Cybersecurity Spillovers

72 Pages Posted: 8 Jul 2021 Last revised: 6 Apr 2022

See all articles by Mark Verstraete

Mark Verstraete

UCLA School of Law

Tal Zarsky

University of Haifa - Faculty of Law

Date Written: July 1, 2021


This Article identifies and analyzes a previously unrecognized source of positive externalities within cybersecurity, which we term “cybersecurity spillovers.” Most commentators have focused on negative externalities and market failures, leading to a pervasive pessimism about the possibility of adequate cybersecurity protections. In response, this Article demonstrates that unique dynamics from cloud computing—most notably, indivisibility—may force cloud service firms to generate spillovers. These spillovers are additional security protections provided to the common cloud users; clients who may have not been willing or able to acquire these security services otherwise. Furthermore, this additional source of security offsets some of the most pernicious effects of negative externalities and market failure which commonly plague the cybersecurity ecosystem.

Alongside its descriptive analysis of cybersecurity spillovers, this Article alerts policymakers about potential analytical tools which can be used to identify the most beneficial spillovers. Moreover, it offers recommendations for specific interventions that will promote spillovers and improve the state of cybersecurity generally. In particular, this Article explains that policymakers could promote indivisibility and strengthen spillovers by tailoring liability rules. Such enhanced liability might incentivize premium cloud service clients to demand robust protections across the entire platform. In addition, the Article addresses the relationship between market concentration and spillovers. It provides recommendations for preserving spillovers even without concentration in the market for cloud storage. And finally, the Article suggests how the government’s cloud services procurement and tender processes can be utilized to amplify the beneficial effects of spillovers.

Keywords: cloud computing, GDPR, cybersecurity, procurement, externalities, 'brussels effect'

Suggested Citation

Verstraete, Mark and Zarsky, Tal, Cybersecurity Spillovers (July 1, 2021). Brigham Young University Law Review, Vol 47(3), p. 929, Available at SSRN:

Mark Verstraete

UCLA School of Law ( email )

Tal Zarsky (Contact Author)

University of Haifa - Faculty of Law ( email )

Mount Carmel
Haifa, 31905

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics