Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks

[Book cover: "Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks"]

Book written by Josephine Wolff

Book review by Ben Rothke

Bottom Line

I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.


If you don't have the time to read Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks (MIT Press) by Josephine Wolff, let me summarize it in 14 words:

  • Company buys cyberinsurance
  • They have a breach
  • Insurance company denies the claim
  • Company litigates

But if you want to educate yourself on cyberinsurance, you owe it to yourself to read every word in this fantastic book.

Virginia Haufler of the University of Maryland has written extensively about the critical role of the insurance industry in shaping global trade. Here, Wolff extends Haufler's theory that increasing public-sector involvement is required for the development of insurance products intended to govern global risks, examines how it applies to cyber risk, and considers its limitations in the face of different nations' sometimes conflicting interests in security and data protection.

Kenneth Abraham of the University of Virginia is a leading scholar on insurance law. Wolff builds on Abraham's theory to explore the deterrence function of cyberinsurance and its effectiveness in creating incentives for policyholders to prevent losses, in addition to spreading losses.

Founded nearly 350 years ago, the Hamburger Feuerkasse (Hamburg Fire Office) is the first officially established fire insurance company in the world. Cyberinsurance, by contrast, is a mere 26 years old.

Wolff does an excellent job of detailing the growing pains of the cyberinsurance industry. She writes that the rise of ransomware caught the industry by surprise and started eating away at its profits. Insurers used policy exclusions and got into the minutiae of the contractual language to deny claims, which led to expensive litigation.

Because cyberinsurance is a mere infant in the insurance world, one problem the book repeatedly returns to is the need for more high-quality data on the frequency of security incidents and the costs of incidents and outages.

As cyberinsurance is built upon traditional insurance, the book's first part deals with how traditional insurance works and is structured. While that can be a dry read, it is a needed preamble for the rest of the book. And Wolff has written a fascinating book that details the growth of cyberinsurance and the many challenges (and conflicts) the insurers and policyholders have faced since it was created. 

Insurance, at its core, is a hedge against financial loss. But when it comes to data protection and cybersecurity, Wolff argues, quite compellingly, that cyberinsurance has failed to improve cybersecurity.

And that comes back to the need for better data around cybersecurity. The lack of reliable, consistently collected data has been a bane for cyberinsurance underwriters. Robust actuarial data, which is de rigueur for every other insurance product, is sorely lacking for cybersecurity, to the degree that no one really knows the costs of a security incident or how often incidents happen.

Worse than that, large-scale cyberattacks might be fundamentally uninsurable, to the degree that some in the industry are lobbying for government backup akin to the Terrorism Risk Insurance Act (TRIA), a US federal program that provides compensation for certain insured losses resulting from acts of terrorism.

This is a fascinating and engaging read for those looking to understand how cyberinsurance works, the nature of information risk, and the direction of this industry. The industry is in its infancy and going through a lot of growing pains. Wolff does a superb job of explaining these pains and what the industry needs to do to reach the levels of its older insurance siblings in the health, auto, and property and casualty insurance sectors. 

The recent massive Caesars Entertainment and MGM ransomware hacks highlight how adversaries today are upping their game. The Wall Street Journal reported that Caesars had paid roughly half of the $30 million its attackers demanded in exchange for a promise that they wouldn't release stolen customer data. 

One of the hedges companies are using against these attacks is cyberinsurance. But the challenge is that many cyberinsurers are reluctant to pay when they feel that the victim company did not perform adequate cybersecurity due diligence to prevent the attack in the first place.

Cyberinsurance policies are getting more expensive, and many don't cover the attacks the policyholders expected. But as cyberattacks continue to increase, cyberinsurance is becoming more critical, and for understanding its importance and significance, this book is an invaluable reference.

No reasonable driver gets into a car without first acquiring auto insurance. Similarly, no reasonable CIO, CTO, or CISO will operate in an environment where they do not have cyberinsurance. In 2023, they would be derelict in their duties if they did otherwise.

In conclusion, cyberinsurance is now de rigueur. For those who want to understand the current state of cyberinsurance and its criticality to IT in general, and cybersecurity specifically, Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks is a fundamental title. And a worthy candidate for the Canon.