With the rise of cyber threats, cyber insurance is becoming an important consideration for businesses. However, research on cyber insurance risk has so far been hindered by a general lack of data, as well as by the limitations of what little data are publicly available. Specifically, and of particular importance to cyber insurance modelling, these limitations arise from a lack of information regarding (i) delays in reporting, (ii) all businesses affected by third-party events, and (iii) changes in reporting propensity. In this paper, we fill this important gap by utilising an underrecognised set of public data provided by U.S. state Attorneys General, and provide new insights on the true scale of cyber insurance risk. These data are collected based on mandatory reporting requirements of data breaches, and contain substantial and detailed information. We further discuss extensively the associated implications of our findings for cyber insurance pricing, reserving, underwriting, and experience monitoring.