Is there any evidence the insurers are actually driving increased security? Do their policies require certain security standards or backup processes? If they do, it's not a bad start.
Matt Levine wrote a little on the perverse incentives of insurers in this case: "This creates weird incentives. [Insurers] want the risk to be big and dangerous and salient. [Insurers] want everyone to worry about it all the time, so they [get] lots of money for premiums. Then ideally [insurers] help clients avoid the risk, so that [Insurers] can keep more of the premiums, but basically it is a volume business and [insurers would] rather collect more premiums and pay more claims than have fewer of each."
