Why Cybersecurity Insurance Should Be Regulated and Compulsory

Jan Martin Lemnitzer*

*Corresponding author af dette arbejde

Publikation: Bidrag til tidsskriftTidsskriftartikelForskningpeer review


This paper argues that promoting and regulating cybersecurity insurance could solve a key problem: despite the well-publicized hacks of businesses across the world and numerous government awareness campaigns, many small- and medium-sized companies (SMEs) in Europe do not practise proper cybersecurity. Introducing compulsory cybersecurity insurance for SMEs would be the single most effective way to achieve cyber resilience in a modern digital economy and protect businesses from both cybercriminals and state-sponsored hackers. Besides setting minimum standards for company cybersecurity and ensuring that post-breach support services are included in every insurance policy, governments must also address significant issues in the emerging cyber insurance market such as removing false incentives regarding ransoms and fines and creating a backstop mechanism to address aggregate risk. Moreover, they should ensure that all claims are collected in one database since this data would transform our understanding of malware threats and the costs they are causing. Combining these measures could unleash the potential of cyber insurance for the protection of all businesses and their customers, especially if the EU adopts a coherent policy for all member states.
TidsskriftJournal of Cyber Policy
Udgave nummer2
Sider (fra-til)118-136
Antal sider19
StatusUdgivet - maj 2021

Bibliografisk note

Published online: 03 Feb 2021.


  • Cybersecurity
  • Cybersecurity insurance
  • Cyber resilience
  • Supply chain cybersecurity