Unraveling heterogeneity in cyber risks using quantile regressions. (English) Zbl 07525959

Summary: We consider quantile regressions for adequate cyber-insurance pricing across heterogeneous policyholders and calculation of claims cost associated with data breach events. We show that the impact of a firm’s revenue is stronger (weaker) in the lower (upper) quantile of the cost distribution. This result suggests that mispricing may occur if small and large firms are priced using the average effect estimated by the traditional least squares approach. Using a novel dataset, our study is the first to take firm-specific security information into account. We find that firms with weaker security levels than the industry average are more likely to be exposed to large-cost events. Regarding data breaches, small or mid-size loss events are related to higher cost per breached record. We compare the premiums of a quantile-based insurance pricing scheme with those of a two-part generalized linear model and the Tweedie model to explore the usefulness of the quantile-based model in addressing heterogeneous effects of firm size. Our findings provide useful implications for cyber insurers and policymakers who wish to assess the impacts of firm-specific factors in pricing insurance and to estimate the cost of claims.


91G05 Actuarial mathematics
62P05 Applications of statistics to actuarial sciences and financial mathematics
62G08 Nonparametric regression and quantile regression

