Insurance and Enterprise: Cyber Insurance for Ransomware
Geneva Papers on Risk and Insurance, Vol.48, p.275, 2023
25 Pages Posted: 28 Oct 2022 Last revised: 12 Sep 2023
Date Written: October 27, 2022
Selling insurance gives insurers an incentive to manage insured risks. The “insurance as governance” literature demonstrates that insurers often make insurance conditional on ex ante risk reduction or mitigation. But insurance governs in support of enterprise, not security for its own sake. Tight underwriting inhibits enterprise – not only for insured businesses but also the business of insurance. This paper highlights ex post loss reduction as a form of insurance-based governance. Drawing on interviews with industry insiders, we explore how insurers addressed the evolving problems of moral hazard, uncertainty, and correlated losses since the 1990s. We find that cyber insurance developed sophisticated remedies to contain liabilities and quickly restore affected IT systems, but largely left security decisions to the insured. This facilitated enterprise in the short run but undermined security in the longer term: funding and expediting ransom payments encourages further attacks. As businesses improved their resilience, cybercriminals adapted and ransoms escalated, calling insurability into question. Yet there remains little appetite for imposing restrictive conditionality in this highly competitive market. Instead, insurers have turned to governments to contain criminal threats and cushion catastrophic losses.
Keywords: Insurance markets, risk assessment & management, cybercrime, cyberattack, ransomware, data breaches, governance, liability, moral hazard, loss reduction & mitigation, government intervention
JEL Classification: G22, G28, K24
Suggested Citation: Suggested Citation