Insuring CyberInsecurity: does cyber insurance really protect your business? Academic Shauhin Talesh explores the cyber insurance world.

Cyber Insurance Basics
Let’s just go over some cyber insurance basics before I dive into the book.
Insurers sell cyber insurance to businesses to protect against technology and internet risks such as ransomware, hacked business web sites, business email compromise (BEC), exposed private data, etc. Your traditional business insurance does not cover these technical events. Any business that is totally reliant on and heavily invested in technology for business success needs to have cyber insurance. More on Cyber Insurance Basics here.
Cyber insurance will not cover your business if you don’t take reasonable care of your technology. That means you have to keep your systems and software up to date, have antivirus and network security, use a password manager (not a spreadsheet or little book), have an IT consultant with insurance, etc.
Insuring CyberInsecurity
Shauhin Talesh is a professor of Law and also Sociology and Criminology at the University of California Irvine. His book, Insuring CyberInsecurity, came out in August 2025 and the University of California Press provides the book as a free PDF and paid physical copy.
It’s not an easy 276-page read: besides the academic language there is a ton of insurance lingo PLUS technology security language to wade through. It is based on the U.S. system of insurance, which the Canadian system mirrors for the most part in terms of regulation.
Let me summarize the most important information for those folks who purchase cyber insurance.
Insurance Companies as Symbolic Regulators
Talesh’s main argument is that insurance companies end up as symbolic regulators because politicians defer to insurance companies for legislation and guidelines on data security and privacy. Like the United States, Canada suffers from politicians who like to copy and paste regulations. The recent trend of limiting car insurance accident payouts to tribunals based on insurer guidelines is one example; the recent attempts by the federal government to add age blockers to web sites are another.
Talesh shows that insurance companies have limited success at detecting and responding to cyber risks.

Does insurance make businesses more secure?
Mostly no. In fact an earlier book by Josephine Wolff, Cyberinsurance Policy, documents how cyber insurance actually normalized paying ransomware hackers instead of customers tightening their security and improving their backups.
Insurance companies use third-party security companies who scan the external security posture of businesses to decide on risk. Those third-party companies do not work with the businesses directly to examine internal risks or even understand the business itself.
Further, insurance companies tend not to investigate small business security at all: they provide a basic questionnaire which they don’t really follow up on, and they don’t explain exclusions. It is a little insurance theatre that does not really cover your assets.
Talesh provides in-depth examples of the above. I know from working with small business owners that what he says is also happening to small businesses in Canada. One naturopath told me her provincial college insurance provided a cyber security add-on but wasn’t clear on what was included or excluded or even asked any questions. I had one client who decided to fill out the questionnaire on their own and got 90% of the answers wrong. Wrong answers equal easy exclusions by the insurers.
More findings of note
Talesh also documents problems with how insurers decide on the cost and probability of risks. First, most private companies don’t report when they’ve been hacked or the costs of fixing the hack. Second, insurers rely on AI algorithms to come up with insurance determinations. AI is very new technology and not reliable, particularly as it is working with a limited data set.
Talesh does raise the question of insurers deciding on risk based on software that gets hacked frequently. I would go further. We have higher car insurance for young male drivers. Why not higher insurance for companies with young male programmers?
One last thought
We really need more writing on cyber insurance for business, but writing in plain language by folks who are NOT selling the insurance or selling security checks for insurers.
