There is a lack of cybersecurity investments in almost every industry. The issue is that the executives making the decisions 1) Usually aren't knowledgable about CyberSec and 2) don't justify the investment because it's not something they can physically point at and take credit for. .
The "economist" proposed a solution: tire cyber-security incidents to the stock market. The approach proposed was something akin to "have someone count and display the incidents of each company and blast radius". I'm not sure if this would actually work.
The other capitalist option is to make cybersecurity insurance mandatory, and impose high fees both to reimburse victims and to some government watchdog/agency (yes, government watchdogs and capitalism can co-exist). Then, it will be in the insurer's best interest to have clients with adequate cybersecurity implementations, and the market can sort it out.
At the same time, we should make sure that any insurance company that chooses to pay the criminals instead loses their license to operate.
