Abstract

In the last half decade, cyber insurance has emerged as a multi‐billion‐dollar industry with the authority to set and enforce standards of security behavior. Although cybersecurity has become a concern of national policymakers, insurers appear to have supplanted the state to play an influential role in governing some aspects of client behavior. This paper explores private governance by cyber insurance firms and evaluates two competing explanations for its emergence – either that the private sector advanced to set and enforce cybersecurity standards for financial gain, or that the state retreated from its responsibility to regulate and private sector actors filled the gap only as necessary. To find an answer between these explanations, this article develops a single outcome case study of the American cyber insurance industry. Following a theoretical introduction to private governance and its manifestation through insurance, the article examines the insurance process and its application in cybersecurity, the key role of standards, and the mechanism of enforcing those standards. The article concludes by identifying key elements of this market‐based enforcement and discussing implications for crafting effective private governance in other domains and public policy.
