I worked for a SMB at one time and even in those days, they chose to be self-insured. I then move to a Global organisation who also chose not to purchase cyber insurance.
Recently there have been many articles around cyber insurance, the cost and ultimately the fact that most if not all of the insurers are refusing to pay. This is due to language in policies and sometimes a misunderstanding.
I did hear one bright thought on the (ISC)2 quarterly update that they are attempting to work with Insurance companies on language, etc. I hope that they follow through on this and develop a checklist (probably not the right word) for both insurers and insurees to use when evaluating policies.
However, we all know from experience that insurance companies do not necessarily like to pay (ever have an auto accident or home insurance claim) and if they do, your premiums will increase in subsequent years.