Cyber crime insurance policy now covers data breach losses

A recent circuit court ruling held that a company’s ‘computer crime’ policy covered it for losses stemming from a data breach, despite the policy stating otherwise. In the world of cyberinsurance, this is a game changer.

Cyberinsurance has been a hot topic of discussion among academics for at least a decade. We love to differentiate the issues of cyberinsurance from other forms of insurance by highlighting that, beyond the problems of information asymmetry (leading to the familiar moral hazard and adverse selection), computer systems are of course networked. This poses two separate but related problems.

The first issue is a problem for the firm: the security of your network is a function of the degree to which your business partners protect their systems. It’s a familiar problem not just in computer networks, but also with airlines. (See Howard Kunreuther and Geoffrey Heal (2003). Interdependent security. Journal of Risk and Uncertainty, 26(2-3):231–49.)

The second issue is a problem for the insurer: correlated failures. An attack on (or failure of) one client’s network might also signal an attack on (or failure of) another client’s network. We saw examples of this in the recent attack on universities in the US, Europe and Asia. As an insurer, you suffer a loss when clients file claims against their policies, and you become profitable only when you pool your risk. Now consider the consequences if, instead of one or two clients filing claims, they all did. In recent conversations with insurance companies, *this* is what keeps them up at night.

So what makes this ruling so important is that other traditional computer crime policies may now be used to recover losses from data breaches. This is nice for companies that suffer losses, but obviously bad for the insurance carriers. We can be assured that policies are very quickly being updated and revised.

For more information see: .