https://orcid.org/0000-0002-5139-5554
![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
ABSTRACT
Faced with defending against myriad online threats, businesses are increasingly turning to insurers to purchase cyber-insurance policies that will shield them from bearing the full costs of these incidents. Eager not to miss out on the expanding market, insurers have aggressively ramped up their cyber-insurance offerings, and in doing so, have assumed enormous responsibility—and power—as the arbiters of what types of state-sponsored cyber-attacks are covered by insurance. This article argues that insurance companies are influencing multilateral processes and setting de facto standards around responsible state behavior in cyberspace through their policies on risk and liability for serious cyber-operations and “cyber-war.” It approaches this issue through the lens of the 2017 Russian NotPetya cyber-attack which led to significant legal disputes between many insurers and their policyholders about whether Russia’s behavior constituted a “warlike action” and was therefore excluded from insurance coverage under standard war exclusions.
Acknowledgments
This article builds on prior work published in Wolff (2022a) and Wolff (2021). Whereas those articles focus on the failure of insurers to identify effective countermeasures and security controls as well as the challenges they face in exercising existing policy exclusions to avoid covering state-sponsored cyberattacks, this article focuses on the role these insurers play in the larger multilateral governance ecosystem for establishing international cybersecurity norms.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Additional information
Notes on contributors
Josephine Wolff
Josephine Wolff is an associate professor of cyber-security policy at The Fletcher School at Tufts University. Her research interests include liability for cyber-security incidents, international Internet governance, cyber-insurance, cyber-security workforce development, and the economics of information security. Her first book You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches was published by MIT Press in 2018. Her second book Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks was published by MIT Press in 2022. Her writing on cyber-security has also appeared in Slate, The New York Times, The Washington Post, The Atlantic, and Wired. Prior to joining The Fletcher School, she was an assistant professor of public policy at the Rochester Institute of Technology and a fellow at the New America Cybersecurity Initiative and Harvard’s Berkman Klein Center for Internet & Society.