Josephine Wolff, associate professor of cybersecurity policy for The Fletcher School at Tufts University, who spoke to Carrier Management about growing gaps in understanding of cyber insurance between insurers and policyholders in the accompanying article, “Broken Promises? Policyholders React to Cyber Insurer Exclusions, Claim Denials,” is also the author of a book on the subject: “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks.”

Below are a few of the insights Wolff delivered in excerpts from the concluding chapter of the book:

  • “Carriers have been counting on their ability to collect data and refine risk models to offer coverage in a new market before they understand the risks fully… assuming that time and data will make it possible to use the same techniques they have used for other risks in the past.” But they haven’t been able to do this. One reason: Cyber is not a single type of risk. Instead, it interconnects with every other type of risk—crime, liability, property, etc.
  • “If public (government) funding is ultimately needed to help cover cyber risk, then insurers will be in a less powerful position to enforce cybersecurity standards.”
  • “Despite all the partnerships with security firms and years of collected claims data, insurers seem to have no greater insight into how to reduce a policyholder’s risk exposure…than they did when the market emerged in the late 1990s.”
  • “If [cyber insurance] doesn’t succeed in bolstering security standards, [it] could actually lead to the deterioration of policyholders’ security practices due to moral hazard.”
  • “The task that falls to insurers in developing cyber insurance is not just to model and understand a new class of risk but also to remodel and rethink every other existing class of risk they cover” because cyber risks are becoming increasingly intertwined with existing risks.
  • “When it comes to tackling cyber risk,…the most important thing insurers can do is to reinvent their old policies rather than write new ones.”