Re: "cyber attack coverage"
Cyber security is hard to do well. There a bunch of are easy things -- which should be mandatory things to do. And there are hard things to do. Effectively combatting human nature is by definition hard, if not impossible to do. Some, perhaps many, people simply lack the ability to recognize a dodgy URL, regardless of how many classes they're given and videos they're shown. Some, perhaps many, people will fall to scammers' tricks ("Hi, Dan, this is Matt in Accounting. There's something wrong with the system, and my password doesn't work on our SAP server. It's got some data I need to pull together a report the boss is screaming for, and I've called IT, but they're really busy and the voice system says the queue time is currently at 40 minutes. Can you do me a major big and loan me your password to the accounting interface module? I know you're really not supposed to, but it's just this once and it'd get me out of a huge jam. Oh, thank you ever so much ..."), no matter how many seminars they're sent to.
It's generally not because people are "stupid" (yes, some people are stupid, but on the average, they are not). It's a genetic thing about how their minds work. And because of that, no matter how skilled and diligent and well-supported your cybersecurity team is, eventually, a scammer will get through.
Software patches are a different kettle of worms. Some patches eliminate needed functionality, some patches are themselves buggy, and it's a crap-shoot whether a particular 0-day exploit can be successfully used against your company or not.
You have to face knowing at some day in the cybersecurity wars, you are going to lose. That is what the insurance is for.
Finger-pointing won't help, but, humans being humans, that too will continue.
(Icon 'cause they -- Boards of Directors, and insurance companies -- want to escape paying.)