[rapind]

I’d be OK with that if it was unpreventable. I think there needs to be a burden on the business to show they had some level (TBD) of security practices and policies.

I’d prefer if they had to have insurance so the market can determine how much crappy security would cost them.

We should want to minimize these instances.

[toomanybeersies]

Trying to enact policy via the second order effects of the tax code is a terrible idea.

If companies should meet a minimum standard of security practices and policies, then this should be legislated. Same as fire codes and OH&S standards.

If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance.

[rapind]

"If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance."

This is what I'm saying. It's a far better solution than subsidizing bad security practices w/ tax. Require insurance and the insurance companies will ensure you have decent security practices (or pay a lot more). If you can't afford it for your business, well then your business can't compete in the market.

Obviously the details matter though. It would be rough at first, but eventually insurance companies would have a vested interest in quality security audits.