This study analyzed six years of 10-K filings from 45 firms affected by ransomware, labeling 6,282 cybersecurity-related statements. Findings show disclosures increasingly focus on prospective risks and mitigation strategies, but fewer than half mention incident responses, revealing a lack of transparency. Firms often fail to connect potential risks to actual damages, highlighting limited awareness of ransomware threats.
"In the current market practice, many #cyberinsurance products offer a coverage bundle for losses arising from various types of incidents, such as #databreaches and #ransomwareattacks, and the coverage for each incident type comes with a separate limit and deductible. Although this gives prospective cyber insurance buyers more flexibility in customizing the coverage and better manages the #risk exposures of sellers, it complicates the decision-making process in determining the optimal amount of risks to retain and transfer for both parties. This paper aims to build an economic foundation for these incident-specific cyber insurance products with a focus on how incident-specific indemnities should be designed for achieving #pareto optimality for both the #insurance seller and buyer. Real data on #cyberincidents is used to illustrate the feasibility of this approach. Several implementation improvement methods for practicality are also discussed."
"We compile a comprehensive dataset of adverse #cyberevents experienced by #us firms. We then categorize #cyberincidents by their detrimental impacts on firms' assets and operations, e.g., #datatheft, #ransomwareattacks, #securitybreaches, #denialofservice attacks, and show that firms suffer significant value losses across multiple cyber categories."