Abstract

The adoption of digital technology creates the potential for new harms. Given that risk prevention solutions are imperfect, individuals may wish to transfer digital risk to an insurer. It is unclear whether existing insurance policies cover these harms, or whether specialized consumer cyber insurance products are available. We address this research gap by conducting a content analysis of 50 insurance policies, 32 in the USA and 18 in the UK. Our analysis of 26 home insurance policies reveals that insurers typically exclude digital perils (losses caused by computer viruses, hacking, or cyber attacks), but include coverage for digital assets (devices and downloaded data) impacted by conventional perils. A minority of home insurance policies affirmatively cover digital perils such as identity theft and social media defamation. Our analysis of 24 consumer cyber insurance products identifies 6 core perils that are generally covered: cyber attack, data breach, ransomware, online fraud, cyberbullying, and identity theft. Finally, pricing information from 21 policies reveals that specialist cyber policies typically cost between $20 and $150. One insurer’s actuarial calculations suggest that the expected losses range from $2 (online fraud) to $9 (computer attack). These findings can help users form strategies to manage digital risk.

Introduction

Individuals are exposed to harmful digital events, including corporate data breaches [1], ransomware [2], unlawful tracking [3], identity theft [4] and other online frauds [5], toxic content [6], Denial of Service (DoS) attacks [7], and more. Typical advice about how to manage this risk revolves around raising awareness and implementing technical processes [8,9]. However, it is widely acknowledged that these practices are rarely 100% effective in preventing digital harm [10]. This motivates strategies aimed at responding to digital incidents.

Insurance represents one such solution. In exchange for a premium, insurers promise to pay costs resulting from events covered by the policy, which is known as an indemnity payment [11]. This helps policyholders to smooth the financial impact of adverse events. In some cases, insurers go further by providing services intended to reduce the frequency and size of the policyholder losses [12]. However, legacy policies were designed before the advent of digital technologies, which raises the possibility of a coverage gap.

In corporate insurance, insurers have tried to exclude cyber coverage from traditional products [13–15]. This involved fighting costly court battles to exclude “cyber-related losses from their other [traditional] coverage” [16]. To meet this coverage gap, a specialist cyber insurance product emerged covering losses from data breaches, ransomware, business email compromise, and DoS attacks [17].

Less is known about whether digital harms suffered by individuals (as opposed to organizations) are covered by traditional insurance products or whether they can purchase specialist digital insurance products [18]. Isolated reports suggest that there are consumer products available that cover specific digital harms such as identity theft [19], cyberbullying [20], and crypto wallet theft [21]. But there is no comprehensive study of digital products or analysis of coverage in traditional policies.

This matters because corporate coverage does not directly translate to the personal context. Individuals are not typically considered data custodians as they do not maintain databases of personal data. Studies of interdependent privacy call this assumption into question [22]. However, they typically center on decisions such as sharing genetic information, which impacts relatives, or enabling a smart device that collects data about friends and family [23] rather than data breaches.

Another difference is that businesses can use accounting data to quantify the impact of ransomware in terms of lost income. However, individuals have no equivalent way of quantifying the time lost to a ransomware or fraud incident, given the response is taken out of the individual’s free time. It is even more challenging to quantify indemnity payments for the impact of lost privacy or emotional distress [24].

We study coverage in consumer insurance policies from the USA and UK. We collect home insurance policies (11 USA and 15 UK) and consumer cyber insurance policies (21 USA and 3 UK), plus pricing data for the US policies. Our qualitative analysis asks the following:

  • RQ1 How does home insurance cover digital harm?

  • RQ2 What is covered by consumer cyber insurance?

  • RQ3 How is consumer cyber insurance priced?

The main contributions of our paper are as follows:

  • RQ1 Typically, US home insurance policies cover damage to digital assets such as hardware and downloaded data. US policies are silent on whether the policy covers losses due to digital perils such as cyber attacks or viruses, whereas the majority of UK policies exclude these digital perils. Surprisingly, 30% of the home insurance policies cover identity theft and a handful cover social media defamation.

  • RQ2 All cyber insurance policies cover losses due to cyber attack, extortion, and online fraud, while the majority cover identity theft, data breach, and cyberbullying. This includes coverage for specific costs such as data recovery and system restoration, ransomware payments, financial fraud losses, lost wages and care costs incurred responding to incidents, and even mental health counseling.

  • RQ3 The median price of cyber insurance is $99 per year, rising to $4375 for the most expensive policy. Price differences are driven by the limit (maximum payout), which is typically $25k–$100k up to a maximum of $2m. There is no evidence of discounts for users with controls such as antivirus, Multi-Factor Authentication, and so on.

Our study can inform user strategies for managing digital risk. It motivates future work exploring how users perceive digital insurance and the potential for coverage gaps, especially for at-risk users who face different threats.

The “Background” section provides a primer on insurance. The “Related work” section identifies relevant academic studies. The “Methods” section describes our approach to data collection and analysis. The “Results” section presents the results of our analysis of home and cyber insurance policies. The “Discussion” section discusses the outlook for users and the insurance industry. The “Conclusion” section presents our conclusion.

Background

The core function of insurance is smoothing financial risk over time [11]. In exchange for a guaranteed cost (the insurance premium paid to the insurer), the insured receives the promise of an indemnity payment if a covered loss occurs in the policy term. The insurer may also provide free or subsidized risk reduction services, both pre- and post-loss [11]. Table 1 defines key terminology. For the purposes of our study, the two most important concepts are pricing and coverage. Coverage captures which losses qualify for payment and the size of the indemnity payment to the insured, whereas pricing determines how much the insured pays to the insurer. We do not address other insurance tasks such as marketing to customers, providing accurate advice, resolving claims disputes, ensuring the insurer has enough funds to pay claims, investing premiums, and so on [11].

Table 1. Insurance terminology.

| Term | Definition |
| --- | --- |
| Policy | The legal document describing the insurance product |
| Premium | The cost of insurance to the policyholder |
| Peril | An event that caused the loss |
| Exclusion | A peril or cost that is not covered by the policy |
| Claim | An insured’s request for payment under the policy |
| Deductible | The first part of the claim that is paid by the insured |
| Limit | The maximum payment, minus the deductible, under the policy from the insurer |
| Sublimit | The maximum payment related to specific costs or perils |
| Indemnity | Sum of money paid to insured following a successful claim |

Insurance coverage is described in the policy document, a legal contract with multiple components, including a list of defined terms. A policy document will typically specify whether it covers specific perils, which are causes of loss such as fire or theft in conventional policies. For each peril, it may further define specific costs—the specific harms—that are covered such as fire damage or replacing certain assets. The term costs may be replaced by injuries (in life and medical insurance) or damages (in litigation cover). Sometimes this includes specific items, but it may also be a generic term such as “reasonable costs”. Finally, the policy will include exclusions, which are costs or perils that are explicitly not covered by the policy. A claim will describe actual costs incurred by the policyholder that were caused by (possibly multiple) perils.

In addition to the yes–no question of whether a specific claim is covered by the policy, the policy determines how much can be paid via (sub)limits and deductibles. The limit is the maximum payout under the policy, while the deductible is the first part of the loss that is paid by the insured and is subtracted from the limit. Sublimits establish a maximum payment related to specific costs or perils. For example, a home insurance policy might cover up to $1m in property damage costs, but apply a $5k sublimit to currency losses. This means that if the insured lost $500 000 of cash in a robbery, the policy would pay a maximum of $5000 for this cost. This can limit insurance fraud, in which an accomplice takes the cash and the insured is compensated for the loss, thereby doubling the money held by the pair.
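The interaction of exclusions, sublimits, the limit, and the deductible described above can be worked through in code. This is an added example, not taken from any policy in the study; the order of operations (sublimits first, then the limit, then a single per-claim deductible), the $1,000 deductible, the "computer virus" exclusion on this sample policy, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    limit: float                                    # maximum payout before the deductible is subtracted
    deductible: float = 0.0                         # first part of the loss, borne by the insured
    sublimits: dict = field(default_factory=dict)   # cost category -> cap for that cost
    exclusions: set = field(default_factory=set)    # perils the policy does not cover


@dataclass
class Settlement:
    payout: float      # indemnity paid by the insurer
    retained: float    # part of the loss left with the insured
    covered: dict      # per-category amount after sublimits


def settle_claim(policy: Policy, peril: str, costs: dict) -> Settlement:
    """Settle one claim: `costs` maps cost category -> amount actually lost."""
    total_loss = float(sum(costs.values()))

    # Step 1: the yes/no question. An excluded peril pays nothing at all.
    if peril in policy.exclusions:
        return Settlement(0.0, total_loss, {c: 0.0 for c in costs})

    # Step 2: cap each cost category at its sublimit (no sublimit = uncapped).
    covered = {
        category: float(min(amount, policy.sublimits.get(category, float("inf"))))
        for category, amount in costs.items()
    }

    # Step 3: cap the sum at the policy limit, then subtract the deductible.
    # The most the insurer can ever pay is therefore limit - deductible.
    capped = min(sum(covered.values()), policy.limit)
    payout = max(0.0, capped - policy.deductible)
    return Settlement(payout, total_loss - payout, covered)


# Constructed policy matching the example in the text: $1m limit and a $5k
# sublimit on currency. The deductible and the exclusion are assumed values.
HOME = Policy(
    limit=1_000_000,
    deductible=1_000,
    sublimits={"currency": 5_000},
    exclusions={"computer virus"},
)

if __name__ == "__main__":
    scenarios = [
        ("robbery", {"currency": 500_000}),
        ("robbery", {"property damage": 20_000, "currency": 500_000}),
        ("fire", {"property damage": 1_200_000}),
        ("computer virus", {"property damage": 3_000}),
    ]
    for peril, costs in scenarios:
        result = settle_claim(HOME, peril, costs)
        print(f"{peril:15} loss={sum(costs.values()):>9,} "
              f"payout={result.payout:>11,.0f} retained={result.retained:>11,.0f}")
```

The `retained` field is the figure a policyholder should look at: for the cash robbery it is almost the whole loss, which is how a small sublimit can behave like an exclusion.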

Turning to pricing, the premium is determined by the type and amount of coverage, as well as the insured’s characteristics. Some insurers will price each peril separately and allow the insured to select which perils are covered. Higher limits increase the cost of the policy, whereas higher deductibles decrease the cost of the policy (as the insured pays a greater share of the loss). Finally, the insurer may change price based on the insured’s characteristics, such as charging older individuals more for medical insurance, and even the insured’s behavior, such as offering discounts on property insurance if fire sprinklers are installed [11].

Related work

Our interest in digital risk insurance is motivated by the emergence of diverse digital harms, including toxic content on social networks [6], personal identity theft [4], DoS attacks [7], consumer ransomware [2], crypto frauds such as fake initial coin offerings [5], and domestic abuse facilitated by Internet of Things devices [25]. Typically, researchers, especially computer scientists, study technologies and policies designed to reduce the prevalence of digital harm. For example, one could design an algorithm that detects and blocks toxic content before individuals are exposed to it. A different approach is to transfer the consequences of digital harm to a third party.

Corporate cyber insurance is the most common product, which led to multiple literature surveys [26–30]. The early years of study focused on theoretical models [26], which involved modeling how insurers might incentivize security levels by offering price discounts for adopting security controls [31–35]. Yet empirical research revealed that cyber insurance had little impact on preventative controls and more impact on incident response [36–38]. This mismatch between early theoretical models and empirical reality motivates our study, which establishes descriptive facts about consumer insurance that can inform theory.

Empirical studies of cyber insurance deploy various qualitative methods. Some studies established relationships with practitioners and/or insurance firms, which allows for expert interviews [38–41] and analysis of proprietary data such as claims reports [42]. However, these relationships are difficult to set up as insurers are time-constrained and have a commercial interest in painting the industry in a positive light, which may limit the questions that can be asked.

This problem is avoided by studies that collect data from open-access sources (our approach). Many studies extract data from a regulatory database in the USA, namely System for Electronic Rates and Forms Filing (SERFF) [17,43–45]. The SERFF database provides access to documents—policy wordings, application forms, and even pricing algorithms—that were submitted to a regulator. This creates reliable metadata (e.g. submission date) and also information about pricing schemes. However, all non-US policies and some US policies are not found in SERFF.

The Web provides an alternative data source as many cyber insurance policies and application forms can be downloaded from search engines [46]. Another option is to search insurers’ websites to understand product offerings and also any partner firms [47]. Our study collects data from all three sources (search engines, the SERFF database, and insurer websites).

Alternative digital insurance products. A 2023 systematic literature review revealed a “paucity” of research into personal cyber insurance [18]. Anat considers insurance covering artificial intelligence liability without identifying a commercially available product [48]. Kshetri and Voas [20] brought academic attention to cyberbullying coverage in a paragraph without a single reference. Zuckerman [49] used press releases and media reports to document the emergence of crypto-asset insurance, but did not study an actual policy.

Turning to studies of personal cyber insurance, Schutz et al. [50] studied personal cyber insurance policies in Germany, Austria and Switzerland. The authors find that policies cover first- and third-party costs, as well as legal and IT assistance services. Further, “online shopping fraud, identity theft, [and] reputational damage” are mainly covered in the standalone policies. Meanwhile, home insurance policies cover data recovery and identity abuse [50]. An empirical study of 34 personal identity insurance products explored coverage and pricing [19]. The results show that these products are relatively standardized in covering the costs of responding to identity theft and typically cost around $10 per year. However, the author explains the study only “used a small number of search terms” and recommends broadening this search in future work [19].

We meet this call for future research by studying digital insurance products that cover privacy, security, and safety harms. We also study whether traditional consumer insurance products cover digital harms. Finally, we also probe the validity of our coverage analysis via intercoder reliability, which was not done in prior work.

Methods

Our aim for RQ1 and RQ2 was to understand what digital coverage is provided. Given the lack of prior work, we adopted an exploratory approach with two stages of analysis. The first stage involved inductive in vivo coding to identify key terms from the policies. These terms were then grouped into more generic themes. The second stage involved deductively coding whether each theme was covered by each policy, which enables comparison across policies even when they use different terms for the same coverage. Our analysis of pricing for RQ3 involved reporting summary statistics, which could be directly extracted due to the clarity and simplicity of the pricing schemes.

The “Data collection” section explains how we collected insurance policies and pricing data. The “Data analysis” section describes the qualitative methods used for data analysis. The “Validation” section presents the results of a validation exercise for our coverage analysis.

Data collection

To collect home and cyber insurance products across the USA and UK, we used multiple data sources (see Fig. 1). Across the various data sources, we identified 24 cyber insurance policies (21 in the USA and 3 in the UK), and 26 home insurance policies (11 in the USA and 15 in the UK). We exhaustively collected cyber policies because the sample was feasible to analyze, unlike an exhaustive search of home insurance policies.

Alt text: The US Cyber insurance policies were collected as follows: 10 from a narrow SERFF search, 4 from insurer websites, 2 from a search engine, and 5 from a broad SERFF search. All 11 US home insurance policies were collected from a California database. For the UK Cyber policies, 2 were collected via a search engine and 1 from an insurer's website. For UK Home insurance policies, 12 were collected from the insurer website and 3 from a search engine.
Figure 1.

Our sample of cyber and home insurance policies was collected from a range of data sources, including dedicated regulatory databases (SERFF and Cali DB), the insurers’ websites, and Web search engines.

For the USA, we collected policies from regulatory databases, as these policies are typically approved by a regulator and consumers are more likely to buy such policies. An additional benefit is that we can access pricing information for these policies. There is no UK equivalent of the US regulatory databases. Instead, we collected UK policies from the insurers’ websites and/or Web search engine results.

We stopped collecting cyber policies when we had checked all search results. Policies outside our sample are also likely to be difficult for consumers to find. Further justification for stopping data collection is that our thematic analysis (described in the “Data analysis” section) reached saturation [51,52]. We stopped collecting home insurance policies when we had searched for the policies of the largest insurers according to public lists. The following describes our search strategy for each product and market.

Cyber insurance policies

We collected cyber insurance policies from the SERFF database, which provides access to documents submitted to US state regulators. The circumstances in which filing/submission is required and whether the documents are later uploaded are complex [17]. Regulated/admitted policies bring benefits—the state guarantees payment of claims if the insurer fails, and there are appeal procedures that are favorable to the policyholders. However, nonadmitted insurance allows insurers to innovate because policy wording/pricing can be changed without seeking re-approval, with some modifications on a policy-by-policy basis. Nonadmitted policies typically incur higher fees and taxes. We anticipate that most consumer cyber insurance policies are sold as admitted products because consumers value regulatory oversight and efficiency over flexibility. This hypothesis is supported in that we only found two cyber insurance policies for which no admitted filing could be found.

We focused on the four largest states, namely California, New York, Pennsylvania, and Texas. Insurers who offer policies in multiple states were selected only once. This follows prior work on corporate cyber insurance [17,43,44].

Our first method (SERFF narrow in Fig. 1) involved searching each state’s SERFF database for property and casualty products with keywords “cyber”, “personal cyber”, “individual cyber”, and “consumer cyber”. We only collected policies that were approved by the regulator. We also had to check whether the products were marketed to individuals or firms, only selecting consumer policies. This strategy led to few results because the majority of cyber insurance policies are offered as an optional coverage added to a home insurance policy without a standalone regulatory filing.

The second search method was to manually check the websites of the largest property and casualty insurers in the USA [53]. The third method used the same keywords as the first strategy, but inputted them into a Web search engine. If we identified a policy by either method, we collected company name, product name, URL, and NAIC. We then searched the SERFF database for the identified policy. This resulted in a further six policies.

The final search method (SERFF broad) was the most time-consuming. For example, searching SERFF California for property and casualty products that contain the word “cyber” returns about 900 results, most of which are for corporate cyber insurance. Only 11 results are of subtype “04.0 Homeowners Sub-TOI Combinations”, which is the category under which most of the personal cyber insurance policies fall. Similarly, only five rows belong to the insurance type “09.0 Inland Marine Sub-TOI Combinations”, under which two policies fall. Using this specific search method, we found no result under the type “17.1 Other Liability-Occ Only”. All the other results fall under insurance subtypes such as “0.1 Commercial Property”, “0.50002 Businessowners”, and “17.2019 Professional Errors and Omissions Liability”, whose end customer cannot be an individual but rather a company.

We searched traditional insurance products that we had previously found consumer cyber insurance under (e.g. 04.0 Homeowners, 09.0 Inland Marine, and 17.1 Other Liability-Occ Only). For the filings under these lines of insurance, we searched for the keyword “cyber” in all accepted documentation (e.g. form, rate and rule, and explanatory memorandum). This resulted in another five policies.

There is no equivalent of the SERFF database in the UK. Instead, we used search engines and the insurers’ websites. We identified 52 unique insurers operating in the UK by combining different lists. We used the lists produced by the Insurance Times, Statista, Money Facts, and Property Casualty 360. For each insurer, we used a Web search engine with the prompt site: “company website” “search term” with terms “personal cyber insurance”, “smart device”, and “card fraud”. We inputted the same search terms into each company’s website if the website offered a search function. We identified just three specialist cyber policies.

Home insurance policies

For home insurance, we only tried to collect policies from the largest insurers. We stopped collecting home insurance policies when we had a sample of the largest insurers, acknowledging that this is far from an exhaustive search. The population of home insurance policies is huge because most mortgage providers require the home owner to take out insurance. Further, the home insurance market is more developed compared to cyber insurance.

For the USA, we identified the top 25 insurance groups and companies by countrywide premium (2022) according to the National Association of Insurance Commissioners. For each company, we then searched the website of the California Department of Insurance, which collects home insurance products offered in the state of California by these companies. We focused on California because it is the largest US state and there is no reason why cyber coverage would vary across states. We identified 11 US home insurance policies and selected the most comprehensive. For the UK, we used the same search strategy and downloaded the most comprehensive home insurance policy that was available. This resulted in a sample of 15 UK home insurance policies.

Data analysis

The data collection resulted in three distinct types of documents: home insurance policies, cyber insurance policies, and cyber insurance pricing schemes and actuarial justifications (USA only). We describe how we analyzed each in the following subsections.

Home insurance policies (RQ1)

We needed to identify whether digital perils or digital assets were covered under traditional home insurance policies. To do this, we first read the policies to identify the flow and scope of the document. We focused on identifying specific terms associated with the digital world. We did not code the rest of the policy because the vast majority (95%+) of the data would not speak to our research questions. A comprehensive analysis of home insurance policies can be found in legal scholarship [54,55].

First, we inductively identified relevant language using an in vivo approach in which we extracted terms from the policies. This led to a list of words or phrases that were linked to the digital world. This included various cyber perils (e.g. hacking, ransomware, and virus) and cyber assets (e.g. smart device, smart home system, and downloaded data). We avoided expansive interpretations of assets that have digital versions. For example, the term “locks” was not considered to be digital even though smart locks exist. Second, we grouped the terms into themes if the terms had the same meaning. For example, “virus” and “computer virus” were considered to be a part of the same category. This resulted in 13 themes, 8 for perils and 5 for assets.

We constructed a codebook that described how data should be classified into included, excluded, ambiguous, and silent. Due to the complexity of insurance policies, the codebook also defined additional rules that were set while coding the data, such as “no segregation is made between personal computer and business computer for the purpose of this research”.

Cyber insurance policies (RQ2)

We followed the process proposed by Elo et al. [56] and Saldaña [57], which was also applied in the context of corporate cyber insurance [17]. Our aim was to inductively create themes related to specific coverage. We then conducted a deductive analysis to determine whether each policy contained the themes.

First, we read the policy to gain familiarity and understand the high-level structure of the document. Second, we extracted units of analysis in the form of covered perils and definitions. This took advantage of the modular structure of legal contracts, in which these units were often collected together in a single section.

Third, we used an in vivo approach, in which we tried to adhere to terminology from the documents. We had to create novel themes to group together those items that could not be classified into existing themes. This was an iterative process using subthemes [58]. For example, we extracted the term “Transfer of Funds” from USCIP#12, which was initially coded as “Fraud and Cyber Crime” but later updated to the subtheme “Deceptive Funds Transfer”, which belongs to the final theme “Online Fraud”.

Fourth, we classified the units of analysis into the final themes. The codebook identified a set of keywords associated with each theme to help this process. For example, privacy breach, security breach, and data breach are all part of the Data Breach theme, whereas data recovery costs and system restoration costs belong to Cyber Attack. The themes related to perils covered by the policy, and subthemes related to services and other costs covered under each peril. Due to the timing of data collection, we analyzed the UK policies with the final themes created based on the US data.

Pricing schemes and justifications (RQ3)

For the US market, we collected 19 rate/rule files (pricing schemes) and 17 explanatory memoranda. From the pricing schemes, we extracted how prices varied with the coverage, deductible, and limit. We did not systematically analyze details such as sublimits that are difficult to summarize. Finally, we quote from the explanatory memorandum, which is used to communicate changes in the insurance rate or explain the pricing decision process for legal purposes.

Validation

To probe validity, we had a second coder analyze all of the cyber insurance policies and six UK/US home insurance policies that were picked at random. Secondary analysis of all home insurance was not an efficient use of the researchers’ time because home insurance policies are typically 50+ pages with just one or two clauses related to the digital world. To quantify agreement, we calculated statistics for each theme because the themes were not mutually exclusive as one policy could include/exclude multiple themes.

For US cyber insurance policies, the two coders agreed on 98.4% of classifications (included versus not) regarding high-level perils. If a peril was included, the agreement on which subthemes were covered under each peril ranged from 87% to 96% depending on the peril. For the UK cyber insurance policies, agreement was 100% on the high-level themes and 83% for sub-themes.

For home insurance, the two coders agreed on 92.9% (USA) and 94.87% (UK) of classifications for the coverage themes. This classification contained more information than for cyber insurance because there were four potential classifications (e.g. included, excluded, ambiguous, or silent). There were no subthemes for the home insurance analysis.
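The per-theme agreement statistic described in this section can be computed as follows. This is an added example, not the authors' analysis code: the policy identifiers, themes, and both coders' labels are constructed, and it goes beyond the percentages reported above by also computing Cohen's kappa, which corrects raw agreement for agreement expected by chance.

```python
from collections import Counter

# The four classifications used for home insurance coverage themes.
LABELS = ("included", "excluded", "ambiguous", "silent")

# Constructed codings for six hypothetical home policies: policy -> theme -> label.
CODER_A = {
    "HIP-A": {"computer virus": "excluded", "identity theft": "silent", "downloaded data": "included"},
    "HIP-B": {"computer virus": "excluded", "identity theft": "included", "downloaded data": "included"},
    "HIP-C": {"computer virus": "silent", "identity theft": "silent", "downloaded data": "included"},
    "HIP-D": {"computer virus": "excluded", "identity theft": "silent", "downloaded data": "ambiguous"},
    "HIP-E": {"computer virus": "silent", "identity theft": "included", "downloaded data": "included"},
    "HIP-F": {"computer virus": "excluded", "identity theft": "silent", "downloaded data": "silent"},
}
# The second coder disagrees on two cells (HIP-C virus, HIP-D downloaded data).
CODER_B = {policy: dict(codes) for policy, codes in CODER_A.items()}
CODER_B["HIP-C"]["computer virus"] = "ambiguous"
CODER_B["HIP-D"]["downloaded data"] = "included"


def paired_labels(a, b, theme):
    """Collect (coder A label, coder B label) for every policy both coders coded."""
    pairs = []
    for policy in sorted(a):
        if policy in b and theme in a[policy] and theme in b[policy]:
            pair = (a[policy][theme], b[policy][theme])
            if any(label not in LABELS for label in pair):
                raise ValueError(f"unknown label for {policy}/{theme}: {pair}")
            pairs.append(pair)
    if not pairs:
        raise ValueError(f"no policy was coded by both coders for theme {theme!r}")
    return pairs


def percent_agreement(pairs):
    return sum(x == y for x, y in pairs) / len(pairs)


def cohen_kappa(pairs):
    """Chance-corrected agreement; None when it is undefined (expected agreement of 1)."""
    n = len(pairs)
    observed = percent_agreement(pairs)
    count_a = Counter(x for x, _ in pairs)
    count_b = Counter(y for _, y in pairs)
    expected = sum(count_a[label] * count_b[label] for label in LABELS) / (n * n)
    if expected == 1.0:
        return None
    return (observed - expected) / (1 - expected)


def agreement_report(a, b):
    """Return (per-theme statistics, overall percent agreement).

    Themes are scored separately because they are not mutually exclusive:
    one policy carries a label for every theme.
    """
    themes = sorted({theme for codes in a.values() for theme in codes})
    per_theme, all_pairs = {}, []
    for theme in themes:
        pairs = paired_labels(a, b, theme)
        all_pairs.extend(pairs)
        per_theme[theme] = {
            "n": len(pairs),
            "agreement": percent_agreement(pairs),
            "kappa": cohen_kappa(pairs),
        }
    return per_theme, percent_agreement(all_pairs)


if __name__ == "__main__":
    per_theme, overall = agreement_report(CODER_A, CODER_B)
    for theme, stats in per_theme.items():
        print(f"{theme:16} n={stats['n']} agreement={stats['agreement']:.1%} kappa={stats['kappa']:.2f}")
    print(f"overall agreement={overall:.1%}")
```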

Results

The “Silent cyber and home insurance” section probes whether home insurance policies cover, exclude, or are silent on cyber risk. The “Cyber insurance coverage” section presents results about what is covered by personal cyber insurance. The “Cyber insurance pricing” section analyzes how the US policies are priced. We provide a limited analysis of exclusions in the Appendix.

Silent cyber and home insurance

We identified 12 distinct digital coverage categories in home insurance policies. These can be divided into eight digital perils—an insurance term denoting the event or cause of damage—and four types of digital asset—the object that is damaged. Our analysis determines whether each was included or excluded. We were forced to introduce the ambiguous category when this could not be determined. Finally, a policy is said to be silent about a specific category if it was not mentioned.

Digital assets

Across both the USA and UK, damage to digital assets caused by conventional perils is rarely excluded (see Fig. 2). One such example is a fire or flood causing damage to a laptop. Damage under this scenario would fall under the computer/mobile equipment category, which was the most commonly included category in the UK. All but one policy in the UK affirmatively covered this, and only one US policy excluded it.

Alt text: All home policies are silent on cyber bullying. US policies are mostly silent on covering viruses, cyber attacks, cyber extortion and hacking. Meanwhile, most UK home policies affirmatively exclude viruses, and a minority exclude hacking and cyber attacks. In contrast, both US and UK home insurance policies include downloaded data and computer systems. A minority of US and UK home policies also include coverage for identity theft.
Figure 2.

The percentage of home insurance policies that affirmatively include/exclude digital coverage or are ambiguous/silent.

The vast majority of policies were silent on coverage for smart homes and systems. Three UK and one US home insurance policy explicitly included this. However, one policy (UKHIP#4) excluded such costs:

“We will not cover: Repairing or replacing a faulty or non-functional smart device. You should contact your chosen smart device installer.”

It was unclear whether the peril is relevant, e.g. whether nonfunctionality was caused by a malicious cyber attack or just normal wear and tear. Moving away from coverage categories associated with hardware, the majority of policies cover data downloaded onto that equipment, e.g.:

“We’ll pay claims for the cost of replacing any files you or your family have legally downloaded and that can’t be recovered. For example, music or films. You must have a receipt for them.” UKHIP#2

The policies often excluded the cost of replacing proprietary software, such as UKHIP#6, which excluded “loss or damage to computer software”. Similarly, USHIP#6 excludes “Business data”, including that stored as “papers records”.

Finally, the majority of policies are silent on coverage for cryptocurrency losses. Two UK and one US policy explicitly exclude coverage for cryptocurrency losses. For example, USHIP#1 does not cover “electronic currency, digital currency, virtual currency, crypto-currency, and other similar mediums of exchange”. Interestingly, USHIP#3 includes the following:

“$150 limit on money; cashiers’ checks; currency, or any type of currency proxy, like bitcoin or crypto-currency; gift certificates or cards, stored value card”.

Although this counts as an inclusion in our codebook, the size of the sublimit (just $150) effectively functions as an exclusion.

Digital perils

A digital peril occurs when a logical command or action associated with a computer system is the cause [59], which may cause harm to a conventional asset or a digital asset. There was a strong divergence between the UK and US policies with respect to digital perils. For example, 12 of the 15 UK home insurance policies excluded losses caused by a computer virus, whereas this term was not used in a single US home insurance policy. UKHIP#8 defines a virus as follows:

“A program or piece of code that is often capable of copying itself and that causes damage to systems or data.”

A handful of UK policies also excluded coverage related to Cyber Attack and Hacking. HIP#15 included the following general exclusion:

“loss or damage to your computer or smart devices, e.g. tablets, smart phones, smart televisions, caused by hacking or computer viruses.” HIP#15

US home insurance policies were typically silent on how they would respond to a cyber attack. However, USHIP#4 included the following exclusion:

“Malfunction or Failure of Software or a Computer System... whether or not a result of error or malicious activities.”

Digital perils were not always excluded. For example, the peril Identity Theft was affirmatively included in four UK policies and four US policies. UKHIP#15 was interesting as it offered an identity fraud assistance hotline; however, they state that “this service doesn’t cover any financial loss or costs you may incur”, which we counted as an exclusion. They defined identity theft as follows:

“The theft or unauthorised use of your personal identification which has resulted in the unlawful use of your identity.” UKHIP#15

As discussed earlier, identity theft coverage is available as a specialist product in the USA [19].

In addition to coverage for identity theft, UKHIP#8 and UKHIP#9 included coverage for social media defamation. This covered the cost of writing two letters “following defamatory comments made about You through a social media website”. One letter is sent to the publisher and the second to the author. USHIP#4 includes coverage for personal injuries caused by a number of clauses, including the following:

“Oral, written or electronic publication of material that slanders or libels a person”.

This suggests that insurers believe online abuse can inflict a form of injury. However, it should be noted that none of the home insurance policies used the term cyberbullying, which is a common coverage item in specialist cyber policies (see “Cyber insurance coverage” section).

UKHIP#8 was an outlier. Instead of excluding cyber perils, UKHIP#8 included coverage for cyber attack defined as follows:

“Malicious deletion, corruption, unauthorised access to, or theft of data; or damage or disruption caused by a computer virus, hacking or denial of service attack, affecting your home systems.”

The policy also covers ransomware attacks. In this way, UKHIP#8 was unique in affirmatively providing cyber insurance coverage as part of a home insurance policy.

Summary

Home insurance policies varied regarding inclusions and exclusions related to digital harm. The typical US and UK policies include damage to digital assets such as hardware and downloaded data (but not software). However, there is a US–UK difference in that most UK policies affirmatively exclude digital perils such as computer viruses and hacking, whereas US policies are typically silent on this. This suggests that home insurers are typically comfortable covering digital assets from conventional perils such as fire and flood, but not covering losses from digital threats.

Exceptions did, however, exist. Eight policies affirmatively covered digital perils such as identity theft and online defamation. This highlights another direction in which home insurance simply absorbs novel digital perils, and specialist cyber insurance has no place. However, this was not the mainstream approach, which motivates the following section exploring specialist cyber insurance for consumers.

Cyber insurance coverage

Our analysis of cyber insurance policies introduced a two-level hierarchy of themes. We first identify six perils (themes) and then we identify specific damages (sub-themes) that are covered for each peril. Table 2 provides a summary of which perils are covered by each policy. Cyber Attacks, Cyber Extortion, and Online Fraud were covered by all the policies in our sample. Identity Theft, Cyberbullying, and Data Breaches were inconsistently covered in the early policies, but appear to have become standard coverage items since 2020. There were no consistent differences between US and UK personal cyber insurance policies, although we only analyzed three policies from the UK.

Table 2.

The perils covered by each cyber insurance policy.

| ID | Date | Location |
|---|---|---|
| USCIP#3 | May-17 | CA |
| USCIP#1 | Sep-17 | CA |
| USCIP#7 | May-18 | CA |
| USCIP#13 | Jun-18 | NY |
| USCIP#5 | Jul-18 | CA |
| USCIP#4 | Aug-18 | CA |
| USCIP#17 | Nov-18 | PA |
| USCIP#19 | Nov-18 | PA |
| USCIP#11 | Feb-19 | CA |
| USCIP#2 | May-19 | CA |
| USCIP#21 | Jul-19 | TX |
| USCIP#10 | Aug-19 | CA |
| USCIP#9 | Feb-20 | CA |
| USCIP#15 | Jul-20 | NY |
| USCIP#12 | Oct-20 | CA |
| USCIP#16 | Nov-20 | NY |
| USCIP#18 | Nov-20 | PA |
| USCIP#20 | Apr-21 | TX |
| USCIP#8 | May-21 | CA |
| USCIP#14 | May-21 | NY |
| USCIP#6 | Nov-21 | CA |
| UKCIP#22 | ? | UK |
| UKCIP#23 | ? | UK |
| UKCIP#24 | ? | UK |

Column totals: HSB 12; Cyber Attack 24; Cyber Extortion 24; Online Fraud 23.5; Identity Theft 21.5; Cyberbullying 13; Data Breach 15.

[The per-policy cells of the HSB, Cyber Attack, Cyber Extortion, Online Fraud, Identity Theft, Cyberbullying, and Data Breach columns were icons and are not reproduced here.]

The HSB column captures whether the policy copies/adapts HSB’s standardized product.

Each cell carries one of three icons: one if both coders agreed that it was included, one if the coders disagreed, and one if both agreed that it was excluded.


Before describing how each peril was defined and what specific costs are covered, we note that 12 policies were developed using The Hartford Steam Boiler Inspection and Insurance Company’s (HSB) standard forms. This means that the definitions, coverage, exclusions, and pricing strategy are highly similar, even identical in some cases. However, these products are not all identical. Table 2 shows variety even among HSB policies. Despite all regulatory filings citing HSB research, USCIP#9 covers cyberbullying and data breach, whereas these perils are not covered by USCIP#2, #10, or #21.

Cyber Attack

This peril was covered in all policies, and was most commonly defined in terms of how an attacker gains access. The following definition was included in 15 of the 21 policies in our sample:

“Cyber attack means one of the following involving a ‘computing device’ or ‘connected home device’:

  • Unauthorized Access or Use – meaning the gaining of access to your device or system by an unauthorized person or persons or by an authorized person or persons for unauthorized purposes.

  • Malware Attack–meaning damage to your device, system or loss or corruption of data arising from malicious code, including viruses, worms, Trojans, spyware and keyloggers. This does not mean damage from shortcomings or mistakes in legitimate electronic code or damage from code installed on your computer system during the manufacturing process.”

USCIP#20 uses a similar definition, but uses the terms “hacking attack” and “virus” instead of “Unauthorized Access or Use” or “Malware Attack”. USCIP#15 was atypical in using Cyber Attack as an umbrella term for multiple cyber perils. USCIP#4 and #6 used an alternative term, Cyber Disruption Occurrence, to reflect the possibility that smart homes could be targeted. For example, USCIP#4 defines it as

“loss first discovered during the policy period arising out of a cyber attack, which results in the interruption of continuous, normal operation of your:

  • electronic household management systems, where such interruption:

    • denies you or a family member access to your residence; or

    • would make your residence uninhabitable; or

  • incidental business at home.”

To understand whether different definitions of cyber attack meaningfully change coverage, one would have to consider a series of concrete scenarios. Even then, ambiguity in interpretation is possible.

Data recovery and system restoration were the most common damages covered under the Cyber Attack theme, but detailed descriptions were rarely provided. USCIP#5 provides an exception and explains that system restoration costs include “replacing and restoring computer programs, removing malicious code, and configuration of the device”. The two policies that explicitly cover attacks against smart homes also include temporary relocation expenses for the family.

Cyber Extortion

Cyber Extortion was defined in terms of the attacker’s post-compromise behavior, in contrast to Cyber Attack, which was defined in terms of the method of infection. USCIP#3 captures the two core aspects:

“any demand for money, securities or other property made in connection with a threat to commit a cyber attack or to end an ongoing cyber attack”.

It is interesting that they include not only successful attacks but also the threat of an attack. Some policies limit this to a “credible threat to damage, disable, deny access to or disseminate content from your device, system or data” (e.g. USCIP#3), where infecting and controlling a victim’s device presumably increases credibility. USCIP#4 provides more details on the types of threat:

“...threatens the following unless a payment is made:

  • to release, divulge, disseminate, destroy, or use your or a family member’s personal information;

  • to cause failure to electronic data processing property owned by you or a family member; or

  • to restrict or inhibit access to your or a family member’s electronic data processing property or personal information.”

This captures ransoms based on the threat of leaking data, not just threats related to encrypting data.

Turning to which costs are covered, 20 policies explicitly covered the cost of ransom payments, with USCIP#4 covering the payment “in any legal tender”. Notably, one policy that referenced HSB research (USCIP#11) did not cover ransoms, in contrast to the other policies that used HSB research. Similarly, two of the UK policies included it and the other did not. This suggests that the controversial decision of whether to pay a ransom is not determined by location or standard-setting institutions, and is instead the decision of each insurer. Six insurers specifically refer to ransom payment, by mentioning the necessary payment to terminate the threat or the recipient to whom the amount of money has to be sent: “We will pay [...] for: money or digital currency paid to the extortionists as ransom; [...]” (USCIP#6) and “[payment] to a third party individual or group.” (USCIP#12).

Online Fraud

This theme was used to unify a number of distinct terms: “financial fraud”, “fraud event”, “forgery”, “cyber crime event”, “cyber crime”, “cyber financial fraud occurrence”, “funds transfer event”, and “deceptive transfer fraud”. Typically, these involve a cyber criminal socially engineering a victim for the criminal’s financial gain. A majority of policies used the following definition of fraud:

“Fraud event means any of the following, when such event results in direct financial loss to an ‘insured’:

  1. An ‘identity theft’;

  2. The unauthorized use of a card, card number or account number associated with a bank account or credit account issued to or registered in an ‘insured’s’ name, when the ‘insured’ is legally liable for such use;

  3. The forgery or alteration of any check or negotiable instrument;

  4. Acceptance in good faith of counterfeit currency; or

  5. An intentional and criminal deception of an ‘insured’ to induce the ‘insured’ to part voluntarily with something of value.”

Clearly, this definition captures both traditional and cyber frauds. To address this, most insurers included a clause such as the following:

There has been a “fraud event” against you or another “insured” that is wholly or partially perpetrated through a “computing device” or “connected home device”.

However, this issue was ambiguous in some policies. We also included deceptive transfer fraud in this category, even though it was a standalone category in USCIP#6 and USCIP#12. It has the following definition:

“A deceptive transfer fraud occurrence means someone misleads you into transferring your personal property or account funds to them. They mislead you by impersonating a person or legitimate organization that you recognize and would reasonably expect to be in contact with for an authentic purpose. You will do everything needed to recover your stolen funds from the relevant financial institution or tax authority.” USCIP#6

All insurers offering Online Fraud coverage will reimburse the direct financial loss, the “amount fraudulently taken from the insured” as defined in USCIP#8. In addition, USCIP#4 reimburses damages or expenses for which the insured may become legally liable, which includes “salary lost; attorney fees; lawsuits protection; removal of criminal or civil judgments or any challenge to the information in a consumer credit report”. USCIP#6 also offers nonrecoverable personal property, legal liabilities, missing tax refunds or financial account funds, and extra payment card charges.

Identity Fraud

Much like how cyber extortion is a subset of cyber attack, identity fraud is a subset of online fraud. A distinctive aspect of identity theft is the broad and well-defined list of costs that are covered, whereas online fraud focuses on the direct financial loss. USCIP#6 provides a concise definition of identity theft, namely when “someone illegally uses your identity without your consent”. The typical definition focused on the criminal’s goal, as follows:

“Identity fraud means the fraudulent use of an insured’s identifying information to:

  • commit crimes;

  • unlawfully establish credit accounts;

  • secure loans; or

  • enter into contracts.” USCIP#2

Table 3 shows how identity theft coverage includes a range of specific damages. These include costs associated with recovering the identity or any adverse loan applications due to ruined credit history. The specific costs include refiling loan applications, communicating with authorities via affidavits, and hiring an attorney. Another set of costs includes acquiring credit reports or credit monitoring. Finally, the disruption to victims’ lives can be seen in coverage for lost wages and care costs for the insured’s children or elderly dependents.

Cyberbullying

The definitions of cyberbullying are similar to each other in language and purpose. USCIP#18 defines an event to be

“two or more similar or related acts of harassment, intimidation, defamation, invasion of privacy, threats of violence or other similar acts. These related acts must be perpetrated using computers, cell phones, tablets or any similar device”.

USCIP#15 defines the methods of cyberbullying, namely “texting, instant messaging, chat rooms, photos and other content posted on social media”. All insurers require that at least two acts of cyberbullying occur. Some insurers mentioned specific harms resulting from the bullying:

  • “wrongful termination, false arrest, or wrongful discipline by a governing official or body of a primary or secondary school, institution or higher education, or private school; or

  • causes debilitating shock, mental anguish, or mental injury that has been diagnosed by a licensed physician, psychologist, or other authorized mental health professional (other than you or a family member) leading to the inability of you or a family member to attend school or work full-time for more than one week. [...]” USCIP#3

Figure 4 shows the specific costs related to cyberbullying, which were extensive much like identity theft. A range of crisis response strategies are possible, each requiring different expertise. Legal expenses cover using a lawyer to request taking down of offensive content. Counsellors are needed for mental health support, and IT professional assistance and other consultants help with reputation management or digital forensics.

Highlighting the potential for disruption, policies cover the cost of private education and relocation in case the child cannot attend school or the family must move as a result of the bullying. They also cover the cost of lost wages and alternative care arrangements if the policyholder needs to take time off work to respond to the incident. Finally, many policies cover support software and Web services to prevent the occurrence of further cyberbullying acts.

Data Breach

Insurers considered different scenarios regarding the data breach peril. The insurer behind USCIP#6 imagines that the policyholder’s data were lost by someone else:

“A cyber breach of privacy occurrence means your private personal information or false information about you is published on the internet, and it:

  1. hurts your reputation.

  2. puts your physical safety or home at risk.

  3. leads to your:

    • wrongful termination;

    • false arrest;

    • being unfairly disciplined by an educational institution; or

    • being unable to attend work or school for more than a week as a result of suffering mental injury, as diagnosed by a mental health professional who is not your family member or yourself.”

For USCIP#4, data breach means the following:

“Data breach means the loss, theft, accidental release or accidental publication of ‘personally identifying information’ or ‘personally sensitive information’ as respects to one or more affected individuals”.

This was used by five other insurers. For these insurers, the peril is that the policyholder loses the data of other individuals.

This explains why all insurers provide legal review assistance and digital forensics to determine the scope of the data breach and how to respond to it. Much like with corporate cyber insurance [17], some consumer policies explicitly cover the cost of notifying and providing credit monitoring services to affected individuals. Recalling that USCIP#6 considers the policyholder’s data were lost, it also covers psychiatric services and related recovery expenses, lost wages, relocation expenses, and a reputation management firm consultancy. Similarly, the Other costs in USCIP#9 include mental health services expenses and a professional public relations consultant and a reputation management firm. For the two UK policies (UKCIP#23 and UKCIP#24), Other concerned the cost of “retrieving” or “recovering” data that were lost or damaged during the breach.

Cyber insurance pricing

We also retrieved pricing documents from the SERFF database. The rate/rule filings describe how prices are calculated based on policy characteristics. The explanatory memorandum filings are used to explain and justify how the prices were calculated.

Table 3 displays the range of prices, limits, and deductibles across all of the policies. The average premium for personal cyber insurance is $245 and the median stands at $99, with a median limit of $100k. This table omits information about perils covered, how policyholder characteristics impact price, and also sublimits. For example, a total policy limit may be $100k, but there may be a maximum of $10k of coverage available for cyber extortion.

Table 3.

The minimum and maximum premiums, limits, and deductibles available per policy.

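| USCIP ID | State | Date | Premium ($), min–max | Limit ($), min–max | Retention ($), min–max |
|---|---|---|---|---|---|
| #3 | CA | 16/5/17 | 23–833 | 50k–250k | 0–10k |
| #1 | CA | 1/9/17 | 250–4375 | 100k–2m | 500–2k |
| #7 | CA | 9/5/18 | 30–41 | 25k–50k | 500 |
| #13 | NY | 11/6/18 | 50–65 | 25k–50k | 500 |
| #5 | CA | 31/7/18 | 31–484 | 25k–250k | 500–1000 |
| #4 | CA | 28/8/18 | 12–792 | 25k–500k | Unknown |
| #19 | PA | 12/11/18 | 50 | 15k | 500 |
| #17 | PA | 20/11/18 | 60.17–84.33 | 25k–50k | 500 |
| #11 | CA | 5/2/19 | 38 | 25k | 500 |
| #2 | CA | 30/5/19 | 25 | 50k | 0–500 |
| #21 | PA | 3/7/19 | Unknown | Unknown | Unknown |
| #10 | CA | 7/8/19 | 25 | 25k | 500 |
| #9 | CA | 3/2/20 | 34–71 | 25k–50k | 500 |
| #12 | CA | 10/2/20 | 75–610 | 100k–1.5m | Unknown |
| #15 | NY | 27/7/20 | Unknown | 30k | 250 |
| #18 | PA | 24/11/20 | 50–100 | 25k–100k | Unknown |
| #16 | NY | 25/11/20 | 35 | 25k | 500 |
| #20 | PA | 7/4/21 | 29–39 | 10k–25k | 0–500 |
| #8 | CA | 11/5/21 | 54.75–73.25 | 25k–50k | 500 |
| #14 | NY | 12/5/21 | 49–170 | 25k–100k | 500 |
| #6 | CA | 11/11/21 | 63.36 | Unknown | Unknown |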

Many insurers do not differentiate prices based on policyholder characteristics. Five insurers engage in price discrimination, with price varying based on the homeowner’s insurance type (USCIP#5), insured’s total assets (USCIP#12), form category (USCIP#14 and USCIP#18), and pricing calculation method (USCIP#8).

The explanatory document typically declared that personal cyber insurance was a new program, for which no loss or actuarial support is available. Such policies are expected to adjust prices in the coming years. Some insurers filed an additional document announcing an increase in the premium price following loss experience. Less frequently these updates declared that a higher limit would be available to customers.

The most common source for actuarial calculations was a survey commissioned by HSB, which was used by six insurers. USCIP#12 used publicly available information, namely the FBI’s 2018 Internet Crime Report and the Microsoft Security Intelligence Report. Despite this empirical grounding, the insurer concedes that “a great deal of judgment was required to determine the rates [prices]”. USCIP#19 based prices on a multivariate analysis of six industry competitors.

Table 4 shows the actuarial calculations from USCIP#13’s explanatory memorandum. Computer attack is the highest risk peril because the frequency is so high, even though its impact is moderate. Online fraud is the opposite in that it has the highest impact, but is relatively infrequent. When asked to rank the impact of a similar set of incidents, the aggregate of participants’ responses was largely aligned with the ranking of severity in Table 4 with the exception of cyberbullying, which the median participant believed would have an impact of zero dollars [60].

Table 4.

Actuarial calculations contained in USCIP#13’s explanatory memorandum.

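| Coverage | Lower bound: Frequency | Lower bound: Severity ($) | Lower bound: Risk | Upper bound: Frequency | Upper bound: Severity ($) | Upper bound: Risk | Average: Risk ($) |
|---|---|---|---|---|---|---|---|
| Computer Attack | 0.016 | 261.88 | 4.19 | 0.026 | 541.15 | 14.07 | 9.13 |
| Home Systems Attack | 0.013 | 192.00 | 2.40 | 0.023 | 229.78 | 5.17 | 3.79 |
| Cyber Extortion | 0.003 | 293.33 | 0.88 | 0.013 | 674.62 | 8.77 | 4.83 |
| Online Fraud | 0.002 | 1,206.67 | 1.81 | 0.002 | 1,225.00 | 2.45 | 2.13 |
| Data Breach | 0.004 | 297.50 | 1.19 | 0.018 | 785.71 | 13.75 | 7.47 |
| Cyberbullying | 0.003 | 744.00 | 1.86 | 0.008 | 992.00 | 7.44 | 4.65 |
| Total | | | | | | | 31.99 |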
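
The arithmetic behind Table 4, as an added example that is not part of the paper or of USCIP#13's filing: it assumes each risk cell is frequency × severity and that the average is the mean of the two bound risks, then checks whether the printed figures bear that out. Reading the frequency column as rounded to three decimals is an inference the code tests, not something the memorandum states.

```python
# Added example: consistency audit of Table 4. Figures are transcribed from the
# table; "risk = frequency x severity" is the assumption under test.

# peril: (lower bound, upper bound, printed average risk in $)
# each bound is (frequency, severity in $, risk in $) exactly as printed
TABLE_4 = {
    "Computer Attack":     ((0.016, 261.88, 4.19), (0.026, 541.15, 14.07), 9.13),
    "Home Systems Attack": ((0.013, 192.00, 2.40), (0.023, 229.78, 5.17), 3.79),
    "Cyber Extortion":     ((0.003, 293.33, 0.88), (0.013, 674.62, 8.77), 4.83),
    "Online Fraud":        ((0.002, 1206.67, 1.81), (0.002, 1225.00, 2.45), 2.13),
    "Data Breach":         ((0.004, 297.50, 1.19), (0.018, 785.71, 13.75), 7.47),
    "Cyberbullying":       ((0.003, 744.00, 1.86), (0.008, 992.00, 7.44), 4.65),
}
PRINTED_TOTAL = 31.99
HALF_CENT = 0.005  # largest error a dollar value printed to 2 decimals can carry


def audit_cells(table=TABLE_4):
    """Recompute every risk cell as printed frequency x printed severity."""
    cells = []
    for peril, (lower, upper, _average) in table.items():
        for bound, (freq, severity, risk) in (("lower", lower), ("upper", upper)):
            cells.append({
                "peril": peril,
                "bound": bound,
                "frequency": freq,
                "severity": severity,
                "risk": risk,
                "recomputed": round(freq * severity, 2),
                "reproducible": abs(freq * severity - risk) <= HALF_CENT + 1e-9,
                # frequency that the printed risk and severity jointly imply
                "implied_frequency": risk / severity,
            })
    return cells


def unexplained_by_rounding(cells, decimals=3):
    """Cells whose implied frequency could NOT round to the printed frequency.

    Allows half a unit in the last printed frequency digit, plus the slack that
    the risk's own rounding to cents adds to risk / severity.
    """
    half_step = 0.5 * 10 ** -decimals
    return [c for c in cells
            if abs(c["implied_frequency"] - c["frequency"])
            > half_step + HALF_CENT / c["severity"] + 1e-12]


def average_risk(table=TABLE_4):
    """Unrounded mean of the lower- and upper-bound risk for each peril."""
    return {peril: (lower[2] + upper[2]) / 2
            for peril, (lower, upper, _average) in table.items()}


def ranked_by_risk(table=TABLE_4):
    """Perils from highest to lowest average risk."""
    avg = average_risk(table)
    return sorted(avg, key=avg.get, reverse=True)


if __name__ == "__main__":
    cells = audit_cells()
    for c in cells:
        if not c["reproducible"]:
            print(f'{c["peril"]:<20} {c["bound"]:<5} printed {c["risk"]:>6.2f} '
                  f'recomputed {c["recomputed"]:>6.2f} '
                  f'implied frequency {c["implied_frequency"]:.4f}')
    print("unexplained by rounding:", unexplained_by_rounding(cells))
    print("sum of unrounded averages:", round(sum(average_risk().values()), 2))
    print("sum of printed averages:  ",
          round(sum(a for _l, _u, a in TABLE_4.values()), 2))
    print("ranking:", ranked_by_risk())
```

Six of the twelve risk cells cannot be reproduced from the printed frequencies, but every one is consistent with a frequency that was rounded to three decimals (for example, an implied 0.0015 behind Online Fraud's lower bound). The printed total of 31.99 matches the sum of the unrounded averages, whereas the printed averages sum to 32.00.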

Discussion

This section discusses how our findings should inform user strategies and the future of digital insurance.

User strategies

Digital risk management strategies cannot be universal because different users have specific needs and circumstances [61,62]. As such, we cannot make a blanket recommendation about the role of cyber insurance. Instead, we probe gaps in coverage, size of the limit, and crisis response. These considerations can inform users when considering whether to buy insurance.

Coverage

A first-order question is whether home or cyber insurance covers the riskiest digital harms faced by consumers. Acknowledging that mapping out the digital risk landscape is itself an open research topic [63–65], we can start with studies that have identified specific harms/harmful incidents. Breen et al. [66] identify the six most common cybercrimes in the USA using FBI data. Similarly, a systematic review identifies 10 crime categories by reviewing cybercrime victimization estimates produced by statistical agencies, academia, and industry [67]. The majority of home insurance policies provide no affirmative coverage (see Fig. 2) for these crimes, and the other home policies would only provide coverage for identity theft and social media defamation. Notably, identity theft was not one of the top six cybercrimes [66], and online defamation was not identified as a harm in either study.

Cyber insurance, unsurprisingly, provides more coverage. Of the top six crimes [66], extortion would be covered, while the other five crimes are different types of online scams that are most likely covered, although we would need a concrete scenario and policy to provide a definitive answer. For example, extortion would be covered under the Cyber Extortion peril. CC/banking, Non-delivery, Non-payment, Advanced Fee, and Overpayment are likely covered under the Online Fraud peril. Of the 10 crimes from the meta review [68], 6 crimes directly map to perils identified in our paper: Cyber attack, Malware, Unauthorized Access, and DoS (from [67]) → Cyber attack (our theme), Ransomware → Cyber Extortion, and Identity Theft → Identity Theft. The frauds/scams (e.g. Fraudulent Email/Website, Online Banking, and Online Sales Fraud) are likely covered under the Online Fraud peril. It is unclear whether “Espionage” [67] is covered.

To summarize, cyber insurance (but not home insurance) appears to cover the riskiest cybercrimes according to law enforcement data. We were uncertain about coverage for all online frauds because of the many different types of scams [69–71]. Coverage for digital harms outside the law enforcement lens is harder to evaluate. It is likely inadequate for at-risk groups who face a different threat landscape [61,62].

Limits

The next question is how much insurance to buy, if any. The average severity of incidents displayed in Table 4 ranges from $192 to $1225. Slightly higher estimates are provided by a representative survey of consumer cyber crime experiences in the USA (n = 11,953). The 90th quartile of money lost ranges from $300 (online sales fraud) to $3000 (advanced fee fraud) with ransomware at $1442 [66]. This suggests that a limit of $25–100k is sufficient for most losses. This makes sense given the median total US household wealth is $150k and much of that is insulated from digital risk (e.g. a house). However, the minority of individuals who face potential six-figure digital losses should purchase greater limits, which are available up to $2m based on our sample.

These losses are small enough, relative to, say, medical costs or property damage, that self-insurance is a viable strategy. Indeed, the majority of UK and US consumers self-insure by default given personal cyber insurance remains a niche product. This is not a problem if they can quickly get hold of a few thousand dollars/pounds to cover a cyber incident. The problem arises when individuals can neither afford a loss nor afford to buy insurance to cover it.

Loss services

Beyond financial transfer, insurers provide value by coordinating crisis response, which is the case for corporate cyber insurance [36–38]. In much the same way, the policies in our sample pay for various services to respond to digital incidents. Attorney fees, IT assistance, mental health counseling, and other professional services were a common part of the Identity Theft and Cyberbullying perils. During the stress of a crisis, victims are not well placed to decide which practitioners to hire and to negotiate a fair price. Insurers may be better suited to this task [47].

Outlook

Private cyber insurance is a mass-market product targeted at the typical consumer. It covers the riskiest cybercrimes, offers a maximum payout (limit) that is sufficient for most consumers, and provides additional value in coordinating a range of crisis responders. For these reasons, it seems to be an effective risk management solution for the typical US or UK consumer. However, this breaks down for marginalized subpopulations who struggle with affordability or for at-risk individuals who face a different threat landscape. This raises the question of how the products can and should evolve, as well as the role of public policy.

Future of personal cyber insurance

A fundamental question for the industry is whether digital harm should be covered by traditional or specialist products. Our data cannot speak to whether individuals get coverage from businesses from which they buy products and services. For example, corporate cyber insurance policies provide credit reports and monitoring to the policyholders’ customers in the event of a data breach [17]. Notably, these services are covered under the policies we analyzed (see Fig. 3). Even more significantly, banks indemnify customers for online frauds in some cases, as evidenced by <10% of victims of bank/credit card fraud actually losing money [66].

Alt text: Teh policies covered refiling applications, notarizing affidavits, and Attorney fees. 8 covered care expenses, 6 covered credit reports, and 5 covered monitoring services.
Figure 3.

The number of policies that affirmatively include each cost related to identity theft. These items may be covered by other policies under generic clauses about identity theft costs.

Alt text: 12 covered educational expenses, and IT and other professional assistance. 10 covered legal expenses and lost wages. 8 covered relocation expenses and mental health services. 7 covered purchase of support software and care expenses.
Figure 4.

The number of policies that affirmatively include each cost related to cyberbullying. These items may be covered by the other policies under generic clauses about cyberbullying costs.

Home insurance

One future sees the core home insurance policy expand to cover digital harms. It seems that insurers are comfortable covering digital losses caused by conventional losses, such as damage to laptops and downloaded data. Even though there are nuances, losses related to music and video files are covered providing they were legally acquired, but lost or damaged software is not covered. This seems strange given the cost of “replacing” software is near zero for the owner [72].

Turning to digital perils, there is US–UK divergence. Most UK insurers exclude losses caused by computer viruses, hacking, or cyber attacks, whereas US policies are silent. It is unclear whether the lack of exclusions represents silent coverage (digital losses are covered in a way that the insurer did not expect) or whether other clauses in the contracts or precedent are sufficient to exclude coverage. For example, a few policies exclude cryptocurrency losses, but this does not necessarily mean that the other 13 policies cover such losses. Many policies include generic exclusions related to financial losses and even gambling, which most likely captures cryptocurrencies. These ambiguities will only be clarified when consumers try to make cyber claims under home insurance policies.

Cyber insurance

Another future sees personal cyber follow corporate cyber in becoming a specialist product [16]. In terms of perils, both consumer and corporate cyber policies can provide coverage for online fraud, cyber attack/extortion, and data breach [17], as well as the cost of hiring crisis response firms [47]. These similarities point to the reality that cyber risk exists on a continuum of network complexity from multinational corporations through to small businesses, which are closer to family networks from a technical perspective.

Consumer products did, however, introduce novel coverage related to cyberbullying and social media defamation. This shows how security strategies cannot be imported from corporate contexts into the home context. It seems that consumer cyber insurance is more human-centered, which can be seen in the costs covered, including mental health counselling following identity theft and cyberbullying. More fundamentally, the policies cover harms to the policyholder and their family, which marketing departments use to create product affinity.

One direction is for personal cyber insurance to go beyond covering malicious incidents—notably, all of the harms identified in the “Results” section are caused by an active adversary. For example, Haidt argues that the adoption of smartphones is the cause of the emerging teen mental health crisis [73]. Is there a role for insurance in mitigating the consequences?

Limitations

The main limitations of our study can be divided into analytical and sampling problems. First, our inductive approach to deriving the codebook biased our results toward what is affirmatively covered, rather than identifying which harms identified in prior work are not covered. Another limitation is that our codebook ignored the structure of the policies. For example, the codebook does not represent the difference between some policies in our sample that included identity theft as a type of online fraud and others that included it as a standalone insuring agreement. This does not affect whether identity theft is covered, but it does abstract away from how insurance policies are designed in modules. Nevertheless, the high agreement between coders suggests that our study has high internal validity.

Turning to sampling issues, it is unclear whether our results will generalize to other insurance products, countries, or time periods. New data would need to be collected to understand whether cyber coverage is available under traditional insurance products such as travel, auto, pet, and so on. There may also be coverage differences in other countries. For example, German personal cyber insurance products do not cover ransom payments [50], possibly due to different laws. It is also possible that our results will not describe future products, which will be tailored to adapt to the evolution of cyber crime.

Conclusion

In answering RQ1, we found that home insurance policies provide inconsistent coverage for digital harm. Damage to digital assets caused by conventional perils is typically covered. However, UK policies exclude digital perils such as computer viruses, hacking, and data breaches, whereas US policies are silent. A minority of US and UK policies explicitly cover identity theft and social media defamation. This leaves gaps in coverage for digital harm.

In answering RQ2, we discovered that specialist cyber insurance policies offer coverage for security incidents such as cyber attacks and extortion; privacy violations such as identity theft and data breaches; online frauds; and cyberbullying. Specific costs covered include data/system restoration, crisis response costs, money lost to fraud, lost income, ransom payments, and mental health counseling. In answering RQ3, we found that policies typically cost between $20 and $100, with either crude or no price discrimination. In the regulatory filings, actuaries report a lack of historic data.

Going forward, it is unclear whether cyber insurance will exist as a specialist product for consumers. Many policies were sold as an optional add-on to home insurance, and eight home insurance policies explicitly covered cyber attacks. It could be that home insurance simply expands to include cyber perils given the average risk of each peril is <$10. More speculatively, governments could begin to offer digital crisis services and to compensate victims of cybercrime.

Conflict of interest

None declared.

Author contribution

Rachiyta Jain (Data curation, Formal analysis, Investigation, Methodology, Project administration, Validation, Visualization, Writing—original draft, Writing—review & editing), Temima Hrle (Data curation, Formal analysis, Investigation, Methodology, Project administration, Validation, Visualization, Writing—original draft, Writing—review & editing), Daniel W. Woods (Conceptualization, Data curation, Investigation, Methodology, Project administration, Visualization, Writing—original draft, Writing—review & editing).

Funding

This research is supported by REPHRAIN: The National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online (UKRI grant: EP/V011189/1).

Appendix

Cyber insurance exclusions

Most of our analysis focused on which costs are affirmatively covered. We also explored which losses and circumstances are explicitly not covered. This exploratory analysis focuses only on US cyber insurance policies and is not verified by intercoder reliability. We stopped this line of analysis because we discovered that exclusions had little relevance to the digital world. This was mirrored in corporate cyber insurance [17] and also personal identity insurance [19]. However, we include the results in case they are of use to future researchers.

Exclusions were included in a section in the contract titled “Exclusions”, which consisted of a list of words and phrases that would invalidate coverage. Figure A1 shows the frequency of these exclusions. Most policies excluded losses associated with fraudulent, dishonest, or criminal acts; property or vehicle damage; physical damage or illness; criminal investigations or proceedings; prior knowledge; third-party liability or legal defense costs; fines or penalties; confiscation; insolvency; other further costs such as replacement of identity document service; and catastrophic events such as war, nuclear hazard, or natural disaster. The political implications of war clauses have been discussed in the context of corporate cyber insurance [74].

Figure A1.

Exclusions found in the US cyber insurance policies.

A number of cyber exclusions relate to specific technological considerations. The most common was the “Loss to the Internet” exclusions that covered Internet downtime. It was defined as follows:

“Loss arising from a total, partial, temporary or intermittent outage of internet connection; however, this exclusion does not apply to any such outage of internet connection that directly results from a cyber-attack on your connected device.” USCIP#20

The other cyber exclusions were included just once. USCIP#6 excludes the following:

“Losses resulting from any activity involving digital currency that is not authorized by a sovereign government as part of its currency.”

Another is the Widespread events clause, which was introduced by Chubb. This excluded losses caused by the following:

“A single attack upon and/or failure of one of these widely used platforms or technologies”.

In a press release, Chubb mentions specific examples of widespread events such as Hafnium, a zero-day exploit; NotPetya and SolarWinds, and software supply chain exploits [75]. USCIP#9 included the following requirements regarding the policyholder’s cybersecurity posture:

“You agree to use due diligence... complying with reasonable and widely-practiced steps for:

  • Providing and maintaining appropriate system and data security; and

  • Maintaining and updating at appropriate intervals backups of electronic data.”

References

1. Mayer P, Zou Y, Schaub F et al. “Now I’m a bit angry” individuals’ awareness, perception, and responses to data breaches that affected them. In: Proceedings of the 30th USENIX Security Symposium (USENIX Security 21). Berkeley, California, USA: USENIX Association, 2021, 393–410.

2. Simoiu C, Bonneau J, Gates C et al. “I was told to buy a software or lose my computer. I ignored it”: a study of ransomware. In: Proceedings of the 15th Symposium on Usable Privacy and Security (SOUPS 2019), Santa Clara, CA: USENIX Association, 2019, 155–74.

3. Ur B, Leon PG, Cranor LF et al. Smart, useful, scary, creepy: perceptions of online behavioral advertising. In: Proceedings of the 8th Symposium on Usable Privacy and Security, New York, NY: Association for Computing Machinery, 2012, 1–15.

4. Romanosky S, Telang R, Acquisti A. Do data breach disclosure laws reduce identity theft? J Policy Anal Manage. 2011;30:256–86.

5. Bartoletti M, Lande S, Loddo A et al. Cryptocurrency scams: analysis and perspectives. IEEE Access. 2021;9:148353–73.

6. Thomas K, Akhawe D, Bailey M et al. SoK: Hate, harassment, and the changing landscape of online abuse. In: Proceedings of the IEEE Symposium on Security and Privacy, IEEE, 2021, 247–67.

7. Osterweil E, Stavrou A, Zhang L. 21 years of distributed denial-of service: current state of affairs. Computer. 2020;53:88–92.

8. Redmiles EM, Malone AR, Mazurek ML. I think they’re trying to tell me something: advice sources and selection for digital security. In: Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP). San Jose, CA: IEEE, 2016, 272–88.

9. Redmiles EM, Warford N, Jayanti A et al. A comprehensive quality evaluation of security and privacy advice on the web. In: Proceedings of the 29th USENIX Security Symposium (USENIX Security 20), Berkeley, California, USA: USENIX Association, 2020, 89–108.

10. Anderson R. Security Engineering. Oxford, UK: John Wiley and Sons, 2008.

11. Thoyts R. Insurance Theory and Practice. Abingdon-on-Thames, UK: Routledge, 2010.

12. Ben-Shahar O, Logue KD. Outsourcing regulation: how insurance reduces moral hazard. Mich L Rev. 2012;111:197.

13. Baker T. Back to the future of cyber insurance. Prof Liab Underw Soc. 2019;3:5–6.

14. Wrede D, Stegen T, Graf von der Schulenburg JM. Affirmative and silent cyber coverage in traditional insurance policies: qualitative content analysis of selected insurance products from the German insurance market. Geneva Pap Risk Insur-Issues Pract. 2020;45:657–89.

15. Castriotta K. A semantic framework for analyzing “silent cyber”. J Financ Trans. 2022;55:102–11.

16. Wolff J. Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks. Cambridge, Massachusetts, USA: MIT Press, 2022.

17. Romanosky S, Kuehn A, Ablon L et al. Content analysis of cyber insurance policies: How do carriers price cyber risk? J Cybersecur. 2019;5:tyz002.

18. McGregor R, Reaiche C, Boyle S et al. Cyberspace and personal cyber insurance: a systematic review. J Comput Inf Syst. 2023;64:1–15.

19. Woods DW. Personal Identity Insurance: Coverage and Pricing in the US. J Financ Trans. 2023;57:36–45.

20. Kshetri N, Voas J. Thoughts on cyberbullying. Computer. 2019;52:64–8.

21. Lloyd’s of London, Lloyd’s launches new cryptocurrency wallet insurance solution for Coincover. 2019.

22. Biczók G, Chia PH. Interdependent privacy: Let me share your data. In: Proceedings of the International Conference on Financial Cryptography and Data Security. Berlin: Springer, 2013, 338–53.

23. Meng N, Keküllüoğlu D, Vaniea K. Owning and sharing: Privacy perceptions of smart speaker users. Proc ACM Hum Comput Interact. 2021;5:1–29.

24. Mayer P, Zou Y, Lowens BM et al. Awareness, intention, (in)action: individuals’ reactions to data breaches. ACM Trans Comput Hum Interact. 2023;30:1–53.

25. Tanczer LM, López-Neira I, Parkin S. “I feel like we’re really behind the game”: perspectives of the United Kingdom’s intimate partner violence support sector on the rise of technology-facilitated abuse. J Gender Based Viol. 2021;5:431–50.

26. Böhme R, Schwartz G. Modeling Cyber-Insurance: Towards a Unifying Framework. In: Proceedings of the Workshop on the Economics of Information Security. 2010, https://econinfosec.org/archive/weis2010/papers/session5/weis2010_boehme_pres.pdf

27. Marotta A, Martinelli F, Nanni S et al. Cyber-insurance survey. Comput Sci Rev. 2017;24:35–61.

28. Eling M. Cyber risk and cyber risk insurance: status quo and future research. Geneva Pap Risk Insur: Issues Pract. 2018;43:175–9.

29. Dambra S, Bilge L, Balzarotti D. SoK: cyber insurance—technical challenges and a system security roadmap. In: Proceedings of the IEEE Symposium on Security and Privacy. San Francisco, CA: IEEE, 2020, 293–309.

30. Tsohou A, Diamantopoulou V, Gritzalis S et al. Cyber insurance: state of the art, trends and future directions. Int J Inf Secur. 2023;22:737–48.

31. Kesan J, Majuca R, Yurcik W. Cyberinsurance as a market-based solution to the problem of cybersecurity: a case study. In: Workshop on the Economics of Information Security. 2005, https://infosecon.net/workshop/pdf/42.pdf

32. Bolot JC, Lelarge M. A new perspective on internet security using insurance. In: Proceedings of the 27th Conference on Computer Communications, Phoenix, AZ: IEEE, 2008, 1948–56.

33. Shetty N, Schwartz G, Felegyhazi M et al. Competitive cyber-insurance and internet security. In: Economics of Information Security and Privacy. Boston, MA: Springer, 2010, 229–47.

34. Massacci F, Swierzbinski J, Williams J. Cyberinsurance and public policy: self-protection and insurance with endogenous adversaries. In: Workshop on the Economics of Information Security, 2017, https://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_14.pdf

35. Khalili MM, Liu M, Romanosky S. Embracing and controlling risk dependency in cyber-insurance policy underwriting. J Cybersecur. 2019;5:tyz010.

36. Woods DW, Moore T. Does insurance have a future in governing cybersecurity? IEEE Secur Priv. 2020;18:21–7.

37. MacColl J, Nurse JR, Sullivan J. Cyber Insurance and the Cyber Security Challenge. Royal United Services Institute, 2021. https://static.rusi.org/247-op-cyber-insurance-v2.pdf

38. Talesh SA, Cunningham B. The technologization of insurance: an empirical analysis of big data and artificial intelligence’s impact on cybersecurity and privacy. Utah Law Rev. 2021;5:967–1027.

39. Franke U. The cyber insurance market in Sweden. Comput Secur. 2017;68:130–44.

40. Talesh SA. Data breach, privacy, and cyber insurance: how insurance companies act as “compliance managers” for businesses. Law Soc Inq. 2018;43:417–40.

41. Nurse JRC, Axon L, Erola A et al. The data that drives cyber insurance: a study into the underwriting and claims processes. In: Proceedings of the 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA), Dublin: IEEE, 2019.

42. Axon L, Erola A, Agrafiotis I et al. Analysing cyber-insurance claims to design harm-propagation trees. In: Proceedings of the International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA), Oxford: IEEE, 2019, 1–4.

43. Woods DW, Weinkle J. Insurance definitions of cyber war. Geneva Pap Risk Insur Issues Pract. 2020;45:639–56.

44. Woods DW, Moore T, Simpson AC. The county fair cyber loss distribution: drawing inference from insurance prices. In: Digital Threats: Research and Practice. 2021, ACM: London, UK, 2(2):1–19.

45. Xie X, Lee C, Eling M. Cyber insurance offering and performance: an analysis of the US cyber insurance market. Geneva Pap Risk Insur Issues Pract. 2020;45:690–736.

46. Woods DW, Agrafiotis I, Nurse JR et al. Mapping the coverage of security controls in cyber insurance proposal forms. J Internet Serv Appl. 2017;8:8.

47. Woods DW, Böhme R, Wolff J et al. Lessons lost: incident response in the age of cyber insurance and breach attorneys. In: Proceedings of the 32nd USENIX Security Symposium, Anaheim, CA: USENIX Association, 2023, 2259–73.

48. Lior A. Insuring AI: the role of insurance in artificial intelligence regulation. Harvard J Law Technol. 2022;35(2):467–530.

49. Zuckerman A. Insuring crypto: the birth of digital asset insurance. U Ill JL Tech and Pol’y. 2021;2021:75–120.

50. Schütz F, Rampold F, Kalisch A et al. Consumer cyber insurance for risk transfer: a coverage analysis. Procedia Comput Sci. 2023;219:521–8.

51. Saunders B, Sim J, Kingstone T et al. Saturation in qualitative research: exploring its conceptualization and operationalization. Qual Quant. 2018;52:1893–907.

52. Low J. A pragmatic definition of the concept of theoretical saturation. Sociol Focus. 2019;52:131–9.

53. Reinsurance News, Top 100 U.S. property and casualty insurance companies. 2022.

54. Schwarcz D. Reevaluating standardized insurance policies. Univ Chicago Law Rev. 2011;78:1263–348.

55. Bell MM. A concurrent mess and a call for clarity in first-party property insurance coverage analysis. Conn Ins LJ. 2011;18:73.

56. Elo S, Kyngäs H. The qualitative content analysis process. J Adv Nurs. 2008;62:107–15.

57. Saldaña J. The Coding Manual for Qualitative Researchers. Los Angeles, California, USA: SAGE, 2021.

58. Kuckartz U. Qualitative text analysis: A systematic approach. In: Compendium for Early Career Researchers in Mathematics Education. Cham: Springer, 2019, 181–97.

59. Böhme R, Laube S, Riek M. A fundamental approach to cyber risk analysis. Variance. 2019;12:161–185.

60. Jain R, Hrle T, Marinetti M et al. “Why would money protect me from cyber bullying?”: A mixed-methods study of personal cyber insurance. In: Proceedings of the 46th IEEE Symposium on Security and Privacy, San Francisco, CA: Institute of Electrical and Electronics Engineers, 2024, 1–17.

61. Geeng C, Harris M, Redmiles E et al. “Like Lesbians Walking the Perimeter”: experiences of U.S. LGBTQ+ Folks with online security, safety, and privacy advice. In: Proceedings of the 31st USENIX Security Symposium (USENIX Security 22). Boston, MA: USENIX Association, 2022, 305–22.

62. Slupska J, Strohmayer A. Networks of care: tech abuse advocates’ digital security practices. In: Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA: USENIX Association, 2022, 341–58.

63. Pater J, Mynatt E. Defining digital self-harm. In: Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing, New York, NY: Association for Computing Machinery, 2017, 1501–13.

64. Slupska J, Tanczer LM. Threat modeling intimate partner violence: tech abuse as a cybersecurity challenge in the internet of things. In: The Emerald International Handbook of Technology-facilitated Violence and Abuse. Leeds, UK: Emerald Publishing Limited, 2021, 663–88.

65. Woods DW, Böhme R. SoK: quantifying cyber risk. In: Proceedings of the IEEE Symposium on Security and Privacy, New York City, New York, USA: IEEE, 2021, 909–26.

66. Breen C, Herley C, Redmiles EM. A large-scale measurement of cybercrime against individuals. In: Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems. New Orleans, LA: Association for Computing Machinery, 2022, 1–41.

67. Woods DW, Walter L. Reviewing estimates of cybercrime victimisation and cyber risk likelihood. In: Proceedings of the 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genoa: IEEE, 2022, 150–62.

68. Woods DW, Böhme R. Incident response as a lawyers’ service. IEEE Secur Priv. 2022;20:68–74.

69. Prasad S, Bouma-Sims E, Mylappan AK et al. Who’s calling? characterizing robocalls through audio and metadata analysis. In: Proceedings of the 29th USENIX Security Symposium (USENIX Security 20), Berkeley, California, USA: USENIX Association, 2020, 397–414.

70. Yang Z, Allen J, Landen M et al. TRIDENT: towards detecting and mitigating web-based social engineering attacks. In: Proceedings of the 32nd USENIX Security Symposium, USENIX Security, Anaheim, CA: USENIX Association, 2023, 1681–98.

71. Siu GA, Hutchings A. “Get a higher return on your savings!”: comparing adverts for cryptocurrency investment scams across platforms. In: Proceedings of the 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Delft: IEEE, 2023, 158–69.

72. Shapiro C, Varian HR. Information Rules: A Strategic Guide to the Network Economy. Boston, Massachusetts, USA: Harvard Business Press, 1998.

73. Haidt J. The Anxious Generation: How the Great Rewiring of Childhood Is Causing an Epidemic of Mental Illness. New York, NY: Random House, 2024.

74. Wolff J. The role of insurers in shaping international cyber-security norms about cyber-war. Contemp Secur Policy. 2024;45:141–70.

75.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.