Strengthening Cybersecurity with Cyberinsurance Markets and Better Risk Assessment

By Jay P. Kesan & Carol M. Hayes.

Cybersecurity is an increasingly important element of infrastructure and commerce. Courts are starting to shape the doctrine of third-party liability for cyberattacks and data breaches. For businesses that rely on computers and the Internet, these developments affect their bottom line. There is a lot of interest in managing these emerging cyber risks and associated cyber losses, and many companies are looking to insurance policies for coverage.

Unfortunately, commercial general liability policies are becoming narrower as insurers increasingly remove electronic data from the scope of coverage. Cyberinsurance is becoming increasingly available, but the market for these policies is plagued by informational asymmetries, data scarcity, and high potential for moral hazard problems.

In this Article, we examine insurance as a risk management tool in the cybersecurity context, with special emphasis on the emerging market for cyberinsurance and how to overcome the dangers to this market’s effectiveness and growth through better risk assessment. To understand the legal risk in policy coverage, we present an empirical study and findings regarding litigation concerning insurance coverage for cyber harms involving intangible property, digital data, and cybersecurity. Our work emphasizes the need for developing cyber-specific insurance products, instead of relying on commercial general liability (CGL) policies to cover cyber losses. We argue that collaboration between the government and private sector will be necessary to better estimate the technological risk in this cyber environment for insurance purposes. We also analogize the cyberinsurance market to the Workers’ Compensation system and the National Flood Insurance Program (NFIP) and analyze the lessons that can be drawn from them.