Archives

The Case for Banning (and Mandating) Ransomware Insurance

Kyle D. Logue & Adam B. Shniderman

Volume 28

Issue 1

PUBLISHED

Fall 2021

Abstract

Ransomware attacks are becoming increasingly pervasive and disruptive, resulting in ransom demands becoming more exorbitant. Payments for ransom costs are increasingly being covered by insurance, which may offer coverage for a variety of cyber-related losses. Some commentators have expressed concern over this market phenomenon. Specifically, the concern is that the presence of insurance is making the ransomware problem worse based on the following theory: because there is ransomware insurance that covers ransom payments, and because paying the ransom is often far cheaper than paying the restoration and business interruption costs covered under the policy, there is an increased tendency to pay the ransom, and a willingness to pay higher amounts. This fact, known by the criminals, increases their incentive to engage in ransomware attacks, which increases the demand for insurance. And the cycle continues. This Article demonstrates that the picture is not as simple as this story would suggest. Insurance offers a variety of pre-breach and post-breach services that are aimed at reducing the likelihood and severity of a ransomware attack. Thus, over the long term, cyber insurance has the potential to lower ransomware-related costs, even without government intervention. As recent research has shown, however, insurers have not yet fully embraced their potential role as ex ante and ex post regulators of cyber risk, a role for which they are especially well-suited. This Article discusses reasons why that might be the case and offers suggestions for how government intervention may help. Among these suggestions is a limited ban on indemnity for ransomware payments with exceptions for cases involving threats to life and limb, which would be an expanded version of what is already in place with the Office of Foreign Assets Control’s (“OFAC”) sanctions program. We also explain how a government regulator, such as OFAC, could serve a coordinating function to help cyber insurers internalize the externalities associated with the insurers’ decisions to reimburse ransomware payments, a role that is played by reinsurers in the context of kidnap-and-ransom insurance. Finally, we consider the idea of a federal mandate requiring property and casualty insurers to provide coverage for the costs of ransomware attacks but exclude coverage for the ransomware payments.

Insuring Evolving Technology

Asaf Lubin

Volume 28

Issue 1

PUBLISHED

Fall 2021

Abstract

The study of the interaction between law and technology is more critical today than ever before. Advancements in artificial intelligence, information communications, biological and chemical engineering, and space-faring technologies, to name but a few examples, are forcing us to reexamine our traditional understanding of basic concepts in torts and insurance law. Yet, few insurance professionals and scholars will identify themselves as working in the field of “law-and-technology.” For many of them, technology is “just a fact about the world like any other,” as Ryan Calo once put it, not one that always merits “special care.” This short paper is an attempt to build a first-of-its-kind bridge between these two scholarly silos. Directed at an insurance audience, the paper attempts to draw attention to a body of law-and-technology scholarship that has so far gone mostly unnoticed by insurance professionals. The paper is built on the premise that insurance lawyers, whose business model depends on the mitigation of losses from technological harm, are not dramatically dissimilar from their law-and-technology counterparts. Both are fascinated by the same set of questions: if, when, and how might private and public regulation mitigate losses resulting from technological risk. The paper draws key concepts from the law-and-technology literature to explore the effectiveness and utility of regulation in mitigating risks from emerging, evolving, and disruptive technologies. The paper further identifies the different phases in technology’s life cycle and discusses the challenges that each of these phases introduces to the insurance market. Relying on cyber insurance as its primary case study, the paper concludes by applying these insights to an assessment of a recent state-wide regulation, the New York Cyber Insurance Risk Framework, the first of its kind in the country. The paper demonstrates the promise and pitfalls of this type of regulation, taking into account broader trends in the cyber insurance market.

Uncle Sam Re: Improving Cyber Hygiene and Increasing Confidence in the Cyber Insurance Ecosystem via Government Backstopping

Bryan H. Cunningham & Shauhin A. Talesh

Volume 28

Issue 1

PUBLISHED

Fall 2021

Abstract

The year 2020 was a wake-up call, for the world and specifically for the cyber insurance ecosystem. The COVID-19 global pandemic reminded insurers, observers, and policymakers that actual or newly plausible attacks, including catastrophic cyberattacks, could pose existential threats to the cyber insurance ecosystem. This article examines this risk through a hypothetical catastrophic cyberattack, interviews with sixty participants across the cyber insurance ecosystem, and recent scholarly work. We find that the risk of a catastrophic cyberattack to the solvency of the global insurance ecosystem is real and that cyber insurers have not, as yet, fulfilled their promise to meaningfully improve our collective cyber hygiene. We examine several key reasons for these findings, including both a lack of data and of stability in the cyber insurance market, problems of attribution in cyberspace, and increasing uncertainty about the enforcement of war exclusions in cyber insurance coverage disputes. We offer a prioritized and interconnected set of proposals to shore up the cyber insurance ecosystem and incentivize needed improvements to our overall cyber hygiene. Specifically, we propose the “Catastrophic Cyberattack Resilience Act,” which would create a federally-funded financial backstop for the cyber insurance ecosystem. In order to be eligible for such backstopping, insurers would be required to: comply with new data and infrastructure security and cyber incident reporting requirements; accept United States Government certifications of attribution as conclusive; and forego enforcement of war exclusions in stand-alone cyber policies. Although scholars have explored aspects of the topics covered in this article, we believe ours is the first article to rely on in-depth interviews across the cyber insurance ecosystem, to specifically incorporate key findings and recommendations of the Cyberspace Solarium Commission and recent guidance from one of the first U.S. state financial regulators to address these issues in cyber coverage, and to provide a draft legislative solution addressing these reform needs, with specific implementing language. We offer these proposals not as a “silver bullet” but as part of an urgently needed debate to spur meaningful action before, not after, the catastrophe(s) likely to come, particularly in the absence of such reforms.

What Can’t Be Insured: The Policyholder’s Own Bad Acts

Travis Luis Pantin

Volume 29

Issue 2

PUBLISHED

Spring 2023

Abstract

From its early eighteenth-century beginnings, modern insurance law has been governed by what can be described as a “non-responsibility” requirement: the insured cannot recover for losses that it caused through its own misbehavior. Although this principle might seem intuitive (you should not be able to intentionally burn down your own home and then get paid for it), scholars continue to debate both the range of the principle’s application and its underlying rationale. Current theories of the requirement tend to argue that instrumental goals, such as the minimization of moral hazard or the maximization of victim compensation, ought to determine whether an insured can get coverage for its own bad acts. Yet these approaches fail to describe insurance law as it currently exists. This Article advances a new framework that corrects this deficiency. The framework identifies two distinct elements of the “non-responsibility” requirement: (1) the insured must have had substantial control over the act that caused the loss; and (2) the insured’s act must be something that is generally regarded as inherently wrong, rather than merely prohibited. When an insurer can demonstrate both elements, coverage is almost always disallowed. In making this argument, the Article aims to explore and articulate insurance law’s internal logic, rather than study it from the perspective of an external discipline. There are multiple benefits to this approach. First, it more accurately describes insurance law as it exists today, as well as its historical evolution. Second, it provides a normatively attractive account of the “non-responsibility” requirement’s central role in contemporary insurance law. Finally, the internalist theory of insurance law can help us better predict and justify extensions of private insurance-law concepts into vital policy areas such as healthcare and unemployment.

A Legal Framework for Net Zero Aligned Insurance Products

Franziska Arnold-Dwyer

Volume 29

Issue 2

PUBLISHED

Spring 2023

Abstract

This paper examines how the contractual framework of existing insurance products for consumers and small businesses can be adjusted to help them reduce their net GHG emissions, and thereby facilitate the transition to a sustainable net-zero economy (“Net-Zero Aligned Insurance Products” or “NZAIPs”). NZAIPs could give rise to legal and regulatory issues, and this paper considers how these issues could be addressed to create a legal environment that provides safe and fair market conditions for NZAIPs.