Ben's Book of the Month: Review of "Cyberinsurance Policy"

Posted on by Ben Rothke

If you don’t have the time to read this great new book Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks (MIT Press) by Josephine Wolff, let me summarize it in 14 words:

  • Company buys cyberinsurance
  • It has a breach
  • Insurance company denies the claim
  • Company litigates

But if you want to educate yourself on cyberinsurance, you owe it to yourself to read every word in this fantastic book.

Virginia Haufler of the University of Maryland has written extensively about the critical role of the insurance industry in shaping global trade. Here, Wolff extends Haufler’s theory of how increasing public-sector involvement is required for the development of insurance products intended to govern global risks and examines how it applies to cyber risk, as well as its limitations in the face of different nations’ sometimes-conflicting interests in security and data protection.

Kenneth Abraham of the University of Virginia is a leading scholar on insurance law. Wolff builds on Abraham’s theory to explore the deterrence function of cyberinsurance and its effectiveness in creating incentives for policyholders to prevent losses in addition to spreading losses.

Founded nearly 350 years ago, the Hamburger Feuerkasse (Hamburg Fire Office) is the first officially established fire insurance company in the world. Cyberinsurance, by contrast, is a mere 26 years old.

Wolff does an excellent job of detailing the growing pains of the cyberinsurance industry. She writes that the rise of ransomware caught the industry by surprise and started eating away at its profits. Insurers used policy exclusions and got into the minutiae of the contractual language to deny claims, which led to expensive litigation.

As cyberinsurance is a mere infant in the insurance world, one point the book makes repeatedly is the need for more high-quality data on the frequency of security incidents and on the costs of incidents and outages.

As cyberinsurance is built upon traditional insurance, the book’s first part deals with how traditional insurance works and is structured. While that can be a dry read, it is a needed preamble for the rest of the book. And Wolff has written a fascinating book that details the growth of cyberinsurance and the many challenges (and conflicts) the insurers and policyholders have faced since it was created.

Insurance, at its core, is a hedge against financial loss. But when it comes to data protection and cybersecurity, Wolff argues, quite compellingly, that cyberinsurance has failed to improve cybersecurity.

And that comes back to the need for better data around cybersecurity. The lack of reliable, consistently collected data has been the bane of cyberinsurance underwriters. Robust actuarial data, which is de rigueur for every other insurance product, is sorely lacking for cybersecurity, to the degree that no one really knows what a security incident costs or how often one happens.

And worse than that, large-scale cyberattacks might be fundamentally uninsurable—to the degree that some in the industry are lobbying for government backup, akin to the Terrorism Risk Insurance Act (TRIA), which is a federal program that provides compensation for certain insured losses resulting from acts of terrorism.

This is a fascinating and engaging read for those looking to understand how cyberinsurance works, the nature of information risk, and the direction of this industry. The industry is in its infancy and going through a lot of growing pains. Wolff does a superb job of explaining these pains and what the industry needs to do to reach the levels of its older insurance siblings in the health, auto, and property and casualty insurance sectors.

Cyberinsurance policies are getting more expensive, and many don’t cover the attacks the policyholders expected. But as cyberattacks increase constantly, cyberinsurance is becoming more critical. And to understand the importance and significance of cyberinsurance, this is an invaluable reference.

Ben Rothke

Senior Information Security Manager, Tapad
