Insuring Cyber Insecurity: How Cyber Insurance Undermines Cybersecurity Among Businesses
HTML-код
- Опубликовано: 28 ноя 2023
- Shauhin Talesh, Nov. 2, 2023. Cyber risks-loss exposure associated with the use of electronic equipment, computers, information technology, and virtual reality-are among the biggest threats facing businesses and consumers. Despite these threats, prevailing research suggests that private organizations are not significantly changing their behavior in response. Although many organizations do have formal cybersecurity policies in place, the majority believe they are insufficiently prepared for a data breach, have not devoted adequate money, training, and resources to protect consumers’ electronic and paper-based information from data breaches, and fail to perform adequate risk assessments. Drawing on empirical observations over the past 5 years, this talk offers an explanation for why insurers who manage cybersecurity and privacy law compliance among organizations have not been more successful in curtailing breaches. The analysis draws on Talesh’s “new institutional theory of insurance,” which explains how insurers shape the content and meaning of law among organizations that purchase insurance. In response to vague and fragmented privacy laws and a lack of strong government oversight, insurers offer cyber insurance and a series of risk-management services to their customers. These services convey legitimacy to the public and to insureds, but fall short of improving the robustness of organizations, rendering them largely symbolic. Cyber insurers and managed security companies have flooded the market with high-level technical tools that they claim mitigate risk; but all they’ve really accomplished is to institutionalize a norm that policyholders need these tools to avoid cybersecurity incidents. Federal and state regulators and industry-based rating agencies have deferred to cyber insurers, without evidence that these tools actually improve security.
