It's even worse. Big companies are creating their own (captive) insurance firms: https://www.sueddeutsche.de/wirtschaft/cyberrisiken-cyberversicherung-basf-airbus-michelin-miris-1.5...
Article is in German but online translation features should help 🙂
In 2018, few were listening when Warren Buffett was asked if his insurance companies would get into cyber insurance. His answer was a clear no.
“We don’t want to be a pioneer on this ... I think anybody that tells you now they think they know in some actuarial way either what [the] general experience is like in the future, or what the worst case can be, is kidding themselves.” (source: https://www.cnbc.com/2018/05/05/warren-buffett-cybersecurity-risk-is-uncharted-territory-its-going-t...)
He wasn't wrong and those pioneers are now eating their shorts.
If you're a security professional today and you're not explaining to your principals that ransomware is not insurable, you should ask yourself serious questions.
Sic semper tyrannis.