Market Incentives and Cybersecurity: Fixing the Broken System Before It Breaks Us
Insurance was suggested as another key ingredient, with the expectation that it could encourage investment in cybersecurity to reduce premiums. A comparable case could be found in the maritime industry, where insurer requirements drove shipping companies to implement effective anti-piracy measures.
However, it was generally felt that the cyber insurance industry was not functioning effectively. This could be due to a lack of appropriate data to allow insurers to price risk, as well as concerns around escalating threats driving premiums up to unaffordable levels. The root causes of this market failure are unclear, and further research would be useful.
Ultimately, it was generally agreed that market incentives had a role but could only go so far. There will be a need for the government to regulate and mandate certain behaviors, backed by the credible threat of strong enforcement and penalties. It was noted that it was the threat of directors going to jail that made companies take workers’ health and safety seriously. We have seen regulators pursuing the imposition of significant financial penalties on organizations after major data breaches. But do we need to go further and pursue criminal charges in cases of gross negligence resulting in major cyber incidents?
When discussing such stronger regulation, some suggested that it should be targeted towards upstream providers. While the Department of Home Affairs has not directly asked about this in its consultation on the strategy’s second horizon, the consensus from our discussion was that a key goal should be ensuring products and services are secure-by-design as a matter of course. Suppliers need to be incentivized to ensure they do not sell something that is unsafe. Since such a duty of care would also need to cover vetting onward supply chains, which suppliers may not be able to do entirely on their own, there may need to be some flexibility in who is held accountable.
Cybersecurity is not just an IT issue; it is a shared responsibility and an economic imperative. Only by ensuring resilience can we confidently adopt new technology and realize its benefits. The discussion underscored that the next horizon of the cyber security strategy would require a mix of incentives—including regulation, market forces and cultural change—to realize the government’s objective of building a secure and resilient digital economy.
Rajiv Shah is a fellow at ASPI and managing director of MDR Security. Debi Ashenden is director of the Institute for Cyber Security at the University of New South Wales. This article is published courtesy of the Australian Strategic Policy Institute (ASPI).