I was just watching a video on cybersecurity for electrical utility companies (In case you are interested) and in it, they pointed out that utilities operate on razor-thin margins and that it would be difficult to justify to a board additional spending on cybersecurity when there has not been such an attack going on thirteen years after 9/11.
Another commentator remarked that it would require regulation and the word makes some “scream and jump out the window”. To me, we are talking about an economic externality which requires an external incentive to fix (most likely in the form of a regulation, say authorization to assess a security surcharge).
In general, I feel it’s fair to say that where we see externalities, or at least negative externalities, regulation is called for. Now, the nature of regulation can take the form of something like Clean Air Futures, such regulations are required.