Insurance and enterprise: cyber insurance for ransomware

Abstract Selling insurance gives insurers an incentive to manage insured risks. The “insurance-as-governance” literature demonstrates that often make conditional on ex ante risk reduction or mitigation. But governs in support of enterprise, not security for its own sake. Tight underwriting inhibits enterprise—not only businesses but also the business insurance. This paper highlights post loss as a form insurance-based governance. Drawing interviews with industry insiders, we explore how addressed evolving problems moral hazard, uncertainty and correlated losses since 1990s. We find cyber developed sophisticated remedies contain liabilities quickly restore affected IT systems, largely left decisions insured. facilitated enterprise short run undermined longer term: funding expediting ransom payments encourages further attacks. As improved their resilience, cybercriminals adapted ransoms escalated, calling insurability into question. Yet there remains little appetite imposing restrictive conditionality this highly competitive market. Instead, have turned governments criminal threats cushion catastrophic losses.