Topic: Insuring Cyberinsecurity: Insurance Companies as Symbolic Regulators
Speaker(s): Professor Shauhin Talesh

Date / time: 28/04/2026, 1:00 pm - 2:00 pm

Virtual Lecture

REGISTER HERE

Cyber risks—loss exposure associated with the use of electronic equipment, information technology, and computers—are among the biggest threats facing businesses and consumers. Despite these threats, prevailing research suggests that private organizations are not significantly changing their behavior in response. Although many organizations do have formal cybersecurity policies in place, the majority believe they are insufficiently prepared for a data breach, have not devoted adequate money, training, and resources to protect consumers’ electronic and paper-based information from data breaches, and fail to perform adequate risk assessments. Drawing from interviews, observations, archival research and extensive content analysis of the cyber insurance industry, this book explains why insurers who manage cybersecurity and privacy law compliance among organizations have not been more successful in curtailing breaches. Drawing from organizational sociology and theories of regulation, I offer a “new institutional theory of insurance,” which explains how insurers shape the content and meaning of law among organizations that purchase insurance. In response to vague and fragmented privacy laws and a lack of strong government oversight, insurers offer cyber insurance and a series of risk-management services to their customers. These services convey legitimacy to the public and to insureds, but fall short of improving the robustness of organizations, rendering them largely symbolic. Cyber insurers and managed security companies that they have partnered with have flooded the market with high-level technical tools that they claim mitigate risk; but all they’ve really accomplished is to institutionalize a norm that policyholders need these tools to avoid cybersecurity incidents. Federal and state regulators and industry-based rating agencies have deferred to cyber insurers, without evidence that these tools actually improve security. 
This deference bubbles up even into private, federal, and state standards, regulations and laws in this area that allow insurers tremendous space to influence and shape cybersecurity policy in society. Insurance companies and affiliated entities are influencing what privacy law and cybersecurity compliance means on the ground. I conclude by offering policy recommendations for how insurers and governments can work together to improve cybersecurity and foster greater algorithmic justice.

Presentation downloads are only available to logged-in members of BILA.