How Cyber Insurance Shapes Incident Response: A Mixed Methods Study
Cyber insurance policies commonly indemnify the cost of incident response services. This creates a multi-layered economic problem in that the policyholder hiring external firms incurs transaction costs and the insurer paying the bill creates a principal-agent problem. We adopted a multi-stage research design to understand how insurers address the problem. First, we iteratively derived 12 stylised facts from 29 expert interviews and a sample of 480 partnerships with incident response firms made by 24 insurers. Second, we validated these facts via a workshop attended by 61 unique participants. The results show insurers have created a private ordering by controlling which firms are selected, negotiating prices ahead of time, and punishing low service quality by withholding future work. A minority of firms win the majority of work, thereby building trust through repeated interactions. We discuss how the findings relate to the economics of incident response, cyber insurance as governance, and ransomware.