Don't change the ban, change the insurance policy.
The law is right to keep pen testers with unknown-coloured hats at bay. The problem is obtaining permission to carry out defensive screening. Emailing the hapless outfit with "Hi, can I run a fake cyberattack on you?" can hardly have a good response rate.
We need a regulatory regime where insurance companies put your permission in the small print and are then able to delegate the research to approved cybersecurity operations.