Insuring Cyberinsecurity

A free ebook version of this title is available through Luminos, University of California Press’s Open Access publishing program. Visit www.luminosoa.org to learn more.

Despite the massive costs associated with data breaches, ransomware, viruses, and cyberattacks, most organizations remain thoroughly unprepared to safeguard consumer data. Over the past two decades, the insurance industry has begun offering cyber insurance to help organizations manage cybersecurity and privacy law compliance, while also offering risk management services as part of their insurance packages. These insurers have thus effectively evolved into de facto regulators—yet at the same time, they have failed to effectively curtail cybersecurity breaches. Drawing from interviews, observations, and extensive content analysis of the cyber insurance industry, this book reveals how cyber insurers' risk management services convey legitimacy to the public and to insureds but fall short of actually improving data security, rendering them largely symbolic. Speaking directly to broader debates on regulatory delegation to nonstate actors, Shauhin A. Talesh proposes a new institutional theory of insurance to explain how insurers shape the content and meaning of privacy law and cybersecurity compliance, offering policy recommendations for how insurers and governments can work together to improve cybersecurity and foster greater algorithmic justice.