This is why I've said for years: If you want to drive best practices and policy with companies you can only do it with liability. Particularly non-insurable and non-tax deductible liability. If a company can't offload civil or criminal penalties to their insurance company and take the tax write down, they suddenly start caring about it.

That said, this should be used sparingly; as it embeds a behavior deep. If that behavior later no longer makes sense it can be extremely costly to change it later.

> Particularly non-insurable and non-tax deductible liability

Too often liabilities exceed assets, or the liabilities are externalised.

Liability doesn't work as an incentive for many risks. For uncommon but extreme risks, it can be better to roll the dice on company failure than regularly pay low amounts for mitigation.

It is especially effective to ignore liabilities when a company has poor profitability anyways.

And then you see major companies sidestep the costs of their liabilities (plenty of examples after security failures, but also companies like Johnson&Johnson).