How Cyber Insurers and Managed Security Companies Influence the Content and Meaning of Privacy Law and Cybersecurity Compliance

Authors: Shauhin Talesh

Abstract:

Cyber risks (loss exposure associated with the use of electronic equipment, computers, information technology, and virtual reality) are among the biggest threats facing businesses and consumers. Despite these threats, private organizations are not significantly changing their behavior in response. Although many organizations do have formal cybersecurity policies in place, the majority believe they are insufficiently prepared for cybersecurity incidents, and have not conducted proper risk assessments or invested the necessary training and resources to protect consumers’ electronic information. Drawing on empirical observations over the past 5 years, this article explains why insurers who manage cybersecurity and privacy law compliance among organizations have not been more successful in curtailing breaches. The analysis draws on Talesh's “new institutional theory of insurance,” which explains how insurers shape the content and meaning of law among organizations that purchase insurance. In response to vague and fragmented privacy laws and a lack of strong government oversight, insurers offer cyber insurance and a series of risk-management services to their customers. These services convey legitimacy to the public and to the insureds but fall short of improving the robustness of organizations, rendering them largely symbolic. Cyber insurers and managed security companies have flooded the market with high-level technical tools that they claim mitigate risk, but all they've really accomplished is to institutionalize a norm that policyholders need these tools to avoid cybersecurity incidents. Federal and state regulators and industry-based rating agencies have deferred to cyber insurers without evidence that these tools actually improve security.

Keywords: regulation, compliance, insurance, cybersecurity, privacy law, organizations, risk management
