration, product design, and claims data. This synthesis helps establish a shared foundation for researchers and practitioners to build upon. Moreover, Carfora et al. (2019) contributed an actuarial perspective on cyber risk management, highlighting how traditional actuarial methods can be adapted to the context of cyber threats. Their paper focuses on the development and application of actuarial models for quantifying and pricing cyber risk, emphasising the need to account for the high degree of uncertainty and the interdependent nature of cyber events. They also discuss challenges in defining appropriate risk measures, collecting reliable data, and integrating dynamic threat intelligence into actuarial frameworks. By bringing an actuarial lens to cyber risk, their work bridges the gap between cybersecurity practice and quantitative risk modelling, underscoring the potential for actuarial science to support more robust and resilient cyber insurance solutions. Eling (2020) presented one of the most influential and structured reviews on cyber risk and cyber insurance, focusing on how these topics are addressed within the disciplines of management, economics, finance, risk management and insurance, and actuarial science. Their study shows that, although the relevance of cyber risk has grown substantially in recent years, it remains under-explored in business and actuarial research compared to its practical impact on organisations and markets. Specifically, business studies have primarily examined the adverse effects of cyber incidents through event studies and scenario-based analyses, revealing how cyber attacks influence stock prices, firm value, and operational continuity. Meanwhile, economic research emphasises the trade-offs involved in cyber risk management decisions, exploring how firms balance investments in prevention, detection, and transfer of risk through insurance. In the actuarial domain, quantitative models tend to focus on loss modelling, often investigating the statistical properties of cyber incidents, including frequency, severity, and interdependence. Notably, Eling (2020) categorised the empirical contributions in terms of how they address the dependencies between cyber risks, highlighting the role of network structures and contagion effects that make cyber risks fundamentally different from traditional insurable risks. This categorisation provides a clearer understanding of what is currently known about the distributional characteristics and correlation structures of cyber incidents, while also pointing out critical gaps in the empirical evidence base. Dubois et al. (2022) analyses the state of the art in cyber risk modelling both from academic literature and “grey” sources to provide actuaries with guidance on both the most used quantitative approaches and the available data sources, underlining the need for greater collaboration between different disciplines, the development of shared datasets, and the adoption of empirically validated models. The report highlights that while there is a great interest among computer scientists, actuaries are still little involved in analysing cyber risk. In this line of research, Cremer et al. (2022) expanded this perspective by critically analysing both academic and industry literature with a specific focus on the availability, quality, and limitations of cyber risk data. Their review underscores that one of the major barriers to advancing research and practical risk modelling in this field is the scarcity of reliable, standardised, and publicly accessible data on cyber incidents. The authors discuss how data gaps affect the accuracy of risk assessment, hinder the development of robust actuarial models, and limit the effectiveness of insurance products. They also identify emerging trends in data-sharing initiatives, regulatory reporting requirements, and collaborative efforts among insurers and firms aimed at improving the transparency and consistency of cyber risk information. In their comprehensive survey, Awiszus et al. (2023) examined the complexity of cyber risk modelling and insurance pricing frameworks, proposing a three-fold taxonomy of cyber risks: idiosyncratic, systematic, and systemic, each with distinct characteristics and modelling implications. In particular, idiosyncratic risks, arising from isolated incidents such as internal errors or targeted attacks on individual firms, are assumed to be independent across entities. These are well-suited to traditional actuarial techniques, leveraging frequency–severity models and classical premium principles to assess claim distributions. Systematic risks relate to common vulnerabilities shared across exposures, leading to correlated loss events, and can be modelled via common risk factors as in the classical frameworks. Finally, systemic risks represent the most difficult to model category, involving contagion mechanisms, showing non-linear dependencies and requiring advanced modelling strategies such as epidemic network models or game-theoretic systems to capture infection dynamics and behavioural interactions. Additionally, Dacorogna and Kratz (2023) provided a valuable perspective by framing cyber risk as a key component of modern operational risk. They discuss how traditional actuarial and quantitative models—originally designed for well-understood risks with stable statistical properties—must evolve to address the unique features of cyber threats, such as heavy-tailed loss distributions, contagion effects, and high uncertainty. The survey detects three layers of cyber risk: hardware, software, and psycho-cognitive, highlighting the importance of combining empirical data with expert judgement to quantify low-frequency, high-severity events like cyber incidents. Furthermore, Tsohou et al. (2023) added to this body of work by providing an extensive review of the literature on cybersecurity insurance, spanning both research and practice. They outline the evolution of the field, describe the current state of the market, and identify emerging trends and open issues. Among these are the increasing need for more tailored insurance products, the development of standardised policy terms, and the role of policy and regulation in shaping coverage and market growth. Their synthesis underscores the importance of interdisciplinary research and collaboration between academia and industry to tackle the complex challenges of insuring cyber risks. Adriko and Nurse (2024) analysed the relationship between cybersecurity, cyber insurance, and small- and medium-sized enterprises. The study arises from the growing awareness that small- and medium-sized enterprises are increasingly exposed to cyber threats, but often lack the resources, knowledge, and adequate tools to effectively address them. In this context, cyber insurance is proposed as a possible financial and technical support. On the one hand, cyber insurance can offer concrete value to small- and medium-sized enterprises, providing financial protection in the event of incidents, access to specialised services, and incentivising the adoption of good security practices. On the other hand, several barriers to adoption emerge, such as the difficulty of companies in understanding and assessing their cyber risks, the complexity of insurance policies available on the market, and the lack of internal technical skills. The need to develop clearer and more standardised tools to help small- and medium-sized enterprises in assessing cyber risk is also highlighted. Overall, the article represents an original and significant contribution, as it is one of the first studies to offer a comprehensive and critical view of the intersection between cyber insurance and cybersecurity in the context of small- and medium-sized enterprises, highlighting both the potential of this combination and the current limitations that hinder its full effectiveness. Finally, He et al. (2024) offered a more recent and cross-disciplinary perspective, providing a structured review of the literature on cyber risk modelling and insurance to bridge the gap between computer engineering, actuarial science, and business studies. Their work highlights the evolution of methodologies used to predict and model cyber risks, including stochastic models, simulation-based approaches, machine learning techniques, and scenario analysis. They also emphasise the importance of integrating technical insights from computer science, such as vulnerability analysis, threat intelligence, and network topology, into actuarial and insurance models to better capture the dynamic and interconnected nature of cyber risks. By categorising the existing contributions according to their modelling frameworks and underlying assumptions, the authors help identify promising avenues for future research, including hybrid models that combine statistical and engineering-based approaches to improve prediction and pricing accuracy.

3. Brief History of Cyber Risk Quantification

The development of early models for cyber risk analysis will be briefly reviewed in this section, with an emphasis on the major advancements and the introduction of more sophisticated techniques. In order to comprehend the nature and variability of cyber threats, we will also look into different risk distribution descriptions. The first two theoretical models aimed at assessing the cybersecurity vulnerability of an organisation were proposed by Gordon and Loeb. A key element of the model introduced in their seminal paper Gordon and Loeb (2002) is the vulnerability function, which expresses the probability that information is compromised as a function of the level of investment in security measures. This function is fundamental because it allows modelling the protective effect of investments: as spending on information protection increases, the probability of a successful attack decreases, although with diminishing marginal returns. The vulnerability function $v:\mathbb{R}\to [0,1]$ is typically defined as decreasing and concave, reflecting the intuition that each additional unit of investment i in security provides progressively smaller benefits in terms of risk reduction. This structure enables a rational evaluation of the trade-off between protection costs and the value of information at risk, helping to avoid both underinvestment, which exposes the organisation to significant damage, and overinvestment, which is inefficient and wasteful. The two vulnerability models are described by the following functions:

$$v={\displaystyle \frac{v_0}{{(\alpha i+1)}^{\beta }}}$$

(1)

$$v=v_0^{\alpha i+1}$$

(2)

where $v_0$ represents the vulnerability in the absence of any security investment, and $\alpha$ and $\beta$ are parameters that modulate the effectiveness of the security investment i. While the first is linear in the vulnerability variable in the absence of investment ($v_0$), the second is non-linear with respect to $v_0$, providing a more sensitive and refined model for describing overall vulnerability. The importance of this model lies in its ability to integrate cybersecurity risk into an economic framework, offering an operational criterion for determining the optimal level of investment in security (see also Gordon et al. 2014, 2016, 2020). The most well-known and cited result from the model is that it is never economically rational to invest more than 37% of the expected loss value to protect information. This limit provides a useful guideline, especially in contexts where vulnerability is significant but available resources are limited. Further models following Gordon and Loeb’s work were introduced by Hausken (2006). In particular, he proposed four models for describing the vulnerability of a firm, the last three of which can be grouped under a single function, though they differ in how vulnerability is modelled based on parameter ranges. The first model introduced by Hausken (2006) takes the following form:

$$v={\displaystyle \frac{v_0}{1+\alpha (e^{\beta i}-1)}}$$

(3)

where the parameters measure the effectiveness of security investments. The peculiarity of this model lies in the fact that there exists an intermediate level of investment at which the curve describing a firm’s vulnerability changes concavity (from concave to convex). The remaining three models can be summarised under a single function:

$$v=\left\{\begin{array}{cc}{v}_0(1-\alpha i^{\beta })\hfill & \mathrm{if}i\le {\alpha }^{-1/\beta }\hfill \\ 0\hfill & \mathrm{if}i>{\alpha }^{-1/\beta }\hfill \end{array}\right..$$

(4)

In all three models, the parameter $\alpha >0$, while they differ in the range of values that $\beta$ can take. In the first of the three, $\beta \in (0,1)$; in the second, $\beta >1$; and in the third, $\beta =1$.

Three additional models were introduced by Wang (2017), namely the Exponential Power Model, the Proportional Hazard Model, and the Wang Transform.

$$v=v_0{\alpha }^{i^{\beta }}$$

(5)

$$v=v_0(1-{\alpha }^{i^{-\beta }})$$

(6)

$$v=v_{0}G(G^{-1}\left(\alpha \right)-\beta ln\left(i\right))$$

(7)

where $G(·)$ is the cumulative distribution function of the standard normal distribution. In all three models, $\beta >0$ and $\alpha \in (0,1)$. In fact, in these models, Wang assumes $v_0=1$, thus implying that a system is fully vulnerable in the absence of security investments ($i=0$). Equations (5)–(7) represent a generalisation of the functions introduced by Wang.

The vulnerability functions are summarised in

Table 1. Summary of the vulnerability functions and their mathematical formulations. $v_0$ is the vulnerability when no investment was made, i is the investment in security, and $\alpha$ and $\beta$ are two positive parameters that describe the effectiveness of the investment on the vulnerability.

Vulnerability Function	Mathematical Formulation
Function 1	$v={\displaystyle \frac{v_0}{{(\alpha i+1)}^{\beta }}}$
Function 2	$v=v_0^{\alpha i+1}$
Function 3	$v={\displaystyle \frac{v_0}{1+\alpha (e^{\beta i}-1)}}$
Function 4–6	$v=\left\{\begin{array}{cc}{v}_0(1-\alpha i^{\beta })\hfill & \mathrm{if}i\le {\alpha }^{-1/\beta }\hfill \\ 0\hfill & \mathrm{if}i>{\alpha }^{-1/\beta }\hfill \end{array}\right.,$ $\beta \in (0,1)$ or $\beta =1$ or $\beta >1$
Function 7	$v=v_0{\alpha }^{i^{\beta }}$
Function 8	$v=v_0(1-{\alpha }^{i^{-\beta }})$
Function 9	$v=v_{0}G(G^{-1}\left(\alpha \right)-\beta ln\left(i\right))$

.

The Gordon and Loeb model has been extended and refined in various ways to better capture the complexities of real-world cybersecurity investment decisions. For example, Kuper et al. (2020) examined under what conditions it is economically rational to invest in cybersecurity, highlighting the existence of a critical threshold of vulnerability where such investments become worthwhile. Building on this, Mazzoccoli and Naldi (2021) developed a dynamic extension of the Gordon–Loeb framework, accounting for asset depreciation and time-dependent returns, and suggesting that optimal investments should adapt over time. Young et al. (2016) contributed a flexible decision-making framework that incorporates uncertainty about cyber risks, allowing organisations to adapt their security strategies as new information emerges. Meanwhile, Matsuura (2008) linked cybersecurity investments directly to productivity gains, emphasising that better security can also enhance overall business performance. Skeoch (2022) expanded the traditional Gordon–Loeb approach by introducing systemic risks, showing how interconnections between organisations can lead to cascading effects that increase the optimal level of investment. In a similar vein, Mazzoccoli and Naldi (2022b) optimised cybersecurity spending by jointly considering insurance solutions and complex market dynamics, illustrating how security and insurance can be combined for better risk management. Wang (2019) proposed an integrated cost–benefit model for cybersecurity that goes beyond the original static framework, weighing security spending against insurance premiums and expert costs. Krutilla et al. (2021) also extended the analysis to a dynamic, multi-period setting, evaluating how the benefits of cybersecurity investments evolve over time and contribute to broader public welfare. Focusing on inter-organisational dependencies, Gao et al. (2015) incorporated network effects into the investment decision, analysing how firms’ security choices influence each other. Huang and Behara (2013) revisits the economics of vulnerabilities with a variant which applies to targeted attacks on specific nodes rather than general threats. Mayadunne and Park (2016) used this simplified Gordon and Loeb version to support risk management decisions for small- and medium-sized enterprises, applying expected utility theory to tailor investment levels. Taking the strategic dimension further, Xu et al. (2019) modelled cybersecurity investments in interactive, multi-actor contexts, introducing game-theoretic elements absent from the original Gordon–Loeb model. All these extensions have been studied and summarised in depth by Mazzoccoli and Naldi (2022a), who provided an extensive review of how the Gordon–Loeb framework has evolved to incorporate dynamics, network effects, insurance integration, and real-world empirical adjustments. Callegaro et al. (2025) presented a stochastic and dynamic version of the Gordon–Loeb model for optimal cybersecurity investment by using a Hawkes process to incorporate temporally clustered cyber attacks. Finally, Franke and Orlando (2025) extended the Wang model to highlight the role of the insurer to stimulate joint investment in cybersecurity to reduce systematic risks and improve the entire business supply chains. Furthermore, several studies focused on the frequency–severity approach to model cyber attacks. In particular, severity follows heavy-tailed distributions (Dacorogna et al. 2023; Dunne and Malone 2017; Eling et al. 2024; Farkas et al. 2021; Strupczewski 2019), while Sun et al. (2021) focused on random variables to model frequency distribution instead of severity, proposing a hurdle Poisson random variable to manage zero attacks on firms and an irregular distribution of breaches. This distribution is combined with a heavy-tailed distribution for severity, taking into account the relationship between frequency and severity, which is generally neglected. An important article regarding the frequency–severity approach is given by Maillart and Sornette (2010). The two authors analysed a dataset of real-world cyber incidents collected between 2000 and 2008, including economic losses caused by attacks such as viruses, hacking, data breaches, and similar events. In particular, they show that the economic damages resulting from cyber incidents follow a heavy-tailed distribution, specifically a power-law distribution:

$$\mathbb{P}(X>x)\sim x^{-\alpha },x\ge x_{min}$$

where $\alpha$ is the power-law exponent, and $x_{min}$ is the threshold above which the distribution effectively follows the power-law behaviour.

The authors estimate $\alpha$ from the observed data in the following way:

$$\widehat{\alpha }=1+n{\left[\sum _{i=1}^{n}ln\left({\displaystyle \frac{x_i}{x_{min}}}\right)\right]}^{-1}$$

where n is the number of observations such that $x_i\ge x_{min}$.

The empirical value they find is $\alpha \approx 1.7$, which implies a theoretically infinite variance and a highly unstable mean.

This means that while most incidents cause relatively small damages, a small fraction of extreme events can lead to massive economic losses. Traditional risk assessment methods (based on means and standard deviations) are inadequate for modelling cyber risks.

Companies and governments must adopt risk management strategies that account for the possibility of rare but catastrophic events.

Peters et al. (2017) employed clustering and predictive modelling techniques to analyse cyber incident data. For unsupervised classification, K-means clustering is utilised to partition the data by minimising the within-cluster sum of squares:

$$\underset{C_1,\dots ,C_k}{min}\sum _{j=1}^k\sum _{x_i\in C_j}{\parallel x_i-{\mu }_j\parallel }^2,$$

where ${\mu }_j$ denotes the centroid of cluster $C_j$. Additionally, hierarchical clustering methods are applied to capture the relational structure between clusters based on inter-group distance metrics. Supervised learning approaches are adopted to model incident severity and the likelihood of specific attack types. In particular, logistic regression is used to estimate the probability of a successful cyber attack. To characterise the distribution of cyber losses, parametric models such as log-normal, gamma, and Pareto distributions are employed. Moreover, kernel density estimation is used as a non-parametric technique to obtain smoothed approximations of loss distributions. In the paper by Sobchuk et al. (2023), cyber attacks were represented by a piecewise continuous function $f\left(t\right)$, constructed from empirical data (e.g., the number of attacks within specific time intervals). The function $f\left(t\right)$ was expanded into a Fourier series as follows:

$$f\left(t\right)=a_0+\sum _{n=1}^{\infty }\left(a_{n}cos\left({\displaystyle \frac{2\pi nt}{T}}\right)+b_{n}sin\left({\displaystyle \frac{2\pi nt}{T}}\right)\right)$$

where T is the period of the function (e.g., a fixed time window), and $a_n$ and $b_n$ are the Fourier coefficients, calculated based on the observed data. Weisman et al. (2025) proposed mathematical models to quantify the cyber resilience of the system under study. Let $X\left(t\right)$ represent the system performance or state of functionality at time t, where $X\left(t\right)$ decreases due to the impact of cyber attacks and recovers over time due to inherent physical resilience and cyber-defence mechanisms. The dynamics of $X\left(t\right)$ can be modelled by differential equations of the form

$$dX\left(t\right)=-{\alpha }_{1}A\left(t\right)X\left(t\right)dt+{\alpha }_{2}R\left(t\right)(1-X\left(t\right))dt,$$

where $A\left(t\right)$ is the attack intensity function representing the severity or presence of malware attacks at time t, $R\left(t\right)$ represents recovery efforts or inherent resilience factors active at time t, and ${\alpha }_1$ and ${\alpha }_2$ are positive parameters quantifying the effectiveness of attack impact and recovery mechanisms, respectively. This formulation captures the degradation of system performance under attack and its restoration through resilience. The model parameters can be estimated from experimental data obtained during systematic testing of the cyber–physical system. Key quantitative metrics derived from this model include the resilience level, which is defined as the minimum performance level reached during an attack, the recovery time required for $X\left(t\right)$ to return to a specified threshold close to full functionality, and the robustness, which quantifies the system’s resistance to performance degradation. In particular, these models provide a tractable and interpretable framework for assessing cyber resilience and guiding the design of improved defence strategies. The importance of severity–frequency models relies on their use by insurance to determine the value of the portfolio and the solvency capital requirement. The next section focuses on the insurance market and the issues facing portfolio management and the modelling of tailored cyber risk hedging products.

4. Cyber Insurance

4.1. Managing Interdependence in Insurance Regulation

The insurance market for cyber risk hedging has been expanding in recent years, and this growth has also impacted the regulation and operational risks associated with the products offered by insurance companies. In particular, the European Insurance and Occupational Pensions Authority (EIOPA) investigates cyber risk hedging needs, both on the supply and demand side. European Insurance and Occupational Pensions Authority (2018) satisfies the need to investigate the cyber risk insurance market, understand its dimension, and evaluate the critical issues to be explored in depth. To fill the knowledge gap, a qualitative survey is carried out in 13 European insurance groups to define a general framework of the phenomenon. From the survey, an embryonic phase emerges, with extensive use of qualitative methods for the estimation of pricing, risk exposures, and risk accumulations. Lack of claims data is the most important limitation in properly estimating and pricing risk. In addition, the importance of quantifying non-affirmative risks and operational risks for insurance companies arises. European Insurance and Occupational Pensions Authority (2019) explores the latter aspects, with a quantitative survey of 41 insurance groups, representing approximately three-quarters of the European market. The study shows significant variability in the definition of Solvency Capital Requirements (SCRs) for cyber risk, with significantly different capital requirements; alternatively, some insurers refer to the Solvency II Standard Formula and do not quantify cyber risk directly. EIOPA investigations show the importance of a common regulatory framework and definitions to improve operational resilience and enable more effective dialogue between insurance companies, regulators and authorities, and the need for harmonised claims reporting systems, to enable a more complete and shared view of risk. The opportunity to leverage cyber insurance to increase awareness of digital risk and promote the dissemination of best practices. Alongside these aspects, the need to develop specific quantitative methods to manage non-affirmative exposures emerged, since they are still poorly understood and structured in the market.

At the end of the investigation and discussions with insurance companies and actuaries, European Insurance and Occupational Pensions Authority (2023) defines a regulatory framework to assess insurer resilience under the likely scenarios of cyber adverse events, providing guidelines in terms of events to stress test, metrics to use for assessment, and types of risk to consider, in line with the indications of the Digital Operational Resilience Act (DORA). In particular, EIOPA focused on two main issues: cyber resilience, that is, the ability of an insurance company to withstand the financial impact of an adverse cyber event, and the cyber underwriting risk, that is, the insurance capacity to deal with the capital requirements affecting the insurance hedging, such as liability portfolios. Distinguishing between affirmative and non-affirmative risks, EIOPA indicates the suitable insurance product to define a cyber liabilities portfolio, the size of the financial exposure, in terms of line of business, and the evaluation metrics to adequately perform a stress test. Also in this report, awareness promotion versus the need to perform a stress test on non-affirmative cyber risk emerges. Let N be the number of adverse cyber events and $L_i$ be the associated losses. We define the random variable of exposure risk X as

$$X=\sum _{i=1}^N{L}_i.$$

Assuming $L_i$ are i.i.d. with a generic random variable $\mathcal{L}$, we define the actuarial present value of the insurance contract, that is, the expected value of the risk exposure random variable X as

$$\mathbb{E}\left[X\right]=\mathbb{E}\left[N\right]\mathbb{E}\left[L\right]\mathbb{V}\left[X\right]=({\mathbb{E}}^2\left[L\right]+\mathbb{V}\left[L\right])\mathbb{E}\left[N\right],$$

(8)

and the distribution of risk exposure is defined as

$$F_X(\ell )=\sum _{i=0}^{\infty }{P}_n·F_L^n\left(x\right)$$

where $P_n$ is the frequency distribution and $F_L^n\left(x\right)$ represents the n times convolution of the severity distribution.

Solvency II states the calculation of the Solvency Capital Requirement (SCR) according to two approaches European Commission (2015); European Insurance and Occupational Pensions Authority (2014): the standard formula and the internal model. The former is equal to the sum of the basic SCR ($bSCR$), the capital requirement for operational risks ($SC{R}_{op}$), and the adjustment ($Adj$)

$$SCR=bSCR-Adj+SC{R}_{op}.$$

Let $SCR$ be the vector of the capital requirement for each risk category $SC{R}_i$, it can be defined as

$$SCR=\sqrt{SC{R}^T·\Sigma ·SCR}$$

where $\Sigma$ is the correlation matrix between different risk categories. The standard formula takes into consideration only linear relationships between predetermined risk categories, whose coefficients are provided by EIOPA. The SCR can also be defined as the gap between the $\alpha \%$ Value-at-Risk (VaR) and the actuarial present value of the exposure to risk random variable X:

$$SCR=\left[{VaR}_{\alpha \%}\left(X\right)-\mathbb{E}\left[X\right]\right].$$

This implies that the $SCR$ can be defined as

$${VaR}_{\alpha \%}\left(X\right)-\mathbb{E}\left[X\right]=\kappa ·\sqrt{\Sigma }$$

where $\kappa$ is the standard deviation factor of a distribution, and VaR is defined as follows:

$${\mathrm{VaR}}_{\alpha }=inf\{x\in \mathbb{R}:P(L>x)\le 1-\alpha \}.$$

The actuarial present value $\mathbb{E}\left[X\right]$ let to define the pure premium $PP$ by adding the safety loading $\delta$

$$PP=\mathbb{E}\left[X\right]+\delta .$$

The sum of the pure premium and the expense loadings gives the expenses-loaded premium

$$EP={\displaystyle \frac{PP}{(1-\eta )}}.$$

(9)

The expense loading proportion is denoted by $\eta$ and is measured in $EP$. The safety loading ${\delta }_{CoC}$ is determined according to the principle of the cost of capital (CoC). Let $\rho$ be the cost of capital rate, assuming that the risk will expire in one year, the target solvency ratio is equal to $\xi \%$ and $i_{rf(0,1)}$ is the risk-free rate between 0 and 1, then we define ${\delta }_{CoC}$ as

$${\delta }_{CoC}={\displaystyle \frac{\xi \rho ·SCR}{\left(1+i_{rf(0,1)}\right)}}={\displaystyle \frac{\xi \rho ·\left[{VaR}_{\alpha \%}\left(X\right)-\mathbb{E}\left[X\right]\right]}{\left(1+i_{rf(0,1)}\right)}}.$$

The relationship among risks is a crucial point for a correct definition of capital requirements and the expense-loaded premium. As highlighted by Adelmann et al. (2020), there is an interconnection between cyber risk and financial stability, through knock-on effects that affect financial operators and institutions, which arises through a loss of confidence by lead customers, lack of liquidity, and substitutability, which can be emphasised by weaknesses in technology and communications between technology and financial operators. For these reasons, many studies focus on the interaction effects between cyber attacks and the impact on the assessment of capital requirements and the pricing of insurance products.

In particular, Eling and Schnell (2020) proposed an empirical analysis comparing the results of Solvency II, the US Risk-Based Capital Standards, and the Swiss Solvency Test regulations for the calculation of capital requirements, considering the correlations between sources of risk. In the paper, the fallacy of independence emerges: treating each risk as independent (e.g., the sum of individual risks with marginal distributions) leads to underestimating the aggregate risk. Copulas are used precisely to model this dependence between events, separating the dependence structure from the marginal distributions. The theoretical basis for the use of copulas is provided by Sklar’s theorem, which states that for every multivariate distribution $H(x_1,\dots ,x_d)=\mathbb{P}(X_1\le x_1,\dots ,X_d\le x_d)$ of a random vector $X=(X_1,\dots ,X_d)$ with marginal distributions $F_i\left(x\right)=\mathbb{P}(X_i\le x_i)$, there exists a copula C such that

$$H(x_1,\dots ,x_d)=C(F_1\left(x\right),\dots F_d\left(x\right)).$$

Additionally, the converse is true. Given a copula $C:{[0,1]}^d\to [0,1]$ and marginals $F_i\left(x\right)$, then $C\left(F_1\left(x_1\right),\dots ,F_d\left(x_d\right)\right)$ defines a $d–$dimensional cumulative distribution function with marginal distributions $F_i\left(x\right)$. The main families of Copula are elliptical and Archimedean.

For a random vector X which expectation and variance are constant, let $\psi :[0,\infty )\to \mathbb{R}$ be a function such that ${\varphi }_{X-\mu }=\psi (t^{\prime }\Sigma t)$. If it holds for the characteristic function ${\varphi }_{X-\mu }$ of $X-\mu$, X is an elliptically distributed random vector with parameters $\mu$, $\Sigma$, and $\psi$. To isolate the dependence structure, we define $u_i=F_i\left(x_i\right)$, for $i=1,\dots ,d$, so that $u=(u_1,\dots ,u_d)\in {[0,1]}^d$ is a vector of standardised uniform variables. Let $X\sim Ed(\mu ,\Sigma ,\psi )$ be an elliptically distributed random vector with the cumulative distribution function H and continuous marginal distributions $F_i\left(x\right)$. The unique copula C of X with $C\left(u\right)=H(F_1^{-1}\left(u_1\right),\dots ,F_d^{-1}\left(u_d\right))$ is called an elliptical copula. The most well-known and commonly used elliptical copulas are the Gaussian copula with correlation matrix R and the t-copula, namely

$$C_R^{\mathrm{Gauss}}\left(u\right)={\Phi }_R^d\left({\varphi }^{-1}\left(u_1\right),\dots ,{\varphi }^{-1}\left(u_d\right)\right),$$

where ${\Phi }_R^d$ is the cumulative density function of a d-dimensional normal distribution with expected vector 0 and correlation matrix R, and ${\varphi }^{-1}$ is the inverse of the standard normal marginal distribution.

$$C_{\alpha ,R}^t\left(u\right)=t_{\alpha ,R}^d(t_{\alpha }^{-1}\left(u_1\right),\dots ,t_{\alpha }^{-1}\left(u_d\right)),$$

where $t_{\alpha ,R}^d$ is the cumulative density function of ${\displaystyle \frac{\sqrt{\alpha }}{\sqrt{S}}}Z$, where $S\sim {\chi }_{\alpha }^2$, $Z\sim N_k(0,R)$, and S and Z are independent. $t_{\alpha }$ are the marginal distributions of $t_{\alpha ,R}^d$.

Elliptic copulas are symmetric and characterised by a linear dependence structure. The main difference between a Gaussian and t-copula is that the former has zero asymptotic dependence in the tails, while the latter shows symmetric and positive tail dependence. The main disadvantages of elliptical copulas are the inability to handle asymmetric relationships and the absence of a general closed form, overcome by Archimedean copulas. Let $\mathcal{F}:[0,1]\to [0,+\infty ]$ be a continuous, strictly monotone decreasing function with $\mathcal{F}\left(1\right)=0$. The pseudo-inverse function ${\mathcal{F}}^{[-1]}:[0,+\infty ]\to [0,1]$ is defined by

$${\mathcal{F}}^{[-1]}\left(t\right)=\left\{\begin{array}{cc}{\mathcal{F}}^{-1}\left(t\right)\hfill & 0\le t\le \mathcal{F}\left(0\right)\hfill \\ 0\hfill & \mathcal{F}\left(0\right)\le t\le +\infty \hfill \end{array}\right..$$

${\mathcal{F}}^{-1}\left(t\right)$ is continuous and monotone decreasing on $[0,\infty ]$, strictly monotone decreasing on $[0,\mathcal{F}(0\left)\right]$ and ${\mathcal{F}}^{[-1]}\left(\mathcal{F}\left(u\right)\right)=u$ for $u=[0,1]$ holds. The function $C:{[0,1]}^d\to [0,1]$, with $C(u;\mathcal{F})={\mathcal{F}}^{[-1]}(\mathcal{F}\left(u_1\right),\dots ,\mathcal{F}\left(u_d\right))$ is a copula if $\mathcal{F}$ is convex, and C is an Archimedean copula with generator $\mathcal{F}$. Also of note, Archimedean copulas are as follows: Gumbel copula, with $\mathcal{F}\left(t\right)={(-lnt)}^{\theta },\theta \ge 1$ to model right tail dependence, Clayton copula, with $\mathcal{F}\left(t\right)={\displaystyle \frac{1}{\theta }}(t^{-\theta }-1),\theta >0$, to model left tail dependence, and Frank copula, with $\mathcal{F}\left(t\right)=-ln\left({\displaystyle \frac{exp(-\theta t)-1}{exp(-\theta )-1}}\right),\theta \ne 0$ to model symmetric dependence. To model the loss linked to insurance company solvency, Eling and Schnell (2020) used a Clayton copula to show that even small changes in the copula model or parameters lead to significant changes in the expected rewards and benefits from diversification, with an underestimation of capital requirements for cyber risk hedging, especially for small portfolios. In a previous research, Eling and Jung (2018) performed a Pair Copula Construction, which is an approach to combine bivariate copulas according to a criterion, in this case, the type of breach and business sectors, to show the presence of an asymmetric tail dependency structure among cyber attacks. In this way, the model describes correlations between extreme losses much more realistically than simpler or independent models. Mukhopadhyay et al. (2013) proposed a Copula-Bayesian Vulnerability Assessment, combining a Bayesian Belief Network and a Gaussian copula to assess the vulnerability of computer security systems to attacks and the convenience of associating the investment in security with an insurance hedging. Xu et al. (2018) analysed the dependency structure between frequency and severity of cyber attacks, comparing different types of copulas, both elliptical and Archimedean, showing that the inter-arrival periods of the breaches and the breach magnitude are positively correlated. According to the cybersecurity definition of reliance, a significant breach is more likely to occur after a prolonged period without any occurrences. Based on this result, they propose a stochastic loss forecasting process that takes into account both severity and frequency. In a later research, Xu and Hua (2019) integrates Gaussian and Clayton copulas into non-Markovian models, which takes into account the relationship between waiting time and severity of an attack, while also including network contagion effects. In this way, the model takes into account both time dependence and network contagion effects. The results show that non-Markovian models, in combination with copulas, are able to model the simultaneity of attacks and the persistence of the threat, which Markovian models tend to underestimate. Carannante et al. (2023) focused on the dependency structure of breaches, using vine copulas by type of attack. Vine is a tool to define constraints in high-dimensional probability distributions. In particular, decomposing the multivariate copula $C\left(u\right)$ into a sequence of conditional bivariate copulas allows for a more flexible representation of dependence structures. In other words, a vine copula expresses $C\left(u\right)$ as the product of conditional bivariate copulas. In particular, $\left(F,V,B\right)$ denotes a vine copula specification where $F=\left(F_1,\dots ,F_d\right)$ is a vector of continuous invertible marginal distribution functions, and $B=\left\{B_e|i=1,\dots ,d-1;e\in E_i\right\}$ is a set of copulas with $B_e$ being a bivariate copula. The unique specification of the vine copula, whose density is given by

$$f_{1\dots d}\left(x\right)=\prod _{k=1}^d{f}_k\left(x_k\right)\prod _{i=1}^{d-1}\prod _{e\in E_i}{c}_{C_{e,a,}{C}_{e,b}|D_e}\left(F_{C_{e,a}|D_e}\left({\mathbf{x}}_{C_{e,a}}|{\mathbf{x}}_{D_e}\right),F_{C_{e,b}|D_e}\left({\mathbf{x}}_{C_{e,b}}|{\mathbf{x}}_{D_e}\right)\right)$$

where $\mathbf{x}=\left(x_1,\dots ,x_d\right)$, $e=\left\{a,b\right\}$,$x_{D_e}=\left\{x_i|i\in D_e\right\}$, and $c_{C_{e,a,}{C}_{e,b}|D_e}$ is the bivariate copula density for edge $e=\left\{a,b\right\}$. The advantage of using vine copulas is to identify the type of relationship that occurs between the random variables by comparing them in pairs. Carannante et al. (2023) showed that the vine copula approach outperforms elliptical multivariate copulas in a prudential sense to determine the SCR in a cyber risk hedging framework, analysing the relationship among seven cyber breaches. Peng et al. (2018) proposed a combined vine copula and GARCH approach to model the volatility of breaches on individual servers and their dependencies. Empirical results show that this Copula-GARCH approach improves the accuracy of predicting joint risk exposure, allowing for better estimation of indicators such as multivariate Value-at-Risk. Cherubini (2024) extended the GL1 model in Equation (1) to the multivariate case using vine copulas to model the losses deriving from a multiple attack or addressed to multiple technologies. On a similar front, Bardopoulos (2025) analysed the dependency relationships between risks related to cyber attacks, comparing different heavy-tailed loss functions and estimating the joint distributions of loss. The empirical analysis shows that the main risk factor is the tail volatility, which insurance companies do not take into account in their assessments, leading to an underestimation of capital requirements. Ballestra et al. (2024) evaluates a different aspect of interdependency, namely the geographical basis risk in the cyber insurance products due to contagion effects. A breach risk model based on a count regression that combines exchangeable random effects and spatial random effects is proposed to determine the risk of breach in the US. The empirical analysis shows the opportunity to propose a generalised scheme to ensure most of the US states are covered.

4.2. Cyber Insurance Products

Cyber insurance is a risk management tool that has become increasingly important in response to the spread and danger of cyber attacks, especially in the context of businesses and critical infrastructures. It represents a form of risk transfer in which an organisation takes out a policy t,o hedge economic losses due to breaches, business interruptions or reputational damage. However, despite the increasing demand in recent years, the cyber insurance market remains limited compared to other insurance areas, partly due to the high uncertainty in assessing and pricing cyber risk. The barriers that limit the growth of cyber insurance are of interest to international organisations. In particular, Organisation for Economic Co-operation and Development (2017) stated the need to overcome structural barriers in the insurance market, including the scarcity of historical data, regulatory uncertainty, and the difficulty of modelling the systemic risk associated with large-scale attacks. Organisation for Economic Co-operation and Development (2020) also highlighted the need to make insurance hedging more transparent and understandable, both for policyholders and insurers, suggesting regulatory tools to improve contractual clarity and encourage the spread of policies. Weber et al. (2024) analysed actuarial techniques and applications of artificial intelligence in cyber risk assessment, identifying potential tools to improve the underwriting and pricing process. Barreto et al. (2021) focused on the specific challenges posed by cyber-physical systems, such as energy infrastructure, industrial plants, and intelligent transport, where the consequences of an attack can propagate into the physical world and cause catastrophic damage, highlighting the difficulties in risk assessment for cyber-physical systems. A possible solution could be a combination of insurance innovation and regulatory intervention to encourage transparency and develop tools appropriate to the complex nature of these systems. One of the aspects that limits the growth of the insurance market is the presence of moral hazards and information asymmetries. Shetty et al. (2010) proposed a market competitive model for insurance companies, showing that the lack of information about the level of investment in cybersecurity by insurance companies causes market inefficiency, as this depends on the utility functions of individual policyholders. In addition, there is a moral hazard effect, as insurance coverage discourages investments in security. In particular, the goal is to optimise both policyholders’ and insurance companies’ utility. Let $s\ge 0$ be the cybersecurity investment to minimise the expected costs; insurance companies compete by offering premiums $EP\left(s\right)$ and indemnity share $\mathcal{b}\in [0,1]$. The expected utility for the policyholder is given by

$$\mathcal{U}\left(s\right)=-EP\left(s\right)-\mathbb{P}\left(s\right)·(1-\mathcal{b})L-\mathcal{C}\left(s\right)$$

where $EP\left(s\right)$ is the insurance premium to pay (expenses-loaded premium), $\mathbb{P}\left(s\right)$ is the loss probability, L is the economic value of the loss, and $\mathcal{C}\left(s\right)$ is the cost of investment in cybersecurity. The insurance companies’ problem is to maximise their profit, given the rational behaviour of the user and the competition in the market

$$\underset{EP,\mathcal{b}}{max}\{EP\left(s\right)-\mathbb{P}\left(s\right)·\mathcal{b}L\}.$$

The lack of information about the level of investment s in cybersecurity by insurance companies is a cause of market inefficiency. In addition, there is a moral hazard effect, as insurance coverage discourages investments in security. The analysis shows that it is not possible to optimise both policyholders’ utility and insurance companies’ profits. Romanosky et al. (2019) systematically analysed over 100 cyber insurance policies collected from US state commissioners, identifying four main areas evaluated by insurers: governance and compliance; technical; internal policies and procedures; and regulatory aspects. On the pricing front, the authors highlight strong heterogeneity. Many policies adopt a flat-rate model based exclusively on the asset value or turnover of the company, ignoring security controls. Only about a third of companies integrate factors related to the actual security status of the insured into the premium calculation. Many premiums remain approximate and poorly correlated with the actual security of the insured, indicating a potential benefit in integrating more granular technical assessments into the underwriting processes. Zeller and Scherer (2022) proposed a quantitative formalisation for a cyber insurance contract through a marked point process, which allows for overcoming the main limitations of cyber insurance. In particular, instead of relying on static or heuristic premiums, they directly model the distribution of losses, allowing pricing based on real risk. Their model can be used both by insurers and by regulators, bridging a gap between actuarial theory and commercial practice. In particular, the stochastic process is defined as a sequence of marked points

$${\left\{(t_i,(m_i,S_i))\right\}}_{i\in \mathbb{N}}\subset [0,T]\times (M\times \mathcal{P}\left(\{1,\dots ,J\}\right))$$

where $t_i$ is the arrival time, $m_i\in [m_{min},m_{max}]$ is a mark to describe severity and frequency, and $S_i\subseteq \{1,\dots ,J\}$ is the set of breached firms in portfolio. Marks $(m_i,S_i)$ are independent from arrival time $t_i$, that is

$$(m_i,S_i)\perp t_i\mathrm{for}\mathrm{each}i\in \mathbb{N}.$$

The main advantage of this approach is considering cyber interdependencies from a dynamic perspective. Xiang et al. (2024) determined a dynamic equilibrium for cyber insurance contracts, introducing a Bonus–Malus system to incentivise risk reduction through autonomous mitigation measures and reduce moral hazard by rewarding those who do not file claims or adopt good practices. In particular, a Markov transition model is defined to update dynamically the insurance state to calculate the premium. For $t=1,\dots ,T$, let $f_t:{\mathcal{B}}_1\times {\mathcal{B}}_2\times \mathcal{D}\times \{0,1\}\times \{0,1\}\times \mathcal{W}\to {\mathcal{B}}_1\times {\mathcal{B}}_2$ be the state transition function for each year t, given by

$$f_t(b_1,b_2,d,\iota ,j,w):=\left\{\begin{array}{cc}\mathcal{B}\mathcal{M}\left(b_1,j{\lambda }^{\mathcal{B}\mathcal{M}}(b_1,t,L(d,w))\right),\hfill & \mathrm{if}\iota =1,\hfill \\ \mathcal{B}{\mathcal{M}}_0(b_1,b_2),\hfill & \mathrm{if}\iota =0,\hfill \end{array}\right.$$

where ${\lambda }^{\mathcal{B}\mathcal{M}}$ is the Bonus–Malus loss function. In other words, $f_t(b_1,b_2,d,\iota ,j,w)$ returns the Bonus–Malus level and the insurance state in year t given that the Bonus–Malus level and the insurance state in year $t-1$ are $b_1$ and $b_2$, the decisions in year t are $d,\iota ,j$, and the cyber loss events in year t are w. Chong et al. (2025a) developed an economic basis for incident-specific cyber insurance products, focusing on how incident-specific benefits should be designed to achieve Pareto optimality for both the insurance seller and the buyer. Real-world cyber incident data is used to illustrate the feasibility of this approach. Additionally, several implementation improvement methods are discussed for practicality. In particular, the expected utility of the insured, considering the specific coverage for the type of accident, can be expressed as

$$\mathcal{U}=\mathbb{E}\left[u\left(\mathrm{W}-EP-\sum _k{\mathrm{I}}_k·L_k\right)\right]$$

where $\mathrm{W}$ is the initial wealth, $EP$ the insurance premium paid, ${\mathrm{I}}_k\in \{0,1\}$ indicates whether the accident of type k is hedged, $L_k$ is the loss associated with the accident of type k, and $\mathcal{U}$ is the utility function of the policyholder. The premium and hedging structure ${\mathrm{I}}_k$ is designed to achieve a Pareto efficient equilibrium between insurer and insured for each type of accident. Finally, Chong et al. (2025b) introduced a two-pillar cyber risk management framework to address the pervasive challenges in cyber risk management. The first pillar, cyber risk assessment, combines insurance frequency–severity models with cybersecurity cascade models to capture the unique nature of cyber risk. The second pillar, cyber capital management, facilitates informed capital allocation for a balanced cyber risk management strategy, including cybersecurity investments, insurance coverage, and reserves. A case study, based on historical cyber incident data and realistic assumptions, demonstrates the need for a comprehensive cost–benefit analysis for companies with limited budgets and competing cyber risk management objectives. Additionally, a sensitivity analysis highlights the dependence of the optimal strategy on factors such as the price of cybersecurity controls and their effectiveness. The optimal capital management is formalised as the following minimisation problem:

$$\underset{\mathcal{C},\mathrm{I},CoC}{min}\{\mathcal{C}+EP\left(\mathrm{I}\right)+CoC\left(\mathcal{R}\right)\}$$

subject to

$$\mathbb{P}(X>\mathcal{R}+\mathrm{I})\le \alpha$$

where $\mathcal{C}$ is cybersecurity investments, $\mathrm{I}$ is the level of insurance coverage, $\mathcal{R}$ is capital reserves, $EP\left(\mathrm{I}\right)$ is the insurance premium as a function of $\mathrm{I}$, $CoC\left(\mathcal{R}\right)$ is the cost of capital associated with reserves, and $\alpha$ is the level of acceptable risk (e.g., VaR or probability of default).

4.3. Cyber Reinsurance

Insurance companies employ cyber reinsurance as a safeguard to control their exposure to cyber threats (Cremer et al. 2024). Insurers who provide specialised coverage for cyber risks—like ransomware attacks, data breaches, or disruptions of digital services—are more vulnerable to potentially significant and frequently unanticipated losses as a result of the growth in these threats. In order to safeguard themselves, they assign a portion of this risk to reinsurance firms, who then distribute it among a larger and more varied portfolio (Woods and Wolff 2025). Since cyber risks are different from other insurance categories, reinsurance is especially crucial in this situation. A single cyber attack can disrupt hundreds of businesses at once, particularly if they depend on shared cloud services or software providers. This is the first example of how cyber incidents can have a systemic effect. Furthermore, the very nature of cyber risk is ever-changing: new vulnerabilities appear on a regular basis, making it challenging to forecast with precision how frequently and how severe accidents will occur. Risk piling, which means that a single incident might affect several policies, is another important problem. An insurance company’s decision to keep the entire exposure on its own balance sheet is, therefore, dangerous. It is consequently more practical to provide cyber coverage in the market since reinsurance permits risk pooling and diversification. The need for cyber reinsurance has increased dramatically in recent years, but reinsurers are being cautious. Cyber risk is one of the most complicated issues facing the insurance industry as a whole because of the dearth of adequate historical data, the high degree of uncertainty, and the possibility of catastrophic catastrophes Zängerle and Schiereck (2023). In this context, alternative risk transfer mechanisms such as cyber catastrophe bonds (cat bonds) have been proposed as innovative reinsurance tools. As discussed in Mastroeni et al. (2022), cyber cat bonds can help insurers transfer part of their cyber risk exposure to capital markets, offering a potential solution to the capacity constraints and uncertainty inherent in traditional reinsurance models. These instruments could play a key role in enhancing the resilience of the cyber insurance ecosystem by enabling broader risk sharing and attracting new sources of capital.

5. Pricing

This section presents several models proposed in the scientific literature for determining insurance premiums in the context of cyber insurance. In particular, we describe the mathematical models and the variables commonly used for this purpose. An early discussion surrounding the role of insurance in cybersecurity focused on its potential to incentivise security investments—specifically, whether insurance promotes increased investment in protection or instead gives rise to a “market for lemons.” Proponents of cyber insurance include Kesan et al. (2004), Bolot and Lelarge (2009), and Yang and Lui (2014), particularly in scenarios where protection quality is not sufficiently high. On the other hand, critics such as Pal et al. (2014) and Shetty et al. (2010) argue that significant information asymmetry regarding the policyholders’ actual vulnerability prevents the emergence of a viable insurance market. Key challenges to the adoption of cyber insurance—namely, asymmetric information and correlated risks—were already identified by Baer and Parkinson (2007) and continue to persist today. As previously highlighted, identifying an appropriate distribution for cyber claims is extremely challenging. Several studies, including Edwards et al. (2016), highlighted the absence of a well-defined distribution for such events. As a result, increasingly sophisticated models are required to minimise the risk of loss estimation errors and, consequently, to optimise pricing models (Adriko and Nurse 2024; Franke 2017). In the paper by Böhme and Kataria (2006), premiums were not determined exogenously; rather, they depend on the expected expenditure incurred by insurance companies to settle all claims within a given period. The total cost $TC$ for insurers in a single period can be expressed as the sum of three components:

$$TC=\mathbb{E}\left[X\right]+Admin+r·Sc$$

where $\mathbb{E}\left[X\right]$ is the expected value of the loss, with X representing a random variable denoting the exposure to risk distribution, $Admin$ is the total administrative cost, which is assumed to be negligible, $Sc$ denotes the amount of safety capital required to ensure full coverage in the event that the realised losses exceed expectations, and r is the interest rate applied to the safety capital $Sc$, reflecting the risk profile of the insurance business. With reference to Equation (9), $TC$ corresponds to the expenses-loaded premium $EP$ recalculated for each period. Lau et al. (2020) analysed the insurance premium using the well-known Expected Value Premium Principle (see for details Kaas et al. 2008), which defines the pure premium as being proportional to the expected loss. However, they assess that this approach is not suitable for cyber risks, as these risks are typically not independent. Specifically, it is defined as follows:

$$PP=(1+\lambda )\mathbb{E}\left[X\right]$$

where X is the random variable describing the potential total loss and $\lambda$ is the risk loading coefficient. In this model, the Risk loading coefficient is set to a positive value to account for uncertainty, cover administrative costs, and ensure a profit margin. However, it is typically kept relatively low to maintain the affordability of the insurance product. To address the dependency among risks, the authors introduce a more advanced approach for insurance premium calculation. Given the total potential loss across all Transmission Companies in the energy sector, defined as

$$X=\sum _{i=1}^n{X}_i,$$

they propose determining the pure premium using Value-at-Risk (VaR). This method sets the premium as

$$P{P}_1=Va{R}_{\alpha }\left(X\right)$$

where $\alpha \in (0,1)$ represents the chosen confidence level. The key idea is to ensure that the probability of the total loss exceeding the premium remains within acceptable bounds, specifically

$$\mathbb{P}(X>P{P}_1)=\alpha .$$

Since VaR only considers the threshold beyond which extreme losses occur, the authors further propose a more conservative alternative based on Tail Value-at-Risk (TVaR). This measure accounts for the average loss in the tail beyond the VaR threshold and is given by

$$P{P}_2=TVa{R}_{\alpha }\left(X\right)={\displaystyle \frac{1}{\alpha }}{\int }_0^{\alpha }Va{R}_y\left(X\right)dy.$$

This approach provides a stronger guarantee, ensuring that the probability of losses exceeding the premium is strictly less than the confidence level $\alpha$, $\mathbb{P}(X>P{P}_2)<\alpha .$

Lin et al. (2018), in their paper, employed the extension of the expected value premium principle known as the mean–variance premium (see, for example, Olivieri and Pitacco 2015) to compute the price of the cyber insurance premium. In particular, they defined the pure premium as follows:

$$PP=\mathbb{E}\left[X\right]+{\displaystyle \frac{\delta }{2}}\mathbb{V}\left[X\right],$$

where $\delta$ is the risk aversion coefficient, and is using the random variable of the exposure risk ${\displaystyle X=\sum _{i=1}^{N}L}$ where N is the number of records breached and L is the random variable of loss. Specifically, starting from Equation (8), the pure premium is defined as

$$PP=\mathbb{E}\left[N\right]\mathbb{E}\left[L\right]+{\displaystyle \frac{\delta }{2}}({\mathbb{E}}^2\left[L\right]+\mathbb{V}\left[L\right])\mathbb{E}\left[N\right].$$

The mean–variance premium was also used by Mastroeni et al. (2019) to determine the total insurance premium for service disruptions occurring in the cloud, using three different metrics for claims: service disruption, prolonged disruption, and service time unavailability. A similar model was used by Antonio et al. (2021). In particular, authors employed the standard deviation principle to compute the insurance premium

$$PP=\mathbb{E}\left[X\right]+\delta \sqrt{\mathbb{V}\left[X\right]}.$$

The standard deviation principle differs from the mean–variance premium principle primarily in its use of the standard deviation, rather than the variance, in the pricing formula (see also Bühlmann 1970). This substitution results in a comparatively lower sensitivity to the risk associated with the underlying random variable. Specifically, Antonio et al. (2021), using this principle, found that, defining by L and R the loss and the system downtime, the random variable of the total loss X is defined as

$$X=\sum _{i=1}^N(\mu \left(L\right)+\gamma \left(R\right))$$

where N is the number of infections, $\mu$ the cost function due to infection, and $\gamma$ is the cost function corresponding to the length of time-to-repair. So, the pure premium is defined by the following equation:

$$PP=\mathbb{E}\left[\sum _{i=1}^N(\mu \left(L\right)+\gamma \left(R\right))\right]+\delta \sqrt{\mathbb{V}\left[\sum _{i=1}^N(\mu \left(L\right)+\gamma \left(R\right))\right]}.$$

In the paper by Lau et al. (2021), the authors proposed a cooperative framework for cyber insurance premium calculation, specifically applied to the power sector. The model is based on the formation of a coalition among multiple Transmission Operators that jointly share cyber risk. The premium was computed by estimating the expected economic losses resulting from cyber attacks, taking into account both cyber vulnerability and the impact on power system reliability. This was achieved through stochastic simulations that model load loss and translate it into monetary terms. The pure premium for the coalition was given by

$$P{P}_{\mathrm{coalition}}=\mathbb{E}\left[L_{agg}\right]+\lambda \sqrt{\mathbb{V}\left[L_{agg}\right]}$$

where $\mathbb{E}\left[L_{agg}\right]$ denotes the expected value of aggregated losses. The premium is then fairly allocated among the coalition members using the Shapley value, which reflects each operator’s marginal contribution to the total risk. This approach promotes risk sharing, incentivises cooperation, and enables more accurate and sustainable cyber insurance pricing for interdependent power systems. On the other hand, Mukhopadhyay et al. (2013, 2019) computed the pure premium $P{P}_i$ for insuring against each type of cyber attack, calculating it as the expected severity $\mathbb{E}\left(L_i\right)$ of each attack $L_i$, multiplied by the overhead loading $OV$, plus the standard deviation of the loss of each attack $\sqrt{\mathbb{V}\left(L_i\right)}$ multiplied by the contingency loading k

$$P{P}_i=OV·\mathbb{E}\left(L_i\right)+k\sqrt{\mathbb{V}\left(L_i\right)}.$$

Building on the mean–variance premium principle, Naldi and Mazzoccoli (2018) proposed an extended approach, which was subsequently employed by Mazzoccoli and Naldi (2020b), involving the use of higher-order moments—up to the fourth order—in the determination of pure premiums

$$PP=\mathbb{E}\left[X\right]+{\displaystyle \frac{\delta }{2}}\mathbb{V}\left[X\right]+{\displaystyle \frac{{\delta }^2}{6}}\mathbb{S}\left[X\right]{\mathbb{V}}^{3/2}\left[X\right]+{\displaystyle \frac{{\delta }^3}{24}}\mathbb{K}\left[X\right]{\mathbb{V}}^2\left[X\right]$$

where, in this case, $\delta$ is the constant absolute risk aversion coefficient defined as in Babcock et al. (1993)1:

$$\delta ={\displaystyle \frac{1}{\mathbb{E}\left[X\right]}}ln\left({\displaystyle \frac{1+2\epsilon }{1-2\epsilon }}\right)$$

where $\epsilon \in (0,{\displaystyle \frac{1}{2}})$ is the probability premium. The use of statistical moments up to the fourth order—such as skewness and kurtosis—allows for a more accurate representation of the risk distribution, especially in the presence of heavy tails or asymmetric distributions. In many cases, the fourth-order premium tends to be higher than the second-order (mean–variance) approximation, providing greater protection against extreme events. The model accounts not only for variability (second moment) but also for the shape of the risk distribution (third and fourth moments), enabling a more sophisticated pricing approach. However, higher-order moments (third and fourth) are significantly more difficult to estimate accurately, particularly when dealing with small or noisy datasets. Estimation errors in these moments can lead to distorted premium values. Moreover, the dispersion of the premium calculated using the fourth-order approximation can be substantial; in some cases, it may result in excessively high premiums that are not justified by an actual increase in risk exposure. Another pricing model was introduced by Mazzoccoli and Naldi (2020a). In particular, they defined the pure premium in a different way using the Gordon and Loeb model for the vulnerability

$$PP=kpL(1-r(1-v\left)\right)$$

where k is the premium rate coefficient, p is the attack probability, L is the loss, and v is the vulnerability described by Equations (1) and (2). As can be seen, this formulation is adaptable to any vulnerability model expressed through Equations (3)–(7). An extension of this model was used by Mazzoccoli and Naldi (2021) for a multi-branch firm under a full set of insurance liability scenarios, that is, full coverage, limited coverage, and limited coverage of the losses with deductibles. In this case, the authors used a vulnerability function

$${\displaystyle v=1-(1-p{v}_0)\prod _{i=1}^m(1-\rho v_i)}$$

where $v_0$ is the vulnerability of a firm (called principal firm or headquarters), $v_i$ is the vulnerability of the i-th firm risk-connected with the principal firm, and m is the number of risk-connected firms with the principal firm. Moreover, the model proposed by Mazzoccoli and Naldi (2020a) has also been employed in the paper by Mazzoccoli and Naldi (2022b) with the introduction of a time-dependent vulnerability function. In particular, the authors model vulnerability as following a sawtooth pattern: it increases over time within each interval $(t_{i-1},t_i)$, but is sharply reduced at the moments when investments are made, namely at times $t_1,t_2,\dots ,t_n$. During the intervals between investments, the evolution of vulnerability is described by a logistic function

$$v\left(t\right)={\displaystyle \frac{v_0}{1+e^{-\xi (t-\tau )}}}\mathrm{for}{t}_i<t<t_{i+1}.$$

Here, $v_0$ represents the maximum possible vulnerability, $\xi$ is the logistic growth rate (i.e., the steepness of the curve), and the parameter

$$\tau =t_{i+1}-{\displaystyle \frac{1}{\xi }}ln\left({\displaystyle \frac{v_0}{v\left(t_i\right)}}-1\right)$$

is determined based on the vulnerability level just after the most recent investment.

Herath and Herath (2007, 2011), to compute the insurance premium, previously described the random variable of total loss L as

$$L=\left\{\begin{array}{c}{c}_{1}ifn\le n_1\hfill \\ c_2+{\displaystyle \frac{n-n_1}{n}}{\displaystyle \frac{l}{10}}if{n}_1<n<n_2\hfill \\ c_3+{\displaystyle \frac{n-n_2}{n}}{\displaystyle \frac{l}{10}}ifn\ge n_2\hfill \end{array}\right.$$

where l is the random variable representing the economic loss, n is the random variable describing the number of computers affected, $n_1$ and $n_2$ are the lowest and highest limits of the numbers of likely computers affected, and $c_1$, $c_2$, and $c_3$ are three constants. After describing the total loss, they formulate the pure premium in the following way:

$$PP=\left\{\begin{array}{c}0ifL\le ded\hfill \\ (1-c^{\ast })(L-ded)ifd<L<d+{\displaystyle \frac{l^{\ast }}{1-c^{\ast }}}\hfill \\ l^{\ast }ifL>d+{\displaystyle \frac{l^{\ast }}{1-c^{\ast }}}\hfill \end{array}\right.$$

where $ded$ are the deductibles, $l^{\ast }$ is the limit of coverage, and $c^{\ast }$ is the coinsurance.

An outline of the main methods and models for insurance premium calculation is provided in

Table 2. Summary of the fundamental principles of cyber insurance premium calculation. X is the random variable representing the loss, and $\lambda$ is a positive real constant.

Principle	Mathematical Formulation
Expected value premium	$PP=(1+\lambda )\mathbb{E}\left[X\right]$
Mean-variance premium	$PP=\mathbb{E}\left[X\right]+{\displaystyle \frac{\lambda }{2}}\mathbb{V}\left[X\right]$
Standard deviation premium	$PP=\mathbb{E}\left[X\right]+{\displaystyle \frac{\lambda }{2}}\sqrt{\mathbb{V}}\left[X\right]$
Fourth order statistics	$PP=\mathbb{E}\left[X\right]+{\displaystyle \frac{\lambda }{2}}\mathbb{V}\left[X\right]+{\displaystyle \frac{{\lambda }^2}{6}}\mathbb{S}\left[X\right]{\mathbb{V}}^{3/2}\left[X\right]+{\displaystyle \frac{{\lambda }^3}{24}}\mathbb{K}\left[X\right]{\mathbb{V}}^2\left[X\right]$
Tail Value-at-Risk premium	$PP={\displaystyle \frac{1}{\alpha }}{\int }_0^{\alpha }Va{R}_y\left(X\right)dy.$

.

The analytical frameworks discussed here not only extend traditional approaches but also highlight the need for ongoing refinement to address emerging cyber threats and evolving market dynamics. These considerations pave the way for future research and practical applications, which we summarise in the final conclusions.

6. Conclusions

This article proposed an overview of the field of cyber insurance, focusing on the mathematical models used to measure cyber risk in terms of losses due to cyber attacks, the effects of interdependency of risk, both in a temporal or spatial dimension, and among types of breaches, on pricing and capital requirements. We started by analysing the main ways to describe cyber risks, such as key vulnerability functions and different stochastic and dynamic models that show the unique characteristics of cyber threats. Next, we gave an overview of the cyber insurance market, focusing on the regulatory issues, the characteristics of insurance products to hedge cyber risk analysed in academic literature, and the role of cyber reinsurance, and looked at the main pricing models that have been suggested in the literature for figuring out how much to charge for insurance.

Our research shows that even though modelling techniques and pricing strategies have come a long way, there are still some problems that need to be solved. Some of these are the problems with accurately measuring changing and evolving threats, managing risks that are related to each other, and dealing with the fact that insurers and insured parties do not always have the same information. Furthermore, the lack of standardised methods and data-sharing practices hinders the development of more precise pricing models and limits the overall efficiency of the cyber insurance market.

These open questions show that we need to do more research on adaptive pricing systems, better risk assessment tools, and frameworks that better incorporate new technologies like real-time monitoring and threat intelligence. It is also important to close the gap between theoretical models and real-world use to make sure that cyber insurance not only protects against financial losses but also encourages better cybersecurity practices.

Finally, we emphasise that closer collaboration between researchers, insurers, and policymakers will be crucial to overcoming these challenges and fostering the sustainable growth of the cyber insurance market as an effective risk management tool in an increasingly digital society.

Looking ahead, future research could focus on developing innovative actuarial models that better capture the unique characteristics of cyber risk, including its rapid evolution and systemic nature. Further work could also explore new forms of reinsurance structures for cyber risk, the use of advanced data analytics and artificial intelligence to enhance risk prediction, and the design of regulatory frameworks that encourage information sharing and market resilience. Such research directions would contribute to making cyber insurance a more robust and adaptive instrument for managing the complex and ever-changing landscape of cyber threats.