by ikiris 2197 days ago
I'd actually expect this to be the opposite. Insurance is heavily risk analysis based. It sounds like they were choosing to take the risks because either you didn't show them properly, or you don't realize how cheap the actuated cost of non compliance is.

I follow your reasoning... but no, that wasn't the case here. A number of board members of this org fought for and succeeded in getting increased investment in a true info-sec program due to years of very lax security culture and a series of internal audits elaborating the risk to the org. The CEO and CIO were constantly grossly over budget on pet software dev initiatives, which the board was becoming increasingly concerned with - then here come the info-sec folks with a laundry list of gaping security holes in said over-budget software projects, in response to which the CEO and CIO proceeded to dodge meetings, ignore risk assessment communications, direct their underlings to exclude and shut out the sec team, and keep the board in the dark. It was a toxic culture; glad I left when I did.