Tom Baker (University of Pennsylvania Carey Law School) and Anja Shortland (King’s College, London) have posted “The Government Behind Insurance Governance: Lessons for Ransomware” (Regulation and Governance, forthcoming) on SSRN. Here is the abstract:
The insurance as governance literature focuses on the ability of private enterprises to collectively regulate, pool, and distribute risks. This paper analyzes how governments support insurance markets to maintain insurability and limit risks to society. We propose a new conceptual framework grouping government interventions into three dimensions: regulation of risky activity, public investment in risk reduction, and co-insurance. We apply this framework to six case studies, describing insurance markets’ reliance on public support in more analytically precise terms. We analyze how mature insurance markets overcame insurability challenges akin to those currently presented by extortive cybercrime. Private governance struggled when markets grew too big for informal coordination or when (tail) risks escalated. Government interventions vary widely. Some governments prioritize supporting economic activity while others concentrate on containing risks. Governments also choose between risk reduction and ex post socialization of losses. We apply these insights to the market for ransomware insurance, discussing the merits and potential hazards of current proposals for government intervention.
Kyle D. Logue (University of Michigan Law School) & Adam B. Shniderman (University of Michigan Law School) have posted “The Case for Banning (and Mandating) Ransomware Insurance” on SSRN. Here is the abstract:
Ransomware attacks are becoming increasingly pervasive and disruptive. Not only are they shutting down (or at least “holding up”) businesses and local governments all around the country, they are disrupting institutions in many sectors of the U.S. economy — from school systems, to medical facilities, to critical elements of the U.S. energy infrastructure as well as the food supply chain. Ransomware attacks are also growing more frequent and the ransom demands more exorbitant. Those ransom payments are increasingly being covered by insurance. That insurance offers coverage for a variety of cyber-related losses, including many of the costs arising out of ransomware attacks, such as the costs of hiring expert negotiators, the costs of recovering data from backups, the legal liabilities for exposing sensitive customer information, and the ransom payments themselves. Some commentators have expressed concern with this market phenomenon. Specifically, the concern is that the presence of insurance is making the ransomware problem worse, on the following theory: Because there is ransomware insurance that covers ransom payments, and because paying the ransom is often far cheaper than paying the restoration costs and business interruption costs also covered under the policy, there is an increased tendency to pay the ransom — and a willingness to pay higher amounts. This fact, known by the criminals, increases their incentive to engage in ransomware attacks in the first place. And the demand for insurance increases; and the cycle continues.
This Article demonstrates that the picture is not as simple as this story would suggest. Insurance offers a variety of pre-breach and post-breach services that are aimed at reducing the likelihood and severity of a ransomware attack. Thus, over the long term, cyber insurance has the potential to lower ransomware-related costs. But we are not there yet. This Article discusses ways to help ensure that ransomware insurance is a force for good. Among our suggestions are a limited ban on indemnity for ransomware payments with exceptions for cases involving threats to life and limb, coupled with a mandate that property/casualty insurers provide coverage for the other costs of ransomware attacks. We also explain how a government regulator could serve a coordinating function to help cyber insurers internalize the externalities associated with the insurers’ decisions to reimburse ransomware payments, a role that is played by reinsurers in the context of kidnap-and-ransom insurance.
Shauhin A. Talesh (University of California, Irvine School of Law) and Bryan Cunningham (Cybersecurity Policy & Research Institute) have posted “The Technologization of Insurance: An Empirical Analysis of Big Data and Artificial Intelligence’s Impact on Cybersecurity and Privacy” (Utah Law Review, 2021, forthcoming) on SSRN. Here is the abstract:
This article engages one of the biggest issues debated among privacy and technology scholars by offering an empirical examination of how big data and emerging technologies influence society. Although scholars explore the ways that code, technology, and information regulate society, existing research primarily focuses on the theoretical and normative challenges of big data and emerging technologies. To our knowledge, there has been very little empirical analysis of precisely how big data and technology influence society. This is not due to a lack of interest but rather, the lack of disclosure by data providers and corporations that collect and use these technologies. Specifically, we focus on one of the biggest problems for businesses and individuals in society: cybersecurity risks and data breach events. Due to the lack of stringent legal regulations and preparation by organizations, insurance companies are stepping in and offering not only cyber insurance but also risk management services aimed at trying to improve organizations’ cybersecurity profile and reduce their risk. Drawing from sixty interviews of the cyber insurance field, a quantitative analysis of a “big data” set we obtained from a data provider, and observations at cyber insurance conferences, we explore the effects of what we refer to as the “technologization of insurance,” the process whereby technology influences and shapes the delivery of insurance. Our study makes two primary findings. First, we show how big data, artificial intelligence, and emerging technologies are transforming the manner in which insurers underwrite, price insurance, and engage in risk management. Second, we show how the impact of these technological interventions is largely symbolic. Insurtech innovations are ineffective at enhancing organizations’ cybersecurity, the role of insurers as regulators and helping insurers manage uncertainty.
We conclude by offering recommendations on how society can help technology to assure algorithmic justice and greater security of consumer information as opposed to greater efficiency and profit.
Christopher C. French (The Pennsylvania State University (University Park) – Penn State Law) has posted “Five Approaches to Insuring Cyber Risks” (81 Md. L. Rev. __ (Forthcoming)) on SSRN. Here is the abstract:
Cyber risks are some of the most dangerous risks of the twenty-first century. Many types of businesses, including retail stores, healthcare entities and financial institutions, as well as government entities, are the targets of cyber attacks. The simple reality is that no computer security system is completely safe. They all can be breached if the hackers are skilled enough and determined. Consequently, the worldwide damages caused by cyber attacks are predicted to reach $10.5 trillion by 2025. Insuring such risks is a monumental task.
The cyber insurance market currently is fragmented with hundreds of insurers selling their own cyber risk insurance policies that cover different types of cyber risks. This means the purchasers of cyber insurance must be experts in both insurance and cyber security in order to make a knowledgeable purchase. And, even knowledgeable purchasers of cyber insurance can only obtain limited coverage for cyber risks. This is because the insurance is sold on a named peril, as opposed to all-risk, basis and the policies contain numerous exclusions. Cyber policies also have relatively low policy limits in comparison to other lines of insurance and the enormity of the risks presented.
This Article explores ways the cyber insurance market could be improved. In doing so, it analyzes the current cyber insurance market, including the history of cyber insurance and the challenges that insuring cyber risks present. The Article then offers five different approaches to insuring cyber risks moving forward that address many of the problems with the current cyber insurance market. Ultimately, the article concludes the fifth approach, the novel “all-risk private-public” approach, would be the best one.