French on Five Approaches to Insuring Cyber Risks

Christopher C. French (The Pennsylvania State University (University Park) – Penn State Law) has posted “Five Approaches to Insuring Cyber Risks” (81 Md. L. Rev. __ (Forthcoming)) on SSRN. Here is the abstract:

Cyber risks are some of the most dangerous risks of the twenty-first century. Many types of businesses, including retail stores, healthcare entities and financial institutions, as well as government entities, are the targets of cyber attacks. The simple reality is that no computer security system is completely safe. They all can be breached if the hackers are skilled enough and determined. Consequently, the worldwide damages caused by cyber attacks are predicted to reach $10.5 trillion by 2025. Insuring such risks is a monumental task.

The cyber insurance market currently is fragmented with hundreds of insurers selling their own cyber risk insurance policies that cover different types of cyber risks. This means the purchasers of cyber insurance must be experts in both insurance and cyber security in order to make a knowledgeable purchase. And, even knowledgeable purchasers of cyber insurance can only obtain limited coverage for cyber risks. This is because the insurance is sold on a named peril, as opposed to all-risk, basis and the policies contain numerous exclusions. Cyber policies also have relatively low policy limits in comparison to other lines of insurance and the enormity of the risks presented.

This Article explores ways the cyber insurance market could be improved. In doing so, it analyzes the current cyber insurance market, including the history of cyber insurance and the challenges that insuring cyber risks present. The Article then offers five different approaches to insuring cyber risks moving forward that address many of the problems with the current cyber insurance market. Ultimately, the article concludes the fifth approach, the novel “all-risk private-public” approach, would be the best one.