Printed from https://ideas.repec.org/a/pal/gpprii/v50y2025i2d10.1057_s41288-024-00326-z.html

The effect of corporate risk management on cyber risk mitigation: Evidence from the insurance industry

Author

  • Kwangmin Jung (Pohang University of Science and Technology (POSTECH))
  • Chanjin Kim (POSTECH)
  • Jiyeon Yun (California State University)

Abstract

We examine how corporate risk management can be used to address a firm’s vulnerability to cyber risk. We use a large, novel dataset on cyber risk and corporate risk management to analyse US insurers’ cyber loss events during the period of 2000–2021. Our analysis includes information on whether insurers have implemented an enterprise risk management (ERM) programme and whether they report applying cyber risk management (CRM). The results illustrate that the implementation of CRM measures may have no significant effect on cyber risk mitigation. However, we determine that the likelihood (frequency) of a cyber loss event decreases by 3.9% (6.8%) as ERM programmes mature year on year. We also find that an insurer can benefit from implementing both CRM and ERM through a lowered event likelihood (frequency) of 3.8 percentage points on average (3.7 percentage points) per year compared to solely implementing an ERM programme.

Suggested Citation

  • Kwangmin Jung & Chanjin Kim & Jiyeon Yun, 2025. "The effect of corporate risk management on cyber risk mitigation: Evidence from the insurance industry," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 50(2), pages 259-301, April.
  • Handle: RePEc:pal:gpprii:v:50:y:2025:i:2:d:10.1057_s41288-024-00326-z
    DOI: 10.1057/s41288-024-00326-z

    Download full text from publisher

    File URL: http://link.springer.com/10.1057/s41288-024-00326-z
    File Function: Abstract
    Download Restriction: Access to full text is restricted to subscribers.

    References listed on IDEAS

    1. Eling, Martin & Jung, Kwangmin, 2018. "Copula approaches for modeling cross-sectional dependence of data breach losses," Insurance: Mathematics and Economics, Elsevier, vol. 82(C), pages 167-180.
    2. Iñaki Aldasoro & Leonardo Gambacorta & Paolo Giudici & Thomas Leach, 2023. "Operational and Cyber Risks in the Financial Sector," International Journal of Central Banking, International Journal of Central Banking, vol. 19(5), pages 340-402, December.
    3. James J. Heckman, 1976. "The Common Structure of Statistical Models of Truncation, Sample Selection and Limited Dependent Variables and a Simple Estimator for Such Models," NBER Chapters, in: Annals of Economic and Social Measurement, Volume 5, number 4, pages 475-492, National Bureau of Economic Research, Inc.
    4. Donald Pagach & Richard Warr, 2011. "The Characteristics of Firms That Hire Chief Risk Officers," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 78(1), pages 185-211, March.
    5. Nadine Gatzert & Madeline Schubert, 2022. "Cyber risk management in the US banking and insurance industry: A textual and empirical analysis of determinants and value," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 89(3), pages 725-763, September.
    6. Thomas R. Berry-Stölzle & Jianren Xu, 2018. "Enterprise Risk Management and the Cost of Capital," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 85(1), pages 159-201, March.
    7. André P. Liebenberg & Robert E. Hoyt, 2003. "The Determinants of Enterprise Risk Management: Evidence From the Appointment of Chief Risk Officers," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 6(1), pages 37-52, February.
    8. Kamiya, Shinichi & Kang, Jun-Koo & Kim, Jungmin & Milidonis, Andreas & Stulz, René M., 2021. "Risk management, firm reputation, and the impact of successful cyberattacks on target firms," Journal of Financial Economics, Elsevier, vol. 139(3), pages 719-749.
    9. Eli Amir & Shai Levi & Tsafrir Livne, 2018. "Do firms underreport information on cyber-attacks? Evidence from capital markets," Review of Accounting Studies, Springer, vol. 23(3), pages 1177-1206, September.
    10. Froot, Kenneth A & Scharfstein, David S & Stein, Jeremy C, 1993. "Risk Management: Coordinating Corporate Investment and Financing Policies," Journal of Finance, American Finance Association, vol. 48(5), pages 1629-1658, December.
    11. Eckles, David L. & Hoyt, Robert E. & Miller, Steve M., 2014. "Reprint of: The impact of enterprise risk management on the marginal cost of reducing risk: Evidence from the insurance industry," Journal of Banking & Finance, Elsevier, vol. 49(C), pages 409-423.
    12. Muhammed Altuntas & Thomas R. Berry-Stölzle & J. David Cummins, 2021. "Enterprise risk management and economies of scale and scope: evidence from the German insurance industry," Annals of Operations Research, Springer, vol. 299(1), pages 811-845, April.
    13. J. Scott Long & Jeremy Freese, 2006. "Regression Models for Categorical Dependent Variables using Stata, 2nd Edition," Stata Press books, StataCorp LLC, edition 2, number long2.
    14. Heckman, James, 2013. "Sample selection bias as a specification error," Applied Econometrics, Russian Presidential Academy of National Economy and Public Administration (RANEPA), vol. 31(3), pages 129-137.
    15. Sara A. Lundqvist & Anders Vilhelmsson, 2018. "Enterprise Risk Management and Default Risk: Evidence from the Banking Industry," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 85(1), pages 127-157, March.
    16. Eckles, David L. & Hoyt, Robert E. & Miller, Steve M., 2014. "The impact of enterprise risk management on the marginal cost of reducing risk: Evidence from the insurance industry," Journal of Banking & Finance, Elsevier, vol. 43(C), pages 247-261.
    17. Aldasoro, Iñaki & Gambacorta, Leonardo & Giudici, Paolo & Leach, Thomas, 2022. "The drivers of cyber risk," Journal of Financial Stability, Elsevier, vol. 60(C).
    18. Christine M. Cumming & Beverly Hirtle, 2001. "The challenges of risk management in diversified financial companies," Economic Policy Review, Federal Reserve Bank of New York, issue Mar, pages 1-17.
    19. Martin Eling & Kwangmin Jung, 2022. "Heterogeneity in cyber loss severity and its impact on cyber risk measurement," Risk Management, Palgrave Macmillan, vol. 24(4), pages 273-297, December.
    20. Martin F. Grace & J. Tyler Leverty & Richard D. Phillips & Prakash Shimpi, 2015. "The Value of Investing in Enterprise Risk Management," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 82(2), pages 289-316, June.
    21. Eling, Martin & Jung, Kwangmin & Shim, Jeungbo, 2022. "Unraveling heterogeneity in cyber risks using quantile regressions," Insurance: Mathematics and Economics, Elsevier, vol. 104(C), pages 222-242.
    22. Eling, Martin & Wirfs, Jan, 2019. "What are the actual costs of cyber risk events?," European Journal of Operational Research, Elsevier, vol. 272(3), pages 1109-1119.
    23. Alexander Bohnert & Nadine Gatzert & Robert E. Hoyt & Philipp Lechner, 2019. "The drivers and value of enterprise risk management: evidence from ERM ratings," The European Journal of Finance, Taylor & Francis Journals, vol. 25(3), pages 234-255, February.
    24. Kwangmin Jung, 2021. "Extreme Data Breach Losses: An Alternative Approach to Estimating Probable Maximum Loss for Data Breach Risk," North American Actuarial Journal, Taylor & Francis Journals, vol. 25(4), pages 580-603, November.
    25. Philipp Lechner & Nadine Gatzert, 2018. "Determinants and value of enterprise risk management: empirical evidence from Germany," The European Journal of Finance, Taylor & Francis Journals, vol. 24(10), pages 867-887, July.
    26. Robert E. Hoyt & Andre P. Liebenberg, 2011. "The Value of Enterprise Risk Management," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 78(4), pages 795-822, December.
    27. Eling, Martin & Loperfido, Nicola, 2017. "Data breaches: Goodness of fit, pricing, and risk measurement," Insurance: Mathematics and Economics, Elsevier, vol. 75(C), pages 126-136.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Fung, Derrick W.H. & Lee, Wing Yan & Yang, Charles C., 2025. "Surviving the storm: Evaluating the role of enterprise risk management in property and liability insurers' performance during the COVID-19 pandemic," Journal of Corporate Finance, Elsevier, vol. 91(C).
    2. Evan M. Eastman & Jianren Xu, 2021. "Market reactions to enterprise risk management adoption, incorporation by rating agencies, and ORSA Act passage," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(2), pages 151-180, June.
    3. Alessandra Allini & Raffaela Casciello & Marco Maffei & Martina Prisco, 2022. "The national culture as a determinant of ERM quality: Empirical evidence in the European banking context," MANAGEMENT CONTROL, FrancoAngeli Editore, vol. 2022(1), pages 79-102.
    4. Sorin Gabriel Anton & Anca Elena Afloarei Nucu, 2020. "Enterprise Risk Management: A Literature Review and Agenda for Future Research," JRFM, MDPI, vol. 13(11), pages 1-22, November.
    5. Nguyen, Duc Khuong & Vo, Dinh-Tri, 2020. "Enterprise risk management and solvency: The case of the listed EU insurers," Journal of Business Research, Elsevier, vol. 113(C), pages 360-369.
    6. Chen, Yu-Lun & Chuang, Yi-Wei & Huang, Hong-Gia & Shih, Jhuan-Yu, 2020. "The value of implementing enterprise risk management: Evidence from Taiwan’s financial industry," The North American Journal of Economics and Finance, Elsevier, vol. 54(C).
    7. Muhammed Altuntas & Thomas R. Berry-Stölzle & J. David Cummins, 2021. "Enterprise risk management and economies of scale and scope: evidence from the German insurance industry," Annals of Operations Research, Springer, vol. 299(1), pages 811-845, April.
    8. Nadine Gatzert & Madeline Schubert, 2022. "Cyber risk management in the US banking and insurance industry: A textual and empirical analysis of determinants and value," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 89(3), pages 725-763, September.
    9. Sylvester Senyo Horvey & Jones Odei-Mensah, 2024. "Enterprise risk management and performance of the South African insurers: the moderating role of corporate governance," Risk Management, Palgrave Macmillan, vol. 26(4), pages 1-28, December.
    10. Danijela Miloš Sprčić & Marina Mešin Žagar & Željko Šević & Mojca Marc, 2016. "Does enterprise risk management influence market value – A long-term perspective," Risk Management, Palgrave Macmillan, vol. 18(2), pages 65-88, August.
    11. Al-Amri, Khalid & Davydov, Yevgeniy, 2016. "Testing the effectiveness of ERM: Evidence from operational losses," Journal of Economics and Business, Elsevier, vol. 87(C), pages 70-82.
    12. Matteo Malavasi & Gareth W. Peters & Stefan Treuck & Pavel V. Shevchenko & Jiwook Jang & Georgy Sofronov, 2024. "Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications," Papers 2410.05297, arXiv.org.
    13. Ivana Dvorski Lacković & Nataša Kurnoga & Danijela Miloš Sprčić, 2022. "Three-factor model of Enterprise Risk Management implementation: exploratory study of non-financial companies," Risk Management, Palgrave Macmillan, vol. 24(2), pages 101-122, June.
    14. Milos Sprcic, Danijela & Pecina, Ena & Orsag, Silvije, 2017. "Enterprise Risk Management Practices In Listed Croatian Companies," UTMS Journal of Economics, University of Tourism and Management, Skopje, Macedonia, vol. 8(3), pages 219-230.
    15. Yun, Jiyeon, 2023. "The effect of enterprise risk management on corporate risk management," Finance Research Letters, Elsevier, vol. 55(PB).
    16. Therese R. Viscelli & Mark S. Beasley & Dana R. Hermanson, 2016. "Research Insights About Risk Governance," SAGE Open, vol. 6(4), pages 21582440166, November.
    17. Matteo Malavasi & Gareth W. Peters & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang & Georgy Sofronov, 2021. "Cyber Risk Frequency, Severity and Insurance Viability," Papers 2111.03366, arXiv.org, revised Mar 2022.
    18. Dionne, Georges & El Hraiki, Rayane & Mnasri, Mohamed, 2023. "Determinants and real effects of joint hedging: An empirical analysis of US oil and gas producers," Energy Economics, Elsevier, vol. 124(C).
    19. Ben Kajwang, 2022. "Theoretical review of enterprise risk management culture drivers for insurance firms in Kenya," International Journal of Research in Business and Social Science (2147-4478), Center for the Strategic Studies in Business and Finance, vol. 11(5), pages 210-217, July.
    20. Simon Ashby & Trevor Buck & Stephanie Nöth-Zahn & Thomas Peisl, 2018. "Emerging IT Risks: Insights from German Banking," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 43(2), pages 180-207, April.
