I agree with the posters above--don't subsidize bad IT security practices!
If IT security meets certain standards, then by all means pay the claim. If not, then by paying the claim you are subsidizing bad behavior, and when you subsidize something you get more of it.