Law Commons^™

Cyber Plungers: Colonial Pipeline And The Case For An Omnibus Cybersecurity Legislation, Asaf Lubin

Articles by Maurer Faculty

The May 2021 ransomware attack on Colonial Pipeline was a wake-up call for a federal administration slow to realize the dangers that cybersecurity threats pose to our critical national infrastructure. The attack forced hundreds of thousands of Americans along the east coast to stand in endless lines for gas, spiking both prices and public fears. These stressors on our economy and supply chains triggered emergency proclamations in four states, including Georgia. That a single cyberattack could lead to a national emergency of this magnitude was seen by many as proof of even more crippling threats to come. Executive Director of …

Combating Ransomware: One Year On, V. Gerard Comizio, Gary Corn, William Deckelman, Karl Hopkins, Mark Hughes, Patrick Mccarty, Sujit Raman, Kurt Sanger, Ari Schwartz, Melanie Teplinsky, Jackson Colling

Joint PIJIP/TLS Research Paper Series

No abstract provided.

Insurance And Enterprise: Cyber Insurance For Ransomware, Tom Baker, Anja Shortland

All Faculty Scholarship

Selling insurance gives insurers an incentive to manage insured risks. The “insurance as governance” literature demonstrates that insurers often make insurance conditional on ex ante risk reduction or mitigation. But insurance governs in support of enterprise, not security for its own sake. Tight underwriting inhibits enterprise – not only for insured businesses but also the business of insurance. This paper highlights ex post loss reduction as a form of insurance-based governance. Drawing on interviews with industry insiders, we explore how insurers addressed the evolving problems of moral hazard, uncertainty, and correlated losses since the 1990s. We find that cyber insurance …

The Law And Politics Of Ransomware, Asaf Lubin

Articles by Maurer Faculty

What do Lady Gaga, the Royal Zoological Society of Scotland, the city of Valdez in Alaska, and the court system of the Brazilian state of Rio Grande do Sul all have in common? They have all been victims of ransomware attacks, which are growing both in number and severity. In 2016, hackers perpetrated roughly four thousand ransomware attacks a day worldwide, a figure which was already alarming. By 2020, however, ransomware attacks reached a staggering number, between 20,000 and 30,000 per day in the United States alone. That is a ransomware attack every eleven seconds, each of which cost victims …

Newsletter, Winter 2022

Newsletter

No abstract provided.

The Case For Banning (And Mandating) Ransomware Insurance, Kyle D. Logue, Adam B. Shniderman

Law & Economics Working Papers

Ransomware attacks are becoming increasingly pervasive and disruptive. Not only are they shutting down (or at least “holding up”) businesses and local governments all around the country, they are disrupting institutions in many sectors of the U.S. economy — from school systems, to medical facilities, to critical elements of the U.S. energy infrastructure as well as the food supply chain. Ransomware attacks are also growing more frequent and the ransom demands more exorbitant. Those ransom payments are increasingly being covered by insurance. That insurance offers coverage for a variety of cyber-related losses, including many of the costs arising out of …

Public Policy And The Insurability Of Cyber Risk, Asaf Lubin

Articles by Maurer Faculty

In June 2017, the food and beverage conglomerate Mondelez International became a victim of the NotPetya ransomware attack. Around 1,700 of its servers and 24,000 of the company’s laptops were suddenly and permanently unusable. Commercial supply and distribution disruptions, theft of credentials from many users, and unfulfilled customer orders soon followed, leading to losses that totaled more than $100 million. Unfortunately, Zurich, which had sold the company a property insurance policy that included a variety of coverages, informed Mondelez in 2018 that cyber coverage would be denied under the policy based on the “war exclusion clause.” This case, now pending, …

Insuring Against Cyber Risk: The Evolution Of An Industry (Introduction), Christopher French

Journal Articles

Cyber risks are the newest risks of the 21st century. The breadth and cost of cyber attacks are astonishing. Worldwide damages caused by cyber attack are predicted to reach $6 trillion by 2021. Between 2015 and 2017, ransomware damages alone increased from $325 million to approximately $5 billion. In 2017, WannaCry ransomware shut down over 300,000 computer systems across 150 countries.

On April 13, 2018, the Penn State Law Review held a symposium to discuss the evolution of cyber risks and cyber insurance. The symposium was comprised of an eclectic group of legal practitioners and scholars who presented four articles. …

Send Us The Bitcoin Or Patients Will Die: Addressing The Risks Of Ransomware Attacks On Hospitals, Deborah R. Farringer

Law Faculty Scholarship

“You just have 10 days to send us the Bitcoin. After 10 days we will remove your private key and it's impossible to recover your files.” Message to Medstar employees. Within a span of just a few months in the spring of 2016, fourteen hospitals (four hospital systems) experienced ransomware attacks resulting in an inability for the hospitals to access any of their electronic medical records, including necessary patient data. Knowing that hospitals must have access to this data in order to appropriately treat and monitor patients, those responsible for the attacks requested a bitcoin payment as ransom for the …