
Doing cybersec consulting, the majority of the clients I worked with already had data breach insurance. The funny thing is that such insurance actually just makes it easier for these companies to cheap out on actual security. What's better for the bottom line, paying $50 million for a strong security program (that will probably get hacked anyway), or paying $20 million for a good insurance policy that will just cover all our damages when we get hacked? (The actual path chosen is usually somewhere in the middle, but I hope you see my point.)


If the insurance company had to pay out $20B, the plans would either cost a _lot_ or they would have tons of actually legitimate requirements with inspections (like you see with fire insurance of super expensive buildings: you don't get to just buy cheap fire insurance without having tons of procedures in place for mitigating fire).


The data breach insurance I'm aware of does have such requirements, but cybersec standards change so rapidly, and it costs so much to do any decent inspection, that in practice it just doesn't work as well. It's not like a building where fire codes are more or less the same from year to year, and where a fire inspection can be done in less than a week (if not a single afternoon).

Most organizations I've seen have a very complicated risk management formula to determine how much they're willing to spend on things like cybersecurity. I simplified it in my original comment, but from what I've seen in the current state of things, insurance is typically on the side of the equation that justifies spending less on security, not more.



