Once again we have to ask whether the only way cyber-security will be brought under control is through government legislation. Companies may be tempted to view cyber losses as a cost of doing business, like any business risk. This is not a good way to approach the problem, since such costs are always passed back to the customer. As we have seen in the financial services industry, until a regulator with teeth starts to take an interest, risks are treated as part of doing business. The Netherlands is about to introduce tough breach disclosure rules, and this could become a template for the rest of the world.