A featured contribution from Leadership Perspectives, a curated forum for insurance leaders, nominated by our subscribers and vetted by the Insurance Business Review Editorial Board.

Helaba New York

Rumen Ketipov, Information Security Management

The Cybersecurity Insurance – Just Risk Transfer or Strategic Decision?

Rumen Ketipov

Cognitive Systems Specialist

Dr. Rumen Ketipov brings over 15 years of expertise spanning cybersecurity, IT, and regulated financial environments across the U.S. and Europe. He currently works as a cybersecurity specialist in the financial sector in New York. Rumen holds a Master’s degree in Information Science, an MBA with a focus on Finance and Strategic Management, and a PhD in Computer Science. He has authored numerous influential articles on cybersecurity, cognitive informatics, and economics, establishing himself as a thought leader at the intersection of technology and business.

The New Digital Reality: Complexity, Connectivity, and Emerging Threats

We live and do business in an uncertain world, where forces such as globalization, turbulence in the geopolitical landscape and business environment, increased regulation, and, not least, the rapid and continuous development of technology and growing dependency on suppliers create significant uncertainty. Whether small or large, private or public, domestic or international, enterprises today operate in a risk-filled environment and need to invest extensively in technologies to counter cyber threats. However, even with the most advanced defenses, malicious actors can still gain access to sensitive data and critical infrastructure.

The rapid development of Artificial Intelligence offers advanced capabilities in cyber defense, but its integration also introduces new risks. Threat actors may target training data, model parameters, or deployed systems, compromising the core principles of information security - confidentiality, integrity, and availability.

All this is reflected in rising cybercrime statistics, including increased data breaches, ransomware attacks, online scams, and disruptions of third-party services. Against this backdrop, industry data from insurers indicate that the cyber insurance market will remain one of the fastest-growing segments of the global insurance sector.

The nature of cyber insurance

To keep their businesses operating and profitable in this complex and risky digital environment, cybersecurity managers and executives need to manage their emerging risk exposure. Generally, a cyber risk can be accepted, within the entity’s risk appetite and tolerance; avoided, by altering operations or processes; mitigated, through appropriate technical or organizational measures; or transferred. In practice, a combination of these approaches is possible and is often the practical choice in risk-steering decisions.

The purpose of cybersecurity insurance (cyber insurance) is to transfer a policyholder’s financial liability arising from cybersecurity and privacy events to an insurance provider. However, it is important to note that cyber insurance is not a replacement for a strong cybersecurity strategy and posture; rather, it is intended to cover risks that exist after efforts have been made to minimize them.

How does cyber insurance work?

The cybersecurity insurance process works in a similar way to other forms of insurance. Cyber insurance policies often include first-party coverage, which refers to losses that directly impact an enterprise, and third-party coverage, which refers to losses suffered by external parties. A cyber insurance offer typically consists of:

• the annual premium - the policy price;

• the sum insured - the total amount of coverage;

• the deductible - the amount the policyholder must pay out of pocket before insurance coverage applies;

• exclusions.

Exclusions

Exclusions typically include known circumstances, patching and service accounts, outages due to terrorism, natural disasters, and contractual neglect with third-party service providers. However, offers may vary based on the nature of the insurer’s business, the complexity of the IT infrastructure, and the complexity of the service supplier’s network, and there may also be optional coverage available.

To evaluate the economic effectiveness of cyber insurance, a quantitative assessment is required.

Return on Investment – a practical investment evaluation

The concept of calculating Return on Investment (ROI) can generally be applied to the evaluation of any investment, and information security is no exception. However, since cybersecurity is generally not an investment that generates a profit but rather one that prevents losses, the Return on Security Investment (ROSI) model is a suitable method for this purpose. The model calculates how much potential loss a cybersecurity investment can avert. The monetary value of the investment is therefore compared with the monetary value of the cyber risk reduction it buys:

 

In order to calculate ROSI, the Annual Loss Expectancy (ALE) must be determined, which is a function of the Single Loss Expectancy (SLE) and the Annual Rate of Occurrence (ARO) (ALE = SLE × ARO). In the context of cyber insurance, the mitigation ratio reflects the proportion of expected loss (ALE) covered by the policy, accounting for exclusions, which results in the following ROSI formula:

 
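As an added worked example (not from the article), the following Python applies the standard ROSI formula, ROSI = (ALE × mitigation ratio − cost) / cost, to a constructed cyber insurance policy, with the mitigation ratio derived from the deductible, the sum insured and an exclusion share. Treating the sum insured as a per-event cap and the annual premium as the investment cost are assumptions, and all figures are constructed.

```python
# Added worked example (not the article's own code): ROSI for a cyber insurance
# policy, using ROSI = (ALE x mitigation ratio - cost) / cost with the annual
# premium as the cost. Per-event cap and exclusion share are assumptions.
from dataclasses import dataclass


@dataclass
class CyberPolicy:
    premium: float          # annual policy price (the "cost" of the investment)
    sum_insured: float      # total coverage, applied here as a per-event cap (assumption)
    deductible: float       # paid out of pocket before coverage applies
    excluded_share: float   # share of expected loss falling under exclusions, 0..1


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, as defined in the article."""
    return sle * aro


def covered_loss_per_event(policy: CyberPolicy, sle: float) -> float:
    """Amount the insurer pays for one event of size SLE after deductible and limit."""
    above_deductible = max(0.0, sle - policy.deductible)
    return min(above_deductible, policy.sum_insured)


def mitigation_ratio(policy: CyberPolicy, sle: float, aro: float) -> float:
    """Proportion of ALE the policy covers, net of exclusions (0 when ALE is 0)."""
    ale = annual_loss_expectancy(sle, aro)
    if ale <= 0:
        return 0.0
    covered_ale = covered_loss_per_event(policy, sle) * aro * (1.0 - policy.excluded_share)
    return covered_ale / ale


def rosi(policy: CyberPolicy, sle: float, aro: float) -> float:
    """(risk reduction - premium) / premium; negative means the premium exceeds the expected payout."""
    risk_reduction = annual_loss_expectancy(sle, aro) * mitigation_ratio(policy, sle, aro)
    return (risk_reduction - policy.premium) / policy.premium


# Constructed scenario: a $500k incident expected every 2.5 years (ARO = 0.4).
POLICY = CyberPolicy(premium=30_000, sum_insured=1_000_000, deductible=50_000, excluded_share=0.10)

if __name__ == "__main__":
    print(f"ALE: {annual_loss_expectancy(500_000, 0.4):,.0f}")                 # 200,000
    print(f"mitigation ratio: {mitigation_ratio(POLICY, 500_000, 0.4):.2f}")   # 0.81
    print(f"ROSI: {rosi(POLICY, 500_000, 0.4):.2f}")                            # 4.40
    # Frequent events below the deductible: the policy pays nothing, so ROSI is -1.
    print(f"ROSI, small events: {rosi(POLICY, 40_000, 2.0):.2f}")              # -1.00
```

The second scenario shows the first limitation discussed below in practice: the same premium yields a very different ROSI depending on the SLE and ARO estimates fed in.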

Limitations of ROSI

While ROSI is a practical evaluation approach for cybersecurity investments, like every model, it also has its limitations:

• Estimation of key inputs (especially SLE and ARO) is often subjective and data-limited, which can significantly affect the reliability of the final ROSI value.

• Without considering extreme damage scenarios, the basic ALE estimation provides only a limited appraisal of the expected loss.

• ROSI generally does not fully capture intangible impacts, such as reputational damage, loss of customer trust, or long-term market effects.

• The model assumes independence of risk events, while in practice, cyber incidents can be correlated (e.g., chain effects).

Several other advanced models and probabilistic techniques can be applied for this purpose, such as Monte Carlo simulation for Value at Risk estimation, loss distribution modeling, and machine learning models. However, each model has its disadvantages, and the most appropriate approach depends on the company’s business model, scope, strategic objectives, risk appetite, and risk tolerance.

Beyond the Risk Transfer

Real-world cyber risk modeling is rarely linear. In today’s highly complex digital environment, organizations must account for interconnected risk chains, third-party dependencies, and simultaneous systemic incidents driven by expanding Industry 4.0 interdependencies and massive, heterogeneous data flows. As risks become increasingly interdependent and can occur simultaneously, cybersecurity can no longer rely on technical controls alone. It requires a multifaceted approach in which risk transfer plays a key role, and the economic efficiency of cyber insurance must be assessed both quantitatively and qualitatively.

In addition to risk transfer, cyber insurance provides several key benefits, including access to cybersecurity specialists, emergency response teams, and legal expertise. It also offers peace of mind, giving organizations confidence that they are better prepared to respond to cyber incidents. Furthermore, it can provide competitive differentiation by supporting contractual requirements and strengthening market positioning.

Given the complex business and technological environment, cyber insurance is likely to increasingly shift from a pure risk transfer mechanism to a strategic decision with broader organizational impact. We only see what we know, and we measure only what can be appraised - yet much of the risk remains unseen.

The articles from these contributors are based on their personal expertise and viewpoints, and do not necessarily reflect the opinions of their employers or affiliated organizations.