ABSTRACT
This paper argues that promoting and regulating cybersecurity insurance could solve a key problem: despite the well-publicized hacks of businesses across the world and numerous government awareness campaigns, many small- and medium-sized companies (SMEs) in Europe do not practise proper cybersecurity. Introducing compulsory cybersecurity insurance for SMEs would be the single most effective way to achieve cyber resilience in a modern digital economy and protect businesses from both cybercriminals and state-sponsored hackers. Besides setting minimum standards for company cybersecurity and ensuring that post-breach support services are included in every insurance policy, governments must also address significant issues in the emerging cyber insurance market such as removing false incentives regarding ransoms and fines and creating a backstop mechanism to address aggregate risk. Moreover, they should ensure that all claims are collected in one database since this data would transform our understanding of malware threats and the costs they are causing. Combining these measures could unleash the potential of cyber insurance for the protection of all businesses and their customers, especially if the EU adopts a coherent policy for all member states.
Acknowledgments
The author would like to thank the numerous interviewees in the cyber insurance industry who generously shared their time and expertise, and Danny Steed, Daniel Woods, Asaf Lubin and the journal’s reviewers for further suggestions that improved the paper. The author is also grateful for the feedback received upon presenting earlier drafts of the paper at the University of Southern Denmark’s IR department, the 2019 Hague Cyber Norms conference and the Department of Digitalization, Copenhagen Business School.
Notes
6 This information is based on an interview with an ENISA employee conducted on 24 July 2019 and was confirmed in October 2020 by Laura Heuvinck, personal assistant to the Executive Director.
19 For this and other insights in this section I am grateful to Danny Steed, former project lead of the UK’s Cyber information sharing partnership.
21 See the speech of 26 February 2019 cited in fn. 5.
22 This information is based on an interview with an Insure Europe staff member conducted in July 2019.
Additional information
Notes on contributors
Jan Martin Lemnitzer teaches cyber security at the Department of Digitalisation, Copenhagen Business School. He holds a PhD from the London School of Economics and was formerly Director of Studies at the Changing Character of War programme, Oxford University, and Assistant Professor at the Center for War Studies, University of Southern Denmark. He has published widely on the emergence of global norms from the middle of the nineteenth century until today. He was co-organiser of the 2018 Odense Cyber Security conference (together with the ECFR) funded by the Danish Tech Ambassador, and researches the emergence of cyber norms, national cyber strategies, the potential of cyber security insurance and the question of neutrality in cyber space.