Dec 27 2016

Carrots and Sticks – Incentivized Cybersecurity Measures

The Economist argues that “Incentives need to change for firms to take cybersecurity more seriously.”

Businesses need both carrot and stick with regard to cybersecurity measures. Yes, legislation will force companies to do the bare minimum; but leaders need to see the upside of creating a thorough cyber risk management program which will make sharing of cyber breaches and mistakes more palatable for corporate boards.

A small investment in cybersecurity can pay huge dividends in the future. There are simple policy and procedure steps any firm can take without significant cost. For example, an Information Security Risk Assessment can illustrate where the company can make incremental improvements without a large capital outlay, and Cyber Hygiene training is a great way to ensure your teammates avoid simple mistakes, such as clicking on a link in a phishing email.

Insurance carriers already reward companies that take these simple steps, usually with a reduction in policy premiums but, more than that, with an insurance policy that is customized to the company instead of vague and generic. Cyber insurance is still the Wild West: there is no continuity or consistency in how policy limits are set or how claims are paid.

If the government really wants to continue to legislate, a great balance would be to reward companies that work toward building a cyber risk management program (complete with cybersecurity policy and procedures as well as Cyber Hygiene training) with tax breaks or similar.

Sticks are good; carrots are better.