In 2013, I was the federal energy sector lead for the NIST Cybersecurity Framework, which included a robust discussion on cybersecurity incentives. Unsurprisingly, cyber insurance became a large part of the discussion.

Ten years later, the landscape has shifted significantly , but we're still having the same debates around the appropriate role of risk transfer mechanisms for cybersecurity-- specifically the concerns around critical infrastructure:
https://www.lawfaremedia.org/article/if-cyber-is-uninsurable-the-united-states-has-a-major-strategy-problem