cumulated risk – at least to a certain extent – because market participants can diversify their investment between asset classes. There is some experience with cat bonds in flood and natural-disaster insurance, but no experience at all with exploit derivatives, as the latter are more specific to IT. A difficulty in applying cat bonds to IT might lie in the moral hazard problem: speculators might find themselves in situations where causing or commissioning a cyber-attack would improve their financial wealth. Conventional insurance can deal with moral hazard by strictly limiting cat bond pay-out functions to purely natural perils.

Option 5: Insurable infrastructure design

The interdependent nature of cyber-risk means that insurability and incentives to buy insurance are determined by the technical environment, such as network topology, configuration and protocols [90, 108, 24, 14, 16, 17]. While Bolot and Lelarge's recommendation: '[N]etwork algorithms and network architecture might be designed or re-evaluated according to their ability to help implement desirable economic policies, such as the deployment of insurance' remains rather vague, concrete measures to improve insurability can be taken by increasing diversity. For example, an ISP that was totally dependent on Cisco routers should logically pay higher premiums than one which had diversified by purchasing Juniper equipment as well. Formal economic models show that equilibrium premiums for diverse systems are below those of homogeneous ones even if the unconditional probability of failure of each diverse node is higher than the unconditional probability of failure of the homogeneous nodes. System diversity should be a policy maker's goal not only for reasons of fair competition but also to increase robustness and resilience.
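A small numeric illustration of the diversity claim above, added here and not taken from the report or the formal models it refers to. Assumptions: every node on a platform fails together, platforms fail independently, the insurer prices with the standard-deviation premium principle, and all node counts, probabilities and loadings are constructed values.

```python
# Added illustration (not from the report): insuring a monoculture vs. a diverse network.
from itertools import product
from math import sqrt


def loss_distribution(platform_sizes, p_fail):
    """Exact distribution {failed_nodes: probability}.

    Assumptions: a platform-wide flaw takes down every node on that platform
    at once, and platforms fail independently, each with probability p_fail.
    """
    dist = {}
    for outcome in product((0, 1), repeat=len(platform_sizes)):
        prob, loss = 1.0, 0
        for failed, size in zip(outcome, platform_sizes):
            prob *= p_fail if failed else 1.0 - p_fail
            loss += size * failed
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def moments(dist):
    """Mean and standard deviation of the number of failed nodes."""
    mean = sum(loss * p for loss, p in dist.items())
    var = sum((loss - mean) ** 2 * p for loss, p in dist.items())
    return mean, sqrt(var)


def premium(dist, loading):
    """Standard-deviation premium principle: E[L] + loading * sd(L)."""
    mean, sd = moments(dist)
    return mean + loading * sd


def break_even_loading(dist_a, dist_b):
    """Risk loading at which both networks cost the same to insure."""
    (mean_a, sd_a), (mean_b, sd_b) = moments(dist_a), moments(dist_b)
    return (mean_b - mean_a) / (sd_a - sd_b)


# Constructed scenarios: 100 nodes on one platform (2% failure probability)
# vs. 50 + 50 nodes on two platforms that are each less reliable (3%).
HOMOGENEOUS = loss_distribution([100], 0.02)
DIVERSE = loss_distribution([50, 50], 0.03)

if __name__ == "__main__":
    for name, dist in (("homogeneous", HOMOGENEOUS), ("diverse", DIVERSE)):
        print(name, "P(total outage)=%.4f" % dist[100], "premium=%.2f" % premium(dist, 1.0))
    print("break-even loading: %.3f" % break_even_loading(HOMOGENEOUS, DIVERSE))
```

With these constructed numbers the diverse network is cheaper to insure only once the risk loading exceeds roughly 0.52; below that, its higher expected loss dominates.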
Conclusions on cyber-insurance

If we order the options by priority, then the ideal long-term goal is building an insurable infrastructure, or at least seeing to it that insurability is not harmed by infrastructure design. Second, better financial instruments to facilitate risk transfer would be useful; policy makers should ensure that their use isn't impeded by the regulatory and supervision framework. Making cyber-insurance compulsory would be a heavyweight intervention in an immature market and should therefore be avoided. (It might though be a workable last resort in specific sectors should they come under pressure from cyber-incidents in the future.) The provision of government re-insurance is expensive and is rather likely to create misaligned incentives; and premium differentiation is so essential for cyber-insurance that any attempt to fix or influence premiums should be strictly avoided.

We conclude the chapter on cyber-insurance without a straight recommendation because we see that the market is becoming more and more competitive over time. And we believe that some of our other recommendations, if properly implemented, will help the market to develop anyway.