Risk mitigation services in cyber insurance: optimal contract design and price structure

Gabriela Zeller, Matthias Scherer

Research output: Contribution to journal › Article › peer-review


As the cyber insurance market is expanding and cyber insurance policies continue to mature, the potential of including pre-incident and post-incident services into cyber policies is being recognised by insurers and insurance buyers. This work addresses the question of how such services should be priced from the insurer’s viewpoint, i.e. under which conditions it is rational for a profit-maximising, risk-neutral or risk-averse insurer to share the costs of providing risk mitigation services. The interaction between insurance buyer and seller is modelled as a Stackelberg game, where both parties use distortion risk measures to model their individual risk aversion. After linking the notions of pre-incident and post-incident services to the concepts of self-protection and self-insurance, we show that when pricing a single contract, the insurer would always shift the full cost of self-protection services to the insured; however, this does not generally hold for the pricing of self-insurance services or when taking a portfolio viewpoint. We illustrate the latter statement using toy examples of risks with dependence mechanisms representative in the cyber context.

Original language: English
Pages (from-to): 502-547
Number of pages: 46
Journal: Geneva Papers on Risk and Insurance: Issues and Practice
Issue number: 2
State: Published - Apr 2023


  • Coherent risk measures
  • Cyber assistance
  • Cyber insurance
  • Cyber risk
  • Prevention
  • Self-insurance
  • Self-protection
  • Stackelberg game

