Public Policy and The Insurability of Cyber Risk

5 Journal of Law and Technology at Texas 45 (2022)

65 Pages. Posted: 21 Sep 2019. Last revised: 8 Aug 2022


Asaf Lubin

Indiana University Maurer School of Law; Berkman Klein Center for Internet & Society; Yale University - Information Society Project; Federmann Cybersecurity Center, Hebrew University of Jerusalem Faculty of Law

Date Written: September 12, 2019


In June 2017, the food and beverage conglomerate Mondelez International became a victim of the NotPetya ransomware attack. Around 1,700 of its servers and 24,000 of the company’s laptops were suddenly and permanently unusable. Commercial supply and distribution disruptions, theft of credentials from many users, and unfulfilled customer orders soon followed, leading to losses that totaled more than $100 million. Unfortunately, Zurich, which had sold the company a property insurance policy that included a variety of coverages, informed Mondelez in 2018 that cyber coverage would be denied under the policy based on the “war exclusion clause.”

This case, now pending, will be a watershed moment for the cyber insurance industry, highlighting the great ambiguity around the insurability of certain types of cyber risk and the scope of coverage that insurers will provide in the case of a cyber incident. The literature on the insurability of cyber risk has focused all of its attention on questions of economic efficiency and viability. Scholarship has, for example, examined the actuarial challenges in cyber risk modeling and the likelihood of adverse selection resulting from information asymmetries and a lack of historical claims data. Scholars have so far avoided a different set of considerations rooted not in economics but rather in public policy analysis of societal values.

This paper lays the framework for such an analysis. Relying on traditional insurance and torts jurisprudence, the paper makes the public policy case for limited legal interventions in the indemnification of three controversial categories of cyber harm: (1) acts of cyber terrorism or state-sponsored cyber operations; (2) extortion payments for ransomware attacks; and (3) administrative fines for violations of statutory data protection regulations. In so doing, the paper highlights systemic challenges to cyber insurance underwriting while explaining insurers’ role in increasing societal cyber posture by reducing the likelihood of moral hazard and suboptimal cyber-norms enforcement.

Keywords: Insurance, Cybersecurity, Risk, Ransomware, Data Breach, Cyber Terrorism, Cyber Warfare, Data Protection, GDPR, Risk Management, Economic Efficiency, Public Policy

Suggested Citation

Lubin, Asaf, Public Policy and The Insurability of Cyber Risk (September 12, 2019). 5 Journal of Law and Technology at Texas 45 (2022), Available at SSRN: or

Asaf Lubin (Contact Author)

Indiana University Maurer School of Law

Office #322
211 S. Indiana Avenue
Bloomington, IN 47405
United States
8128556403 (Phone)


Berkman Klein Center for Internet & Society

Harvard Law School
23 Everett, 2nd Floor
Cambridge, MA 02138
United States

Yale University - Information Society Project

P.O. Box 208215
New Haven, CT 06520-8215
United States

Federmann Cybersecurity Center, Hebrew University of Jerusalem Faculty of Law

Mount Scopus
Mount Scopus, IL 91905
