A Book Maintains The Cyber Insurance Paradigm Is A Failure

Barely on the radar 30 years ago, cyber breaches have become a threat to everything from teen-age privacy to the integrity of electrical grids and control of national weapons systems. Almost as soon as they began, breaches ripened from an exotic annoyance into a full-blown plague, and companies began to invoke their commercial general liability (CGL) policies to cover the often substantial associated costs. Coverage issues were complicated by the fact that companies could be “simultaneously a breach victim and, in parallel lawsuits against them, an enabler of cyber breaches,” writes University of California School of law Professor Shauhin Talesh, in her review of Josephine Wolff’s new book, “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks” (MIT Press, 2022).

Carriers balked on the CGL claims, and the courts backed them up. In the book, Wolff is highly critical of what carriers did next: moved all cyber risks into stand-alone policies. She maintains, in the reviewer’s paraphrase, that “developing a comprehensive stand-alone insurance policy for cyber risks is quite different from insuring auto or fire risks because, unlike with cars and fires, it is virtually impossible to articulate all the ways cyber threats could cause harm.” Wolff’s book, according to the reviewer, makes a strong case that the U.S. system is a failure and that most of the world – with the odd exception of one small country – has been making the same mistakes the U.S. has made.