Why cyberinsurance has not improved cybersecurity and what governments can do to make it a more effective tool for cyber risk management.

As cybersecurity incidents—ranging from data breaches and denial-of-service attacks to computer fraud and ransomware—become more common, a cyberinsurance industry has emerged to provide coverage for any resulting liability, business interruption, extortion payments, regulatory fines, or repairs. In this book, Josephine Wolff offers the first comprehensive history of cyberinsurance, from the early “Internet Security Liability” policies in the late 1990s to the expansive coverage offered today. Drawing on legal records, government reports, cyberinsurance policies, and interviews with regulators and insurers, Wolff finds that cyberinsurance has not improved cybersecurity or reduced cyber risks. 
 
Wolff examines the development of cyberinsurance, comparing it to other insurance sectors, including car and flood insurance; explores legal disputes between insurers and policyholders about whether cyber-related losses were covered under policies designed for liability, crime, or property and casualty losses; and traces the trend toward standalone cyberinsurance policies and government efforts to regulate and promote the industry. Cyberinsurance, she argues, is ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite—to disincentivize such payments to make ransomware less profitable. An industry built on modeling risk has found itself confronted by new technologies before the risks posed by those technologies can be fully understood.
 
Series Editor's Introduction ix
Acknowledgments xiii
1 Introduction: A Market-Driven Approach to Cybersecurity 1
I HISTORY OF CYBERINSURANCE
2 Breach on the Beach: Origins of Cyberinsurance 27
II CYBERSECURITY CLAIMS UNDER NON-CYBER COVERAGE
3 "The Hackers Did This": Data Breach Lawsuits and Commercial General Liability Insurance 65
4 "The Point of No Return": Computer Fraud Insurance and Defining Cybercrime 87
5 "Insurrection, Rebellion, Revolution, Riot": NotPetya, Property Insurance, and War Exclusions 111
III CYBER COVERAGE AND REGULATION
6 "The Big Kahuna": Stand-Alone Cyber Coverage 153
7 "What Is the Point of Collecting Data?": Global Growth of Cyberinsurance and the Role of Policymakers 181
8 Conclusion: Is Cyber Risk Different? 215
Notes 227
References 249
Index 265
Josephine Wolff is Associate Professor of Cybersecurity Policy at the Fletcher School of Law and Diplomacy at Tufts University and the author of You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (MIT Press). Her writing on cybersecurity has appeared in the New York Times, the Washington Post, Wired, and Slate.
 

About

Why cyberinsurance has not improved cybersecurity and what governments can do to make it a more effective tool for cyber risk management.

As cybersecurity incidents—ranging from data breaches and denial-of-service attacks to computer fraud and ransomware—become more common, a cyberinsurance industry has emerged to provide coverage for any resulting liability, business interruption, extortion payments, regulatory fines, or repairs. In this book, Josephine Wolff offers the first comprehensive history of cyberinsurance, from the early “Internet Security Liability” policies in the late 1990s to the expansive coverage offered today. Drawing on legal records, government reports, cyberinsurance policies, and interviews with regulators and insurers, Wolff finds that cyberinsurance has not improved cybersecurity or reduced cyber risks. 
 
Wolff examines the development of cyberinsurance, comparing it to other insurance sectors, including car and flood insurance; explores legal disputes between insurers and policyholders about whether cyber-related losses were covered under policies designed for liability, crime, or property and casualty losses; and traces the trend toward standalone cyberinsurance policies and government efforts to regulate and promote the industry. Cyberinsurance, she argues, is ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite—to disincentivize such payments to make ransomware less profitable. An industry built on modeling risk has found itself confronted by new technologies before the risks posed by those technologies can be fully understood.
 

Table of Contents

Series Editor's Introduction ix
Acknowledgments xiii
1 Introduction: A Market-Driven Approach to Cybersecurity 1
I HISTORY OF CYBERINSURANCE
2 Breach on the Beach: Origins of Cyberinsurance 27
II CYBERSECURITY CLAIMS UNDER NON-CYBER COVERAGE
3 "The Hackers Did This": Data Breach Lawsuits and Commercial General Liability Insurance 65
4 "The Point of No Return": Computer Fraud Insurance and Defining Cybercrime 87
5 "Insurrection, Rebellion, Revolution, Riot": NotPetya, Property Insurance, and War Exclusions 111
III CYBER COVERAGE AND REGULATION
6 "The Big Kahuna": Stand-Alone Cyber Coverage 153
7 "What Is the Point of Collecting Data?": Global Growth of Cyberinsurance and the Role of Policymakers 181
8 Conclusion: Is Cyber Risk Different? 215
Notes 227
References 249
Index 265

Author

Josephine Wolff is Associate Professor of Cybersecurity Policy at the Fletcher School of Law and Diplomacy at Tufts University and the author of You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (MIT Press). Her writing on cybersecurity has appeared in the New York Times, the Washington Post, Wired, and Slate.