Insurance and Enterprise: Cyber Insurance for Ransomware

Geneva Papers on Risk and Insurance, Vol.48, p.275, 2023

U of Penn, Inst for Law & Econ Research Paper No. 22-41

25 Pages. Posted: 28 Oct 2022. Last revised: 12 Sep 2023

Tom Baker

University of Pennsylvania Carey Law School

Anja Shortland

King's College, London

Date Written: October 27, 2022

Abstract

Selling insurance gives insurers an incentive to manage insured risks. The “insurance as governance” literature demonstrates that insurers often make insurance conditional on ex ante risk reduction or mitigation. But insurance governs in support of enterprise, not security for its own sake. Tight underwriting inhibits enterprise – not only for insured businesses but also the business of insurance. This paper highlights ex post loss reduction as a form of insurance-based governance. Drawing on interviews with industry insiders, we explore how insurers addressed the evolving problems of moral hazard, uncertainty, and correlated losses since the 1990s. We find that cyber insurance developed sophisticated remedies to contain liabilities and quickly restore affected IT systems, but largely left security decisions to the insured. This facilitated enterprise in the short run but undermined security in the longer term: funding and expediting ransom payments encourages further attacks. As businesses improved their resilience, cybercriminals adapted and ransoms escalated, calling insurability into question. Yet there remains little appetite for imposing restrictive conditionality in this highly competitive market. Instead, insurers have turned to governments to contain criminal threats and cushion catastrophic losses.

Keywords: Insurance markets, risk assessment & management, cybercrime, cyberattack, ransomware, data breaches, governance, liability, moral hazard, loss reduction & mitigation, government intervention

JEL Classification: G22, G28, K24

Suggested Citation

Baker, Tom and Shortland, Anja, Insurance and Enterprise: Cyber Insurance for Ransomware (October 27, 2022). Geneva Papers on Risk and Insurance, Vol.48, p.275, 2023, U of Penn, Inst for Law & Econ Research Paper No. 22-41, Available at SSRN: https://ssrn.com/abstract=4260517

Tom Baker (Contact Author)

University of Pennsylvania Carey Law School

3501 Sansom Street
Philadelphia, PA 19104
United States
215-746-2185 (Phone)

HOME PAGE: http://www.law.upenn.edu/cf/faculty/thbaker/

Anja Shortland

King's College, London

Strand
London, England WC2R 2LS
United Kingdom
