The effect of corporate risk management on cyber risk mitigation: Evidence from the insurance industry

Abstract

We examine how corporate risk management can be used to address a firm’s vulnerability to cyber risk. We use a large, novel dataset on cyber risk and corporate risk management to analyse US insurers’ cyber loss events during the period of 2000–2021. Our analysis includes information on whether insurers have implemented an enterprise risk management (ERM) programme and whether they report applying cyber risk management (CRM). The results illustrate that the implementation of CRM measures may have no significant effect on cyber risk mitigation. However, we determine that the likelihood (frequency) of a cyber loss event decreases by 3.9% (6.8%) as ERM programmes mature year on year. We also find that an insurer can benefit from implementing both CRM and ERM through a lowered event likelihood (frequency) of 3.8 percentage points on average (3.7 percentage points) per year compared to solely implementing an ERM programme. © The Geneva Association 2024.