
Don't the insurance companies have their own cyber security policies and teams?
Assuming the insurance companies are protecting themselves against malware, ransomware, cyber attacks, etc., they should have internal policies they have for their own use.
They should, in theory, have an IT team, cyber security team, etc.
After all, insurance companies, generally being billion-dollar organisations, should have their own internal mechanisms for cyber defence.
So if all the insurance companies get together, and figure out what they are all doing for themselves, make a standard that captures the policies, procedures, etc.
And use that as a baseline for the customers who are purchasing cyber security insurance.
Am I missing something? Or am I wrong in thinking this should be a relatively easy way to get a standard that they can all agree to?
Hell, maybe even create an organisation which liaises with all the insurance companies to check what they are doing, and create yearly standards, which all insurance companies and client organisations have to follow.