Suggested Annual Corporate Cyber Budget Elements

As of January 2, 2024, I think there are several budget elements that corporations should include, or consider including, in their list of known and probable (recurring) annual cyber expenditures.

My suggested annual corporate cyber budget elements are:

  1. Cost of creating and maintaining a cyber insurance program (which may mean purchasing multiple policies from multiple insurers, on the advice of your insurance broker, to obtain the coverage your corporation requires; this is inclusive of self-insurance [retention] and/or payments to any cyber captive in which your company participates);
  2. Cost of complying with government cyber security regulations in every country in which your corporation conducts commerce;
  3. Fines paid to regulators, in every country in which your corporation conducts commerce, for alleged non-compliance with that government's cyber security regulations;
  4. Damages paid for lawsuits lost in court over alleged non-compliance with cyber regulations, in every country in which your corporation conducts commerce;
  5. Payments to cyber attackers (unless a government in one or more of the countries in which your corporation conducts commerce lawfully prohibits payments of a certain kind, e.g. ransom, or payments to a sanctioned recipient);
  6. Ongoing salary and benefits for in-house CISOs (or CSOs) and their teams, or fees to third-party CISOs (e.g., vCISOs, vCSOs) and their teams, or some combination of the two;
  7. Cost of purchasing or licensing software and services from Cyber Advisory & Service Protection Firms (e.g., firms that provide cyber advice, cyber audits, cyber loss modeling, managed services [MSPs], or other cyber services that support your company in becoming cyber resilient).

I believe, however, that at some point in the future corporations will drop the carrier-sold coverage component of item #1 from the list, because insurers will stop selling cyber insurance. (In my view, insurers should not offer coverage for terrorism, business interruption during a global pandemic, or cyber risk.)

Cyber regulation compliance will not stop or slow down cyber-attacks

I believe that corporations will be accused of non-compliance with government cyber regulations by clients, prospects, and government regulators, and fined accordingly, even when they comply with every aspect of those regulations.

This is because adherence to government cyber regulations will not stop your corporation from being repeatedly cyber-attacked, and far too many people (even people who should know better) will believe that the reason for the continual cyber-attacks is your corporation's non-compliance with cyber regulations.

Happy New Year!!

2024 is a leap year. I have an extra day this year to comment that cyber risks are uninsurable. An extra beat on the drum, so to speak.
