Cyber Insurance Risk: Reporting Delays, Third-Party Cyber Events, and Changes in Reporting Propensity -- An Analysis Using Data Breaches Published by U.S. State Attorneys General

With the rise of cyber threats, cyber insurance is becoming an important consideration for businesses. However, research on cyber insurance risk has so far been hindered by the general lack of data, as well as limitations underlying what limited data are available publicly. Specifically and of particular importance to cyber insurance modelling, limitations arising from lack of information regarding (i) delays in reporting, (ii) all businesses affected by third-party events, and (iii) changes in reporting propensity. In this paper, we fill this important gap by utilising an underrecognised set of public data provided by U.S. state Attorneys General, and provide new insights on the true scale of cyber insurance risk. These data are collected based on mandatory reporting requirements of data breaches, and contain substantial and detailed information. We further discuss extensively the associated implications of our findings for cyber insurance pricing, reserving, underwriting, and experience monitoring.