Cyberinsurance Policy

As cybersecurity incidents-ranging from data breaches and denial-of-service attacks to computer fraud and ransomware-become more common, a cyberinsurance industry has emerged to provide coverage for any resulting liability, business interruption, extortion payments, regulatory fines, or repairs. In this book, Josephine Wolff offers the first comprehensive history of cyberinsurance, from the early "Internet Security Liability" policies in the late 1990s to the expansive coverage offered today. Drawing on legal records, government reports, cyberinsurance policies, and interviews with regulators and insurers, Wolff finds that cyberinsurance has not improved cybersecurity or reduced cyber risks. Wolff examines the development of cyberinsurance, comparing it to other insurance sectors, including car and flood insurance; explores legal disputes between insurers and policyholders about whether cyber-related losses were covered under policies designed for liability, crime, or property and casualty losses; and traces the trend toward standalone cyberinsurance policies and government efforts to regulate and promote the industry. Cyberinsurance, she argues, is ineffective at curbing cybersecurity losses because it normalises the payment of online ransoms, whereas the goal of cybersecurity is the opposite-to disincentivise such payments to make ransomware less profitable. An industry built on modelling risk has found itself confronted by new technologies before the risks posed by those technologies can be fully understood. Series Overview: The Information Policy Series publishes research on and analysis of significant problems in the field of information policy, including decisions and practices that enable or constrain information, communication, and culture irrespective of the legal siloes in which they have traditionally been located as well as state-law-society interactions. Defining information policy as all laws, regulations, and decision-making principles that affect any form of information creation, processing, flows, and use, the series includes attention to the formal decisions, decision-making processes, and entities of government; the formal and informal decisions, decision-making processes, and entities of private and public sector agents capable of constitutive effects on the nature of society; and the cultural habits and predispositions of governmentality that support and sustain government and governance. The parametric functions of information policy at the boundaries of social, informational, and technological systems are of global importance because they provide the context for all communications, interactions, and social processes.