Harold Weston

Erin Kenneally

Asaf Lubin

Abstract

The study of the interaction between law and technology is more critical today than ever before. Advancements in artificial intelligence, information communications, biological and chemical engineering, and space-faring technologies, to name but a few examples, are forcing us to reexamine our traditional understanding of basic concepts in torts and insurance law. Yet, few insurance professionals and scholars will identify themselves as working in the field of “law-and-technology.” For many of them, technology is “just a fact about the world like any other,” as Ryan Calo once put it, not one that always merits “special care.”‘ This short paper is an attempt to build a first-of-its-kind bridge between these two scholarly silos. Directed at an insurance audience, the paper attempts to draw attention to a body of law-and-technology scholarship that has so far gone mostly unnoticed by insurance professionals. The paper is built on the premise that insurance lawyers, whose business model depends on the mitigation of losses from technological harm, are not dramatically dissimilar from their law-and-technology counterparts. Both are fascinated by the same set of questions: if when, and how, might  private and public regulation mitigate losses resulting from technological risk. The paper draws key concepts from the law-and-technology literature to explore the effectiveness and utility of regulation in mitigating risks from emerging, evolving, and disruptive technologies. The paper further identifies the different phases in technology’s life cycle and discusses the challenges that each of these phases introduces on the insurance market. Relying on cyber insurance as its primary case study, the paper concludes by applying these insights to an assessment of a recent state-wide regulation, the New York Cyber Insurance Risk Framework, the first of its kind in the country. The paper demonstrates the promise and pitfalls of this type of regulation, taking into account broader trends in the cyber insurance market.

Josephine Wolff

Bryan H. Cunningham & Shauhin A. Talesh

Abstract

The year 2020 was a wake-up call, for the world and specifically for the cyber insurance ecosystem. The COVID-19 global pandemic reminded insurers, observers, and policymakers that actual or newly plausible attacks-including catastrophic cyberattacks-could pose existential threats to the cyber insurance ecosystem. This article examines this risk through a hypothetical catastrophic cyberattack, interviews with sixty participants across the cyber insurance ecosystem, and recent scholarly work. We find that the risk of a catastrophic cyberattack to the solvency of the global insurance ecosystem is real and that cyber insurers have not, as yet, fulfilled their promise to meaningfully improve our collective cyber hygiene. We examine several key reasons for these findings, including both a lack of data and of stability in the cyber insurance market, problems of attribution in cyberspace, and increasing uncertainty about the enforcement of war exclusions in cyber insurance coverage disputes. We offer a prioritized and interconnected set of proposals to shore up the cyber insurance ecosystem and incentivize needed improvements to our overall cyber hygiene. Specifically, we propose the “Catastrophic Cyberattack Resilience Act,” which would create a federally-funded financial backstop for the cyber insurance ecosystem. In order to be eligible for such backstopping, insurers would be required to: comply with new data and infrastructure security and cyber incident reporting requirements; accept United States Government certifications of attribution as conclusive; and forego enforcement of war exclusions in stand-alone cyber policies. Although scholars have explored aspects of the topics covered in this article, we believe ours is the first article to rely on in-depth interviews across the cyber insurance ecosystem, to specifically incorporate key findings and recommendations of the Cyberspace Solarium Commission and recent guidance from one of the first U.S. state financial regulators to address these issues in cyber coverage, and to provide a draft legislative solution addressing these reform needs, with specific implementing language. We offer these proposals not as a “silver bullet” but as part of an urgently needed debate to spur meaningful action before-not after-the catastrophe(s) likely to come, particularly in the absence of such reforms.

Travis Luis Pantin

Abstract

From its early eighteenth-century beginnings, modern insurance law has been governed by what can be described as a “non-responsibility” requirement: the insured cannot recover for losses that it caused through its own misbehavior. Although this principle might seem intuitive-you should not be able intentionally to burn down your own home and then get paid for it-scholars continue to debate both the range of the principle’s application and its underlying rationale. Current theories of the requirement tend to argue that instrumental goals, such as the minimization of moral hazard or the maximization of victim compensation, ought to determine whether an insured can get coverage for its own bad acts. Yet these approaches fail to describe insurance law as it currently exists. This Article advances a new framework that corrects this deficiency. The framework identifies two distinct elements of the “non-responsibility” requirement: (1) the insured must have had substantial control over the act that caused the loss; and (2) the insured’s act must be something that is generally regarded as inherently wrong, rather than merely prohibited. When an insurer can demonstrate both elements, coverage is almost always disallowed. In making this argument, the Article aims to explore and articulate insurance law’s internal logic, rather than study it from the perspective of an external discipline. There are multiple benefits to this approach. First, it more accurately describes insurance law as it exists today, as well as its historical evolution. Second, it provides a normatively attractive account of the “non-responsibility” requirement’s central role in contemporary insurance law. Finally, the internalist theory of insurance law can help us better predict and justify extensions of private insurance-law concepts into vital policy areas such as healthcare and unemployment.

Franziska Arnold-Dwyer

Abstract

This paper examines how the contractual framework of existing insurance products for consumers and small businesses can be adjusted to help them reduce their net GHG emissions, and thereby facilitate the transition to a sustainable net-zero economy (= Net-Zero Aligned Insurance Products; “NZAIPs”). NZAIPs could give rise to legal and regulatory issues, and this paper considers how these issues could be addressed to create a legal environment that provides safe and fair market conditions for NZAIPs.

Margaret Murolo

Vincent Yesue

Peter Siegelman

Abstract

There is a well-known conflict of interest between liability insurers and policyholders with respect to the decision to settle or litigate a claim. This short note provides a simple graphical explanation for the problem and grounds it in the way the structure of the parties’ payouts drives their attitudes towards risk. An optional appendix links the insights to the elementary mechanics of financial options.