Cyber Insurance and Cybersecurity Policy: An Interconnected History
A review of Josephine Wolff, “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks” (MIT Press, 2022).
Published by The Lawfare Institute
in Cooperation With
A review of Josephine Wolff, “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks” (MIT Press, 2022).
***
Cyber risks—that is, loss associated with the use of electronic equipment, computers, information technology, and virtual reality—are among the biggest threats facing businesses and consumers. Cybersecurity risks are critical because consumer, financial, and health information are stored predominantly in electronic form. Hackers, malware, viruses, wiretapping, robocalls, and solicitation lead to identity theft and compromise personal, financial, and health information. These breaches impact almost every major industry, including financial services, health care, government, entertainment, retail, law, insurance, social networking, and credit card processing. And of course, hackers have even attempted to influence elections and geopolitical conflicts. Governments have struggled with how to address these challenges and often rely on fragmented and somewhat weak laws and regulations.
Recognizing cybersecurity as creating new risks and potential liability, insurance companies have tried to fill the void. Cyber insurance is designed to provide both first-party and third-party insurance coverage for data breaches, privacy violations, and cyberattacks. Although insurers provide a variety of policies, they all provide some risk-shifting for the costs associated with having to respond to, investigate, defend, and mitigate a cyberattack. Insurers also offer some services aimed at helping policyholders manage their risk. Although cyber insurance is not as mature as other types of long-standing insurance, in 2018 cyber insurers collected approximately $3.5 billion in premiums. Cyber insurers actively compete for market share in this new space. How did we get here in only 30 years? What has been the impact of cyber insurance on the insurance industry? What impact has cyber insurance had on cybersecurity? What role have public legal institutions like courts and legislators played in the development of cyber insurance?
These questions are answered by Josephine Wolff in “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks,” which offers a deep dive into the move by insurance companies to insure these cyber risks and attempt to play a regulatory role over organizations. In her book, Wolff, a professor of cybersecurity policy, computer science, and engineering at Tufts University, offers a careful and comprehensive analysis of the origin and evolution of the cyber insurance market. Relying largely on analysis of lawsuits, cyber insurance policies, government records, and media coverage, Wolff describes the current state of cyber insurance. Specifically, Wolff explores the development of the cyber insurance market by examining regulatory changes, legal battles in courtrooms, and shifts in public policy.
Wolff explores these issues not only in the United States but also in global markets, where insurers are currently attempting to increase sales. In doing so, the book maps the growth of the cyber insurance market and how that growth challenges earlier notions about the quantification, management, and assessment of risk. Because governments do not have a strong command-and-control regulatory apparatus over cyber risks, they collaborate with and involve insurance companies as partners in the oversight of cybersecurity incidents. Wolff shows how governments and the insurance industry have played a critical and interconnected role in creating, sustaining, and legitimating cyber insurance. The rich level of detail and history of cyber insurance makes Wolff’s “Cyberinsurance Policy” easily the “go to” book on the subject.
Siloing Cyber Insurance Was Driven by Courts, Policymakers, and Insurers
Wolff makes a series of distinct but connected arguments about the role insurance companies, courts, and policymakers played in shaping the cyber insurance market and how this market impacts cybersecurity threats and, more broadly, risk management.
Wolff walks the reader through a careful analysis of how courts in the United States have supported insurers’ efforts to exclude cyber risks from non-cyber-specific policies related to cyber liability and crime. Initially, policyholders brought cyber claims under commercial general liability, property, and other lines of traditional insurance. Despite these policies often having ambiguous language concerning whether they covered cybercrimes and cyberattacks (and ambiguities are often construed against the drafter in contract law doctrine), court decisions routinely denied coverage for cyber claims.
Victories for insurance companies allowed insurers to avoid paying legal fees as many cyber-related class action suits emerged. Courts also sent a firm message to businesses making cyber claims: If they wanted protection for data breach and cybersecurity incidents, they would need to purchase a newly developed cyber insurance policy. In other words, the court cases provided insurers cover to shift and develop their cyber risk coverage into stand-alone policies. Moreover, the commercial general liability (CGL) coverage disputes and judicial interventions shielding such policies from coverage did not address the deeper set of liability issues for organizations such as Sony or Target—namely, that they are simultaneously a breach victim and, in parallel lawsuits against them, an enabler of cyber breaches. CGL insurance coverage disputes for breach liability highlighted the challenges of “untangle[ing] who was responsible for incidents that had multiple, often overlapping, layers of victims, enablers, and potential defenders.”
Wolff’s sharpest critiques of the insurance industry surround the decision to isolate cyber risks from the overall insurance market with the support of judicial decisions that excluded coverage under traditional insurance policies. Shifting cyber risks into separate insurance policies and departments within insurance companies led to challenges relating to modeling and pricing these risks. These decisions prevented insurers from keeping up with and identifying the ways computer networks and data have become increasingly embedded into other systems and coverage areas. Thus, insurers’ repeated complaints about the lack of good actuarial data, modeling, and pricing criteria are in part because insurers have eagerly tried to design a comprehensive stand-alone insurance policy. Although such market segmentation by insurers may have helped their business model, Wolff shows how they weakened cyber insurance policy.
Wolff points out that developing a comprehensive stand-alone insurance policy for cyber risks is quite different from insuring auto or fire risks because, unlike with cars and fires, it is virtually impossible to articulate all the ways cyber threats could cause harm. This “named peril” approach to cyber underwriting that insurers have taken makes it likely that there will be significant gaps in customers’ coverage or uncertainty about how their coverage will apply to future risks. An “all-risk” model of insurance (like property insurance) where insurers clearly identify and assess the value of a policyholder’s covered assets does not work well either. Wolff correctly notes that it is hard to assess the cost of damage to digital assets and to deal with third-party liability costs and reputation damages. In trying to treat cyber as a risk analogous to cars, floods, fire, or property and thus create a stand-alone insurance policy, “insurers actually undercut their ability to use the wide range of different coverage formats and risk-modeling tactics at their disposal to address different facets of cyber-related risks.” Moving all cyber risks into stand-alone policies made it harder for insurers to gather reliable data on these risks and to “diversify their risk pools through recruiting customers with different risk profiles.”
Wolff also offers measured and practical recommendations for how to move forward in light of these problems: Different types of cyber risks should be separated into different types of insurance. Some cyber risks are so new and distinct that they may call for separate and distinct cyber policies. Other cyber risks are closely tied to existing lines of coverage and belong inside policies that deal with liability, crime, property, and car insurance.
Wolff addresses the relationship between cyber and other risks in the middle chapters of the book. Although insurers were largely successful in excluding cyber claims from CGL policies, they met much more mixed results in court when it came to denying coverage under computer fraud policies for crimes that were considered insufficiently computer-centric. Different policies offered different definitions of what was considered computer fraud. In turn, courts had different views about how clear that language was and how directly a crime had to be executed by a computer for it to count as computer fraud. For policyholders, these various definitions and interpretations of computer fraud coverage led to considerable uncertainty about which policies applied as insurers continued to experiment with new language in their computer fraud policies. Embedded in new stand-alone cyber insurance policies were also “warlike action” exclusions that raise difficult questions about what constitutes war (or warlike activity) in the online world. The legal disputes over whether cyber-related losses could be claimed under CGL, computer fraud, property insurance, and the merits of specific exclusions such as for warlike activity, have led to growing restrictions on when policyholders can seek coverage for cybersecurity incidents. Thus, an implication of Wolff’s analysis is that legal decisions emboldened insurers to exclude cyber risks from their existing lines of coverage and instead package those risks into stand-alone cyber policies.
The latter chapters reveal how legislative policymakers have, in addition to courts, assisted in the advancement of cyber insurance. By not passing strict privacy and cybersecurity requirements for organizations, state and federal governments created space for insurers to offer cyber insurance and risk management services This is largely based on the idea that insurers can act as a regulatory lever over organizations purchasing such insurance and reduce organizations’ overall cyber risk exposure. However, once again, Wolff reveals that a lack of data, a lack of expertise, and an inability to scale rigorous security audits have rendered cyber insurers unable to play a significant deterrent role in reducing cybersecurity incidents or exposure to cyber risks.
Global Cyber Insurance: Same Issues, Same Mistakes
Wolff does not constrain her analysis to the United States. Wolff impressively explores the global growth of cyber insurance and the role that policymakers played around the world in this expansion. Although the early cyber insurance market in the 1990s and 2000s was largely confined to the United States, the late 2010s saw gradual increases in sales of cyber insurance policies in other countries such as the European Union member states, China, Brazil, India, and Singapore. This growth was due in large part to the increasing regulatory activity related to data security and privacy, which led to new laws and regulations around the world. The global story of cyber insurance that Wolff tells is fascinating because, with a few exceptions, it tracks the story of cyber insurance in the United States.
As in the United States, global insurers initially met with various governments to promote and develop cyber insurance and discuss broad policy concerns such as security standards and access to anonymous data for risk assessments. Just as the data breach notification laws in the United States had done for U.S. cyber insurance markets in the early 2000s, laws such as the General Data Protection Regulation implemented by the European Union in 2018 made companies increasingly aware of their own potential liability and responsibility and generated greater interest in cyber insurance. Wolff reveals that very few countries were able to avoid the problems that U.S. regulators encountered in regulating the cyber insurance industry. Rather than learn from the lessons of the United States about how to regulate the cyber insurance industry, most governments used a soft, “hands-off” approach and relied on insurers to figure out how to use their products to improve cybersecurity on their own. Wolff notes that although insurers lobbied in broad and vague terms for government involvement, they often backtracked or failed to push for such involvement when concrete negotiations occurred. The failure of regulators to address challenges faced by cyber insurers meant cyber insurers did not have access to international risk data and support and could not tailor their risk assessments to specific countries and regulatory environments. Instead, cyber insurance policies on the global market were largely based on data they had been able to gather from the United States. The global cyber insurance market was largely left in a similar position to the U.S. market: lacking reliable data on loss history, lacking a clear sense of which cybersecurity controls work, and calling for the government to provide some form of a backstop in the event of a catastrophic loss that insurers might have to bear. Wolff’s careful comparative analysis elucidates how the fragmented, market-led policy approach toward cyber has proliferated worldwide and continuously affords cyber insurers too much autonomy without reliance on data and measurable security standards.
Although most of the world has made the same errors as the United States, Wolff reveals how Singapore has managed to chart its own path fairly successfully. In 2016, Singapore launched its Cyber Risk Management Project. This project tried to support the underwriting and pricing of cyber risks and foster an efficient cyber risk insurance marketplace. Singapore has had measurable success in creating a more balanced collaborative governance partnership between the insurance industry and government. Singapore’s cyber risk project relied on developing a standardized taxonomy for describing cybersecurity incidents, creating a database of cybersecurity incidents and their resulting losses, and benchmarking different models of cyber-related losses to support actuarial pricing. This initiative ultimately led to meetings between government and the insurance industry that actually resulted in the passage of the Singapore Cybersecurity Act.
Singapore developed a $1 billion cyber risk pool that “drew both inspiration and a strong sense of potential pitfalls of their work from observing the earlier efforts in the United States.” In particular, Singapore’s policymakers admired the rapid growth of the cyber insurance market in the United States but took note of how unhelpful regulations had been at providing insurers with useful data or effective security standards. Ultimately, the U.S. government’s involvement led to the growth of cyber insurance but not any meaningful collaboration or oversight. Learning from the United States’ errors, Singapore recommended developing a large pool of money drawn from both private and public sectors that could help cover claims and lessen the risk that insurers took on while the insurance industry developed and matured. Thus, by focusing on the international cyber insurance market with rich detail and analysis and highlighting the exceptional case of Singapore, Wolff significantly augments the impact of her book because she highlights a tangible example of how government oversight of the insurance industry can work more effectively to align incentives.
***
In sum, Wolff’s “Cyberinsurance Policy” is an essential and foundational read for those interested in the interrelationship between cybersecurity and the role of insurance companies. Until now, no one had gathered together in one location a comprehensive history of cyber insurance. We learn so much from this book. Wolff’s book highlights the uniqueness of cybersecurity risks and why insurance companies need to deal with cybersecurity risks differently. Unlike auto, flood, and fire insurance, Wolff shows how cyber insurance does not cover a single, coherent type of threat. Unlike CGL, property, or casualty insurance, cyber insurance does not cover a particular, coherent set of damages. Rather, cyber insurance stand-alone policies address a range of different threats, including cyber crime, data breaches, network outages, and online extortion. Cyber insurance policies cover a range of first-party costs such as lost business, ransom payments, breach notifications, to third-party costs tied to lawsuits and liability. Wolff’s book teaches that cyber insurance is not one single “thing” but, rather, a range of different products that deal with computer-, data-, and network-related risks that intersect with any number of different threats and types of losses. The irony of the cyber insurance story is that, despite the interrelatedness of cyber risk to other harms, insurers have done everything they can to establish a dedicated, single line of insurance with coverage solely for cyber risk, including eliminating cyber-related losses from their other lines of insurance. Wolff’s careful historical analysis highlights how the current state of cyber insurance is not purely industry driven, but the product of court and legislative policy decisions in a world increasingly fond of public-private partnerships.
More importantly, this book reminds us that the idea that cybersecurity can be handled primarily through a market-driven approach led by insurers is fundamentally flawed. Wolff’s careful historical analysis drives toward possible policy solutions or at least improvements to the cyber insurance market. It forces readers to reimagine insurance-by-regulation and the role of government oversight in insurance. It leaves room for insurance and regulation scholars to explore, in a more fine-grained manner, how cyber insurance acts as a form of regulation and under what conditions insurance can act as a positive or negative form of regulation. It is time to reexamine the intertwined relationships between the insurance industry and cybersecurity policy, and Josephine Wolff’s “Cyberinsurance Policy” is a great place to start that reexamination.