Governance via Insurance: Cyber Insurance Companies as Regulatory Intermediaries – Implications on Israeli Policymaking

By: David Levi-Faur

Cyber insurance companies are increasingly taking over regulatory roles in cybersecurity governance in the United States. Growing supply and demand for insurance have created a market of more than 500 companies that reached 2 billion dollars in 2016 (NAIC, 2016). Beyond the practice of risk-spreading, insurance carriers use their risk mitigation experience to carry out regulatory roles of standard-setting and compliance-management for their customers, in practice participating in cybersecurity governance as regulatory intermediaries that implement and enforce regulation (Talesh, 2017). This study therefore asks how and why U.S. cyber insurance companies perform regulatory-intermediation roles of risk-prevention across market sectors, and how the practice of risk-assessment and cyber expertise building among U.S. insurance companies can be translated to the Israeli ecosystem. Through a comparative analysis of cyber risk-management practices deployed by insurance companies in the U.S. market, this study aims to assess the quality of cyber risk-prevention strategies, explain the political origins of these practices, and adapt and apply successful practices to the Israeli market. The development of insurance companies from deploying risk-spreading mechanisms to taking over responsibility for risk-prevention strategies within their clients’ organizations has not been studied in the cybersecurity or private-governance literature. Their increasing influence and newly emerging regulatory roles require scholarly attention, both to understand an emerging risk-regulation practice and to explain the origins of the capacity growth of regulatory intermediaries in the regulatory process. In addition, cyber risk-management practices from the U.S. insurance industry can be translated into policy recommendations for stimulating Israel’s cyber insurance market.