Insurance and enterprise: cyber insurance for ransomware

Anja Shortland, Tom Baker*

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

7 Citations (Scopus)


Selling insurance gives insurers an incentive to manage insured risks. The “insur- ance-as-governance” literature demonstrates that insurers often make insurance con- ditional on ex ante risk reduction or mitigation. But insurance governs in support of enterprise, not security for its own sake. Tight underwriting inhibits enterprise— not only for insured businesses but also for the business of insurance. This paper highlights ex post loss reduction as a form of insurance-based governance. Drawing on interviews with industry insiders, we explore how insurers addressed the evolv- ing problems of moral hazard, uncertainty and correlated losses since the 1990s. We find that cyber insurance developed sophisticated remedies to contain liabilities and quickly restore affected IT systems, but largely left security decisions to the insured. This facilitated enterprise in the short run but undermined security in the longer term: funding and expediting ransom payments encourages further attacks. As businesses improved their resilience, cybercriminals adapted and ransoms esca- lated, calling insurability into question. Yet there remains little appetite for imposing restrictive conditionality in this highly competitive market. Instead, insurers have turned to governments to contain criminal threats and cushion catastrophic losses.
Original languageEnglish
JournalGeneva Papers on Risk and Insurance
Early online date4 Dec 2022
Publication statusE-pub ahead of print - 4 Dec 2022


Dive into the research topics of 'Insurance and enterprise: cyber insurance for ransomware'. Together they form a unique fingerprint.

Cite this