Skip to main content
main content, press tab to continue
Article | WTW Research Network Newsletter

A research agenda for consumer insurance covering emerging technology harms

By Daniel Woods , Stuart Calam and Omar Samhan | September 7, 2023

Emerging technologies often harm consumers via corporate data breaches of identity theft,blockchain systems enabling crypto-asset scams,bullying on social media platforms & sensors for domestic abuse.
Willis Research Network|
N/A

While technological solutions have a role in preventing such harms, it is also important to understand how consumers can transfer risk.

In work conducted at the University of Edinburgh and sponsored by the WTW Research Network, Dr. Daniel Woods builds a research agenda for emerging technology insurance for consumers. This involves identifying preliminary work that speaks to these questions. The report also sketches potential research designs.

Studies documenting consumer harms resulting from emerging technologies are proliferating:

  • Toxic content and other harms on social networks[1]
  • Personal identity theft[2]
  • Denial of service attacks[3] and consumer ransomware[4]
  • Crypto scams like Ponzi schemes and fake initial coin offerings (ICOs)[5]
  • Domestic abuse facilitated by IoT devices.[6]

One research direction is to investigate how to design systems or build add-on products and services that prevent incidents from occurring. However, such solutions are rarely fully effective. Taking computer security as an example, developers can follow secure software engineering processes, but this does not eliminate all vulnerabilities. Similarly, firms may install add-on security products like firewalls that aim to block harmful content at the network layer or anti-virus solutions that scan attachments and block malicious files, but these cannot block all malicious activity.

Preventative solutions no doubt raise the bar for attackers, but they are never fully effective, as evidenced by the constant flow of cybersecurity breaches[7]. One can make similar arguments about other aspects of digital harm—for example, content moderation may reduce the volume of online hate, however some hateful content will inevitably be shared. This motivates understanding and developing post-incident strategies that reduce harm and support victims’ recovery.

One component of such a response strategy is risk transfer by which a third-party transfers funds following an adverse event and organises resources to help the victim with recovery. Motivated by the promise of insurance in supporting consumers, this work has identified preliminary findings and research directions for emerging technology insurance.

Understanding the key questions

The full report goes into more detail, but the table distils the core research questions and potential research designs.

Table of core research questions and potential research designs

Table of core research questions and potential research designs.
Research Question Potential research design
RQ0 What emerging technology insurance products are available to consumers? Content analysis of marketing campaigns and literature review of available products.
RQ1 What specific harms does each product cover?
RQ2 What exclusions apply?
A systematic legal analysis of policy contracts.
RQ3 How do insurers assess policyholders? Understood through interviews of underwriters.
RQ4 How are products priced? Extracting rate documents from the SERFF filing system.
RQ5 What risk reduction services are offered? Identified in marketing materials or through interviews.
RQ6 Can we measure the likelihood and impact of incidents? Typically done by analysing a corpus of incidents.
RQ7 How effective are risk prevention and reaction interventions? Through comparisons of incidence / severity following an intervention.
RQ8 What harms do consumer face that insurance could cover?
RQ9 How do individuals perceive the underlying risk?
Through open-ended, inductive research, engaging with individuals who have suffered breaches.
RQ10 How do individuals perceive emerging technology insurance? Focus-groups in which participants are introduced to products and initial reactions are collected.
RQ11 How should EmTech insurance be regulated
RQ12 Which aspects should be provided publicly?
Public-policy analysis of emerging technology specific considerations and the implications for the insurance regulatory regime.

The first question, RQ0, requires casting a broad net to identify innovative products for which supply and demand is still growing. The next two questions try to understand the legal aspects of those products, namely what is and is not covered.

The next set of questions concern how insurers maintain a healthy risk pool by overcoming the problems of adverse selection and moral hazard [8]. If insurers sold policies at a flat-rate, economic theory predicts policies would be disproportionately bought by consumers more at a risk of emerging technology harms (adverse selection), and those consumers would engage in riskier behaviour once the policy was in-place (moral hazard). This motivates research understanding how underwriters assess risk (RQ3) and how actuaries set prices (RQ4). An additional question is how claims teams support victims via post-breach risk reduction services (RQ5).

The previous questions all involve studying the market as it is. However, foundational questions in actuarial science can improve the efficiency of insurance oeprations. For example, pricing schemes must be based on an analysis of the likelihood and impact of incidents (RQ6), which can be done by identifying a corpus of incidents. Further, underwriters should look favourably upon insured who implement risk prevention and reaction activities, which can be understood as part of RQ7.

All viable insurance products need a consumer who wants to transfer the risk to an insurer. This motivates understanding the perceptions and risk exposure of individuals. Notably, it is important to distinguish the harms that consumers face (RQ8) from the perceptions of risks (RQ9), which may be out of alignment. Finally, as emerging technology insurance emerge, RQ10 can study how the products are perceived.

Finally, insurance markets are often of national importance, which motivates government interventions. For example, old age income is provided by social security In the US, and most health care is mostly provided by the publicly-funded National Health Service in the UK. RQ11 asks whether there should there be equivalent public insurance programs for emerging digital harm. Even when private insurance exists, regulators often oversee the contractual terms, pricing structure, and solvency of insurers, which motivates RQ12.

Outlook

Already insurance products exist that cover cybersecurity harms[9], identity theft[10], crypto-assets [11], and cyber bullying[12]. Yet, these policies cover a fraction of the digital harms suffered by consumers. This is due to a mixture of low-purchase rates, low limits, coverage gaps, and the evolution and growing adoption of digital systems. These observations suggest there is a potentially untapped market for emerging technology insurance.

However, insurance products cannot be conjured out of thin air. Insurers must draw on a body of knowledge about what harms individuals face, the legal expertise to draft policies to address them, the risk science to price policies and identify effective risk control measures, and so on. Potential research advances would contribute to fields including computer science, economics, law, public-policy, human-computer interaction and more. This research agenda tries to guide researchers towards the questions that could support the development and operations associated with emerging technology insurance.

References
  1. Kurt Thomas, Devdatta Akhawe, Michael Bailey, Dan Boneh, Elie Bursztein, Sunny Consolvo, Nicola Dell, Zakir Durumeric, Patrick Gage Kelley, Deepak Kumar, et al. SoK: Hate, harassment, and the changing landscape of online abuse. In IEEE Symposium on Security and Privacy, pages 247–267, Oakland, CA, May 2021. Return to article
  2. Sasha Romanosky, Rahul Telang, and Alessandro Acquisti. Do data breach disclosure laws reduce identity theft? Journal of Policy Analysis and Management, 30(2):256–286, 2011. Return to article
  3. Eric Osterweil, Angelos Stavrou, and Lixia Zhang. 21 years of distributed denial-of service: Current state of affairs. Computer, 53(7):88–92, 2020. Return to article
  4. Camelia Simoiu, Joseph Bonneau, Christopher Gates, and Sharad Goel. ”I was told to buy a software or lose my computer. I ignored it”: A study of ransomware. In Fifteenth symposium on usable privacy and security (SOUPS 2019), pages 155–174,2019. Return to article
  5. Massimo Bartoletti, Stefano Lande, Andrea Loddo, Livio Pompianu, and Sergio Serusi. Cryptocurrency scams: Analysis and perspectives. IEEE Access, 9:148353–148373, 2021. Return to article
  6. Leonie Maria Tanczer, Isabel Lopez-Neira, and Simon Parkin. ‘I feel like we’re really behind the game’: perspectives of the United Kingdom’s intimate partner violence support sector on the rise of technology-facilitated abuse. Journal of Gender-Based Violence, 5(3):431–450, 2021. Return to article
  7. Sasha Romanosky. Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2(2):121–135, 2016. Return to article
  8. Rob Thoyts. Insurance theory and practice. Routledge, 2010. Return to article
  9. Sasha Romanosky, Andreas Kuehn, Lillian Ablon, and Therese Jones. Content analysis of cyber insurance policies: howdo carriers price cyber risk? Journal of Cybersecurity, 5(1), 2019. Return to article
  10. Daniel W. Woods. Quantifying privacy harm via personal identity insurance. Computers, Privacy and Data Protection Conference (CPDP), 2022. Return to article
  11. Adam Zuckerman. Insuring crypto: The birth of digital asset insurance. U. Ill. JL Tech. & Pol’y, page 75, 2021. Return to article
  12. Nir Kshetri and Jeffrey Voas. Thoughts on cyberbullying. Computer, 52(4):64–68, 2019. Return to article
Authors

University of Edinburgh
email Email

Head of Technology Risks Research,
Programme Director and Climate & Resilience Hub
email Email

Technology and People Risks Analyst
email Email

Contact us