
Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks

Why cyberinsurance has not improved cybersecurity and what governments can do to make it a more effective tool for cyber risk management.

As cybersecurity incidents—ranging from data breaches and denial-of-service attacks to computer fraud and ransomware—become more common, a cyberinsurance industry has emerged to provide coverage for any resulting liability, business interruption, extortion payments, regulatory fines, or repairs. In this book, Josephine Wolff offers the first comprehensive history of cyberinsurance, from the early “Internet Security Liability” policies in the late 1990s to the expansive coverage offered today. Drawing on legal records, government reports, cyberinsurance policies, and interviews with regulators and insurers, Wolff finds that cyberinsurance has not improved cybersecurity or reduced cyber risks. 
 
Wolff examines the development of cyberinsurance, comparing it to other insurance sectors, including car and flood insurance; explores legal disputes between insurers and policyholders about whether cyber-related losses were covered under policies designed for liability, crime, or property and casualty losses; and traces the trend toward standalone cyberinsurance policies and government efforts to regulate and promote the industry. Cyberinsurance, she argues, is ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite—to disincentivize such payments to make ransomware less profitable. An industry built on modeling risk has found itself confronted by new technologies before the risks posed by those technologies can be fully understood.
 

275 pages, Kindle Edition

Published August 30, 2022

13 people are currently reading
31 people want to read

About the author

Josephine Wolff

11 books, 3 followers
Josephine Wolff is Assistant Professor of Cybersecurity Policy at the Fletcher School of Law and Diplomacy at Tufts University. Her writing on cybersecurity has appeared in Slate, the New York Times, the Washington Post, the Atlantic, and Wired.

Ratings & Reviews

Community Reviews

5 stars: 7 (38%)
4 stars: 9 (50%)
3 stars: 2 (11%)
2 stars: 0 (0%)
1 star: 0 (0%)
Displaying 1 - 3 of 3 reviews
Ali
441 reviews
February 26, 2023
This is probably the most comprehensive study on cyber insurance. Written by an academic, it reads a little like a textbook or a stack of research papers with many great references and specific cases. Overall it’s not an easy read by any means unless you’re a fan of legalese or enjoy dissecting diseconomies of insurance sectors, but it is a must-read for C-level executives to understand their coverage for fraud or cyber attacks with what level of policy or premium. It is no surprise to see the lengths that insurers will go to in denying claims with different interpretations of cyber war, terrorism or warlike activity or open peril or what constitutes direct use of computers for fraud.

“What makes cyber risk different is that it is not a single type of risk, that it extends to and interconnects nearly every other type of risk—from crime to liability to property and casualty losses—in ways so unpredictable and unprecedented that it is hard to imagine these actuarial complexities being captured simply by the collection of more data or the use of more sophisticated modeling tools.”

“Not all risks are cyber risks, but, increasingly, all types of risk have cyber components that insurers and their policyholders ignore or isolate at their peril”

Ben Rothke
362 reviews, 52 followers
January 17, 2023
If you don't have the time to read this great new book Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks (MIT Press) by Josephine Wolff, let me summarize it in 14 words:

• Company buys cyberinsurance
• They have a breach
• Insurance company denies the claim
• Company litigates

But if you want to educate yourself on cyberinsurance, you owe it to yourself to read every word in this fantastic book.

Virginia Haufler of the University of Maryland has written extensively about the critical role of the insurance industry in shaping global trade. Here, Wolff extends Haufler's theory of how increasing public-sector involvement is required for the development of insurance products intended to govern global risks and examines how it applies to cyber risk, as well as its limitations in the face of different nations' sometimes conflicting interests in security and data protection.

Kenneth Abraham of the University of Virginia is a leading scholar on insurance law. Wolff builds on Abraham's theory to explore the deterrence function of cyberinsurance and its effectiveness in creating incentives for policyholders to prevent losses in addition to spreading losses.

Founded nearly 350 years ago, the Hamburger Feuerkasse (Hamburg Fire Office) is the first officially established fire insurance company in the world. Yet when it comes to cyberinsurance, it is a mere 26 years old.

Wolff does an excellent job of detailing the growing pains of the cyberinsurance industry. She writes that the rise of ransomware caught the industry by surprise and started ebbing away at their profits. They used policy exclusions and got into the minutiae of the contractual language to deny the claims, which led to expensive litigation.

As it is a mere infant in the insurance world, one of the problems with cyberinsurance that the book repeatedly makes is the need for more high-quality data on the frequency of security incidents and the costs of incidents and outages.

As cyberinsurance is built upon traditional insurance, the book's first part deals with how traditional insurance works and is structured. While that can be a dry read, it is a needed preamble for the rest of the book. And Wolff has written a fascinating book that details the growth of cyberinsurance and the many challenges (and conflicts) the insurers and policyholders have faced since it was created.

Insurance, at its core, is a hedge against financial loss. But when it comes to data protection and cybersecurity, Wolff argues, quite compellingly, that cyberinsurance has failed to improve cybersecurity.

And that comes back to the need for better data around cybersecurity. The need for more reliable, consistently collected data has been a bane for cyberinsurance underwriters. This lack of robust actuarial data, which is de rigueur for every other insurance product, is sorely needed for cybersecurity. To the degree that no one really knows the costs of a security incident or how often they happen.

And worse than that, large-scale cyberattacks might be fundamentally uninsurable. To the degree that some in the industry are lobbying for government backup, akin to the Terrorism Risk Insurance Act (TRIA), which is a federal program that provides compensation for certain insured losses resulting from acts of terrorism.

This is a fascinating and engaging read for those looking to understand how cyberinsurance works, the nature of information risk, and the direction of this industry. The industry is in its infancy and going through a lot of growing pains. Wolff does a superb job of explaining these pains and what the industry needs to do to reach the levels of its older insurance siblings in the health, auto, and property and casualty insurance sectors.

Cyberinsurance policies are getting more expensive, and many don't cover the attacks the policyholders expected. But as cyberattacks increase constantly, cyberinsurance is becoming more critical. And to understand the importance and significance of cyberinsurance, this is an invaluable reference.
David Projects
1 review
September 11, 2025
This book raises an important point about how cyberinsurance is reshaping the way companies respond to ransomware and data breaches. What often gets overlooked is the impact on consumers whose personal information gets exposed. For instance, in the https://mydatabreachattorney.com/case... data breach sensitive financial details were compromised, highlighting why insurance alone isn’t enough — legal accountability and consumer rights matter just as much.