INFORMATION POLICY SERIES
Edited by Sandra Braman
The Information Policy Series publishes research on and analysis of significant problems in the field of information policy, including decisions and practices that enable or constrain information, communication, and culture irrespective of the legal siloes in which they have traditionally been located as well as state-law-society interactions. Defining information policy as all laws, regulations, and decision-making principles that affect any form of information creation, processing, flows, and use, the series includes attention to the formal decisions, decision-making processes, and entities of government; the formal and informal decisions, decision-making processes, and entities of private and public sector agents capable of constitutive effects on the nature of society; and the cultural habits and predispositions of governmentality that support and sustain government and governance. The parametric functions of information policy at the boundaries of social, informational, and technological systems are of global importance because they provide the context for all communications, interactions, and social processes.
A complete list of the books in the Information Policy series appears at the .
CYBERINSURANCE POLICY
RETHINKING RISK IN AN AGE OF RANSOMWARE, COMPUTER FRAUD, DATA BREACHES, AND CYBERATTACKS
JOSEPHINE WOLFF
The MIT Press
Cambridge, Massachusetts
London, England
© 2022 Massachusetts Institute of Technology
This work is subject to a Creative Commons CC-BY-NC-ND license.
Subject to such license, all rights are reserved.
The MIT Press would like to thank the anonymous peer reviewers who provided comments on drafts of this book. The generous work of academic experts is essential for establishing the authority and quality of our publications. We acknowledge with gratitude the contributions of these otherwise uncredited readers.
Library of Congress Cataloging-in-Publication Data
Names: Wolff, Josephine, author.
Title: Cyberinsurance policy : rethinking risk in an age of ransomware, computer fraud, data breaches, and cyberattacks / Josephine Wolff.
Description: Cambridge, Massachusetts : The MIT Press, [2022] | Series: Information policy series | Includes bibliographical references and index.
Identifiers: LCCN 2021045988 | ISBN 9780262544184 (paperback)
Subjects: LCSH: Computer insurance. | Computer security--Management. | Cyberspace--Security measures--Management. | Computer crimes--Prevention. | Risk management.
Classification: LCC HG9963.5 .W65 2022 | DDC 658.4/78--dc23/eng/20220114
LC record available at https://lccn.loc.gov/2021045988
For Perri Klass and Larry Wolff, who took care of the Chompo Bar until I was ready to give it to Gloria (who is not yet old enough to eat a whole Chompo Bar).
It was the day before Frances's little sister Gloria's birthday. Mother and Gloria were sitting at the kitchen table, making place cards for the party.
Frances was in the broom closet, singing:
Happy Thursday to you,
Happy Thursday to you,
Happy Thursday, dear Alice,
Happy Thursday to you.
"Who is Alice?" asked Mother.
"Alice is somebody that nobody can see," said Frances. "And that is why she does not have a birthday. So I am singing Happy Thursday to her."
"Today is Friday," said Mother.
"It is Thursday for Alice," said Frances. "Alice will not have h-r-n-d, and she will not have g-k-l-s. But we are singing together."
"What are h-r-n-d and g-k-l-s?" asked Mother.
"Cake and candy. I thought you could spell," said Frances.
"I am sure that Alice will have cake and candy on her birthday," said Mother.
"But Alice does not have a birthday," said Frances.
"Yes, she does," said Mother. "Even if nobody can see her, Alice has one birthday every year, and so do you. Your birthday is two months from now. Then you will be the birthday girl. But tomorrow is Gloria's birthday, and she will be the birthday girl."
"That is how it is, Alice," said Frances. "Your birthday is always the one that is not now."
A Birthday for Frances, Russell and Lillian Hoban, 1968
LIST OF TABLE
Comparison of coverage in 2010 and 2018 cyberinsurance template policies developed by Travelers and Zurich.
SERIES EDITOR'S INTRODUCTION
SANDRA BRAMAN
"Freedom," "rights," and "democracy" are words that often come up when we talk about information policy, but as Josephine Wolff makes clear in Cyberinsurance Policy, "risk" should be there as well. The word was coined mid-fifteenth century by the Italian shipping insurance industry, concerned as it was about risco, "that which cuts," the reefs that threaten cargo on high seas. Historian of statistics Alain Desrosières points to the launch of the first secular democracy in France in the late eighteenth century as the moment when that field became formalized. Historians of insurance such as François Ewald and Daniel Defert document its first stages of development by actuaries who had to distinguish among not only types of risk, but also population segments, behaviors, causal thresholds, and other matters we now think of as the subjects of social science.
Actuaries did so in order to develop insurance products that combine these diverse types of data according to a particular set of rules. This makes insurance a form of political imaginary itself, one that, according to anthropologist Mary Douglas and political scientist Aaron Wildavsky, in turn depends upon the extent to which any given combination of individuals recognizes itself as a group and on the extent and nature of rules considered appropriate for governance. Thomas Hobbes was big on risk, seeing its assessment as the basis of all political arrangements. From that regard, the dominance of the Chinese cybersecurity insurance market in 2019 by the four firms Cyberinsurance Policy tells us about (two American, one German, and one Swiss) is particularly interesting.
It has already been over four decades since Ulrich Beck explained that our capacity for coping with risk has gone down as technological and societal complexity have risen. Causal relations aren't always discernible, and thus accountability can be impossible to assign. Damaging processes may not become visible until long after irreversible harm can be prevented. The range of types of cybersecurity risk, as Josephine Wolff so superbly walks us through, is vast and multiplying. It is deeply intertwined with every other category of risk so far contemplated, and will become ever more so. Identifying perpetrators can be difficult or impossible, as can all of the types of harm caused or the actual cost of any of it.
The author carefully works through each of the policy options available to governments, offering shrewd critical insight regarding just why each has been discussed for so long without much in the way of effective action. It has been up to national governments and the European Union to develop cybersecurity-related policies on behalf of all parties, but the major cybersecurity insurance firms are transnational. Insurers look to states for forms of support (data, funding pools, technical standard setting, and guidance) provided for other of their products. Governments do not yet make these things available, but at the same time insurers also shy from the increase in regulation that is a necessary concomitant of the use of such policy tools.