Law Commons^™

Insurance And Enterprise: Cyber Insurance For Ransomware, Tom Baker, Anja Shortland

All Faculty Scholarship

Selling insurance gives insurers an incentive to manage insured risks. The “insurance as governance” literature demonstrates that insurers often make insurance conditional on ex ante risk reduction or mitigation. But insurance governs in support of enterprise, not security for its own sake. Tight underwriting inhibits enterprise – not only for insured businesses but also the business of insurance. This paper highlights ex post loss reduction as a form of insurance-based governance. Drawing on interviews with industry insiders, we explore how insurers addressed the evolving problems of moral hazard, uncertainty, and correlated losses since the 1990s. We find that cyber insurance …

The Law And Politics Of Ransomware, Asaf Lubin

Articles by Maurer Faculty

What do Lady Gaga, the Royal Zoological Society of Scotland, the city of Valdez in Alaska, and the court system of the Brazilian state of Rio Grande do Sul all have in common? They have all been victims of ransomware attacks, which are growing both in number and severity. In 2016, hackers perpetrated roughly four thousand ransomware attacks a day worldwide, a figure which was already alarming. By 2020, however, ransomware attacks reached a staggering number, between 20,000 and 30,000 per day in the United States alone. That is a ransomware attack every eleven seconds, each of which cost victims …

The Case For Banning (And Mandating) Ransomware Insurance, Kyle D. Logue, Adam B. Shniderman

Law & Economics Working Papers

Ransomware attacks are becoming increasingly pervasive and disruptive. Not only are they shutting down (or at least “holding up”) businesses and local governments all around the country, they are disrupting institutions in many sectors of the U.S. economy — from school systems, to medical facilities, to critical elements of the U.S. energy infrastructure as well as the food supply chain. Ransomware attacks are also growing more frequent and the ransom demands more exorbitant. Those ransom payments are increasingly being covered by insurance. That insurance offers coverage for a variety of cyber-related losses, including many of the costs arising out of …

Public Policy And The Insurability Of Cyber Risk, Asaf Lubin

Articles by Maurer Faculty

In June 2017, the food and beverage conglomerate Mondelez International became a victim of the NotPetya ransomware attack. Around 1,700 of its servers and 24,000 of the company’s laptops were suddenly and permanently unusable. Commercial supply and distribution disruptions, theft of credentials from many users, and unfulfilled customer orders soon followed, leading to losses that totaled more than $100 million. Unfortunately, Zurich, which had sold the company a property insurance policy that included a variety of coverages, informed Mondelez in 2018 that cyber coverage would be denied under the policy based on the “war exclusion clause.” This case, now pending, …

Insuring Against Cyber Risk: The Evolution Of An Industry (Introduction), Christopher French

Journal Articles

Cyber risks are the newest risks of the 21st century. The breadth and cost of cyber attacks are astonishing. Worldwide damages caused by cyber attack are predicted to reach $6 trillion by 2021. Between 2015 and 2017, ransomware damages alone increased from $325 million to approximately $5 billion. In 2017, WannaCry ransomware shut down over 300,000 computer systems across 150 countries.

On April 13, 2018, the Penn State Law Review held a symposium to discuss the evolution of cyber risks and cyber insurance. The symposium was comprised of an eclectic group of legal practitioners and scholars who presented four articles. …