Over the last decade, electronically stored data has become both an indispensable asset and an emergent liability for companies that transact business online. Almost weekly, data breaches and computer crimes make national headlines, compounding the public’s demand for adequate protection of sensitive consumer information. Increasingly, entities doing business in the information age find that traditional commercial general liability insurance policies do not cover the loss or theft of electronic data, leaving those entities with a sizable gap in insurance coverage in the event of a data breach.
In response to this coverage gap, insurers have begun underwriting cyber-risk insurance policies to specifically address the perils of e-commerce. These policies range from coverage for losses and fines associated with data breach notification statutes, to comprehensive indemnity from consumer class action suits, infrastructure remediation costs and credit monitoring for affected individuals. Similar to more established types of insurance, however, cyber-risk coverage is not immune from the traditional vulnerabilities of the insurance marketplace, including moral hazard and adverse selection.
This Article seeks to provide insurers and policymakers with a suggestion for mitigating moral hazard in the cyber-risk insurance market. Through an analysis of information security regulation and public policy considerations, this Article proposes an information exchange that insurers and regulators may use to share loss data, claim costs, and compliance audits of insureds, in an effort to more effectively price cyber-risk coverage and thereby reduce the moral hazard presented by insureds that possess insufficient information security infrastructure. Admission to this information exchange is predicated on two conditions: first, an insurer must pledge to discount premiums for entities that employ information security infrastructure that sufficiently protects consumer custodial data as a matter of public policy; and second, insurers writing cyber-risk coverage must contribute their own loss data to this information exchange.
The result of this proposal is a recommendation for an information-sharing platform, which encourages insurers to pool loss data and differentiate premiums for preferred risks. Because cyber-risk insurance is neither a market-driven private enterprise engaged in the unrestrained pursuit of profit, nor a tightly regulated, monopolistic public utility, this Article seeks to balance the autonomy of insurers with the public’s need for adequately secured personal information to create a system that simultaneously mitigates moral hazard for insurers while encouraging the adequate protection of consumer data.