Let's drop "cyber" for a second.
Suppose some (potentially foreign, state-sponsored) actor starts to physically attack/kidnap company employees in the company's home country, to the point that it starts to affect the bottom line. No one would say "They have to start investing more into security". It would be normal for the company to totally offload the problem on the home state.
Now, getting back to "cybersecurity": why is a company supposed to handle it instead of offloading the problem on the state?
Two of the things that struck me about this market are (a) the insurance companies require their customers to get serious about mitigating the risk. Employees all have to attend training on how to avoid kidnapping and what to do when it happens, the insurance customer has to take other measures to limit where they go, the customer has to beef up physical security, etc. And there are some situations they refuse to insure, so that's a big red flag. The insurance company becomes a partner in doing everything they can to prevent kidnappings. And (b) customers are sworn to secrecy and may not reveal that they have this insurance. Employees don't know they are insured against kidnapping. They don't want kidnapped employees spilling the beans.
The insurers have local negotiators in their employ who often have longstanding relationships with the kidnappers.
Anyways, a bit tangential, but I learned a lot about this niche industry, and it gave me more of an appreciation for how insurers can raise the professionalism of their customers in their efforts to minimize risks. A similar approach with the benefit of setting standards could definitely apply to cybercrime insurance.
Because of various arcane feudal remnants, the ownership of certain pieces of land comes with an obligation to pay for repairs to the local church building. This can be very expensive, so buyers of land where there is a possibility that this liability might exist are advised to buy insurance to cover it.
This insurance is very cheap, because it's quite rare for this liability to be discovered; usually it's a one-off payment of about £30-50 on buying the property. It is, however, a standard term in the policy that it is void if you tell anyone that it exists.
The reason for this is that, while the liability for repairs to any given church originally attached to one piece of land, this land has often been subdivided. In this case, the owners of all the pieces of land are jointly and severally liable for repairs; in other words, the church can go after any one of them for the full cost. And, of course, a property owner with insurance is a more attractive target as they're more likely to be able to pay, and to do so without making unpleasant headlines about how they might lose their home because of an obscure mediaeval law.
Moreover, I don't think many tech companies want to give the state the access required to implement preventative security measures for them; they'd rather roll them themselves to maintain control.
Locks are for honest people.
> to implement preventative security measures for them
That's not a job of the state. The job of the state is to punish (cyber)criminals. And it's not the harshness of the punishment that matters, it's the inevitability.
That's a great slogan. But your (cyber)security stance obviously affects your risk. There are things you can do with business model, stance, and organizational controls that absolutely affect your exposure to both cybercrime and real-world crime. Your home state can absolutely provide help in your strategy against (cyber)crime, but surely we also should probably avoid getting blackout drunk and flashing large sums of cash around dense urban cores, too.
We don't have wars where engineers do some work and render soldiers intrinsically immune to grenades but we can prevent buffer overflow attacks by not using bad functions. We don't need to develop new police practice to deal with every new house design or modification.
Especially given that computers themselves are hijackable, you cannot rely upon ad baculum cybersecurity.
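The remark above about preventing buffer overflows "by not using bad functions" is the kind of prevention a business can do for itself without any help from the state. As an added illustration (not code from anyone in this thread), here is a constructed C record with a fixed-size name field, the unbounded `strcpy` pattern that lets oversized input run past the field, and a checked replacement that measures the input first and refuses anything that will not fit. The `user_record` struct, `NAME_MAX`, and both function names are assumptions made up for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Constructed example record: the kind of fixed-size struct a service might
 * fill from a request field. The flag that follows the buffer is there to show
 * what an overflow of `name` would overwrite. */
struct user_record {
    char name[NAME_MAX];
    int  is_admin;
};

/* The "bad function" pattern. strcpy copies until it finds a NUL and never
 * looks at the destination size, so any input of NAME_MAX bytes or more writes
 * past `name` into `is_admin` and beyond. Shown for contrast only; nothing in
 * this example calls it on input that does not fit. */
void fill_record_unsafe(struct user_record *r, const char *src) {
    strcpy(r->name, src);
}

/* Hardened form: bound the scan to the bytes we could accept, reject input
 * that would not leave room for the terminating NUL, and only then copy.
 * Returns 0 on success and -1 when the input is rejected; on rejection the
 * record is left untouched. */
int fill_record_checked(struct user_record *r, const char *src) {
    /* memchr is standard C and stops after NAME_MAX bytes, so an unterminated
     * or overlong input cannot make us read past what the field can hold. */
    const char *nul = memchr(src, '\0', NAME_MAX);
    if (nul == NULL) {
        return -1;                       /* NAME_MAX or more bytes: does not fit */
    }
    size_t len = (size_t)(nul - src);   /* len <= NAME_MAX - 1 here */
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

int main(void) {
    struct user_record r = { "", 0 };

    /* Constructed inputs: one that fits, one that would have overflowed. */
    const char *ok_name  = "alice";
    const char *too_long = "a-name-that-is-far-too-long-for-the-field";

    printf("checked(\"%s\") -> %d, name=\"%s\", is_admin=%d\n",
           ok_name, fill_record_checked(&r, ok_name), r.name, r.is_admin);
    printf("checked(too_long) -> %d, name=\"%s\", is_admin=%d\n",
           fill_record_checked(&r, too_long), r.name, r.is_admin);
    return 0;
}
```

The checked version turns an overflow into an ordinary error return that the caller can log and act on, which is also the point where a detection rule ("oversized field rejected N times from one client") naturally attaches.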
To a certain extent it does get offloaded, just like other crimes. But also like other crimes, businesses have a role to play in prevention, and basic competency in security should be expected.
It's 2021. If you employ more security guards than cybersecurity pros, you may be doing it wrong.