They hand it off to other companies that specialize in auditing and overseeing the hack resolvement. If their partner company decide, that it’s worth paying. Then they pay.

If the partner company decides to try and negotiate, they can I guess… Hard to say, never saw how insurance plays out when a true hack occurs.

There is insurance for ransomware. Most companies I know, has bought it (surprisingly popular). I’m not surprised that the companies would be willing to pay

I doubt it would be of any use. Most companies underfinance IT and security, while CISO just writes “rules” on how things should be, instead of overseeing actual hardening.

CEOs on the other hand being financially or criminally responsible, may lead to something.

At least the EU NIS2 directive has the right idea about it

Does anybody know, if there is a metric this could have been based on? Or is it just one of those “I don’t like the country so they are not a real working class”?