Why Cybersecurity Insurance Should Be Regulated and Compulsory

Jan Martin Lemnitzer*

*Corresponding author for this work

Research output: Contribution to journal, Journal article, Research, peer-review


This paper argues that promoting and regulating cybersecurity insurance could solve a key problem: despite the well-publicized hacks of businesses across the world and numerous government awareness campaigns, many small- and medium-sized companies (SMEs) in Europe do not practise proper cybersecurity. Introducing compulsory cybersecurity insurance for SMEs would be the single most effective way to achieve cyber resilience in a modern digital economy and protect businesses from both cybercriminals and state-sponsored hackers. Besides setting minimum standards for company cybersecurity and ensuring that post-breach support services are included in every insurance policy, governments must also address significant issues in the emerging cyber insurance market such as removing false incentives regarding ransoms and fines and creating a backstop mechanism to address aggregate risk. Moreover, they should ensure that all claims are collected in one database since this data would transform our understanding of malware threats and the costs they are causing. Combining these measures could unleash the potential of cyber insurance for the protection of all businesses and their customers, especially if the EU adopts a coherent policy for all member states.
Original language: English
Journal: Journal of Cyber Policy
Issue number: 2
Pages (from-to): 118-136
Number of pages: 19
Publication status: Published - May 2021

Bibliographical note

Published online: 03 Feb 2021.


  • Cybersecurity
  • Cybersecurity insurance
  • Cyber resilience
  • Supply chain cybersecurity
