. . "2021-01-03" . . . "Cyber Security Incentives and the Role of Cyber Insurance"^^ . . . . . . . . . "This paper outlines the opportunities of and challenges in using cyber insurance to incentivise cyber security practices. Findings are based\r\non a review of existing industry reports and academic research.\r\nThe paper forms part of an independent research project by RUSI and the University of Kent that provides actionable policy recommendations on how to incentivise cyber security through cyber insurance. They derive from a series of interviews and workshops with insurers, businesses, cyber security providers, government and other key stakeholders.\r\nThe current evidence about the ability of cyber insurance to improve cyber security practices is limited. While cyber insurers may be able\r\nto provide expertise to policyholders and increase their awareness of cyber risks, much of the existing evidence base is largely theoretical\r\nand there is still considerable scepticism from customers about the benefits of cyber insurance.\r\nThe uptake of cyber insurance, particularly by small to medium enterprises (SMEs), remains low. Existing research suggests that some of the overarching factors explaining this are: the high cost of policies and the difficulties insurers face in pricing premiums appropriately;\r\nconfusion over what types of incidents insurance policies cover (and the issue of \u2018silent cyber\u2019); and a lack of understanding of risks\r\nstemming from cyber incidents.\r\nThere is the potential for the cyber insurance market to learn from other insurance markets to increase uptake, although understanding the depth of these connections requires further enquiry.\r\nThe paper concludes by identifying several policy questions raised by the existing literature. These questions serve to guide the next stage of the project and to prompt new conversations about how cyber insurance might better incentivise cyber security practices."^^ . . . . . . . . . . . . . .