I think many companies are looking to this type of insurance as a shortcut to avoid spending money on implementing actual preventative security measures and to also avoid the dreaded audit of their systems that would reveal their negligence when it comes to information security.

Given the rash of ransomware attacks and breaches of late (Capital One’s insurance policy has a $10 million deductible for $400 million in coverage), I would expect the criteria for getting such insurance to go way up, as in much higher deductibles and lower payouts, if you can’t prove via an audit by the insurance company that you are at a minimum taking care of the basics for information security.