That insurance already exists. Periodic review by security pros is pretty much worthless, however. Nearly every company that has been hit had reviews by security pros, and many had compliance certifications.
What exactly are these security "pros" doing? I just don't understand how the ransomware guys could destroy the snapshot backup copies of the database in my desk drawer. Why don't companies with this much data to protect have air-bridged offsite backups?
How good are these reviews really? I'm thinking of top tier security pros on the calibre of Project Zero/Google. Doubt most hacks would have gotten past a thorough audit by those folks.
No material difference from a defense perspective. Offensive prowess does not result in defensive prowess. Just look at the Android bug bounty program [1], only $250K for a remote kernel arbitrary code execution, or Apple [2], $250K for a one-click kernel arbitrary code execution. To be fair though, that is on the high end of security; you could probably totally compromise any Fortune 500 company for less than that. And no, I am not joking or exaggerating; that is actually a serious statement.
Really, all these audits do is validate your security. If they find something at a price point, then you are probably vulnerable at that price point. Think of it like a live-fire test of a bulletproof vest against a gun. If a bullet goes through, then you probably cannot protect against that. If it does not go through, you still cannot be certain that it actually does provide comprehensive defense against that gun and bullet, but it is at least not totally ineffective. In the current state of the industry, any competent audit will find multiple critical vulnerabilities at these price points. It is like shooting an airsoft pellet at a "bulletproof vest" and seeing it pierce through. It is so fundamentally flawed that testing against a real gun (a better offensive specialist) is kind of meaningless, since to actually solve the problems you already need to completely redesign everything. Unfortunately, most companies who get such audits done think the takeaway is that the places the airsoft pellet went through must be the only problems, so if they just patch them up then everything else must be good because nothing pierced those other pieces, instead of realizing that observable quality defects in one place probably mean there are many unobserved quality defects in other places.
This is the point. Any review process that's sufficiently mechanical to be duplicated at scale becomes a box-[ticking|checking] exercise with little actual value. E.g. you can verify that backups are made and can be restored but how do you find mission critical data that isn't subject to backup?