[colorint]

The global financial crisis showed that insurance isn't the answer. The problem with "hedging against all futures" is that the hedging is part of the system, and when the hedge grows to the scale of the thing being hedged, you have to start asking how you hedge the hedge (and so forth). That is, if Equifax can't pay out for a sufficiently large mistake, why would you expect their insurer to be able to do so? And, worse, what if the insurer is "too big to fail," so instead you just have the public serve as the backstop?

Hence I think your latter point is right, executives really need to be more criminally liable. It's hardly unheard of, even if Ken Lay died before sentencing.

[sp332]

I would put it the other way: if you can't afford insurance to cover the potential damage you're doing, then you're not allowed to do it. And I don't mean unforseeable events, I mean something obvious about your business, like creating a single giant repository of data about other people and then not securing it.

Of course the hackers are directly responsible for the damage, but Equifax's negligence sure didn't help. Maybe a fractional multiplier for sharing responsibility.

[inetknght]

Then who insures the insurers? Are insurances the next "too big to fail" type of companies?

[sp332]

Since the insurers are collecting money from lots of companies, maybe even from different industries, the odds of that happening are a lot lower.