In this month's debate, experts discuss whether or not companies should be obligated to sign up for cyber insurance.
FOR
David Navetta, partner, InfoLawGroup LLP
AGAINST
John Michener, chief scientist, Casaba
Cyber insurance is a valuable resource for businesses to use, but mandates are a potentially destructive way to go about it. Cyber threats are not uniform and different businesses face different threats. A business handling credit card processing has different issues than one handling medical records. Contractors handling classified data fall under different regulatory authority than banks – although both report to the U.S. government about their security. Right now, companies can shop around for a wide range of cyber insurance policies that are appropriate to their individual needs. A governmental mandate to have “appropriate” insurance would be effectively unenforceable, and a regulatory approach would soon result in the imposition of relatively rigid security and compliance controls that could have a significant impact on business operations. Rather than mandating insurance, companies should be liable for the cost of their compromises and should be left to manage the ensuing risk by some combination of internal security investments, cost acceptance and insurance.
For more about cyber insurance, check out this month's cover story, Insuring success.