This article describing how some companies rely on cybersecurity insurance to offset losses from cyber breaches was insightful to me. "cyber insurance is a post-fail risk offset and it should never replace a proper security program. When businesses overinvest in cyber insurance and underinvest in security controls, they are showing that they expect to be breached and have their insurers solve the problem, even though they won't."
Electric and gas companies that plan to purchase cybersecurity insurance policies may want to confirm what is and is not covered by these policies, and do a cost/benefit analysis to decide whether to invest their money in security controls or insurance premiums. FYI: Fines issued by NERC/FERC are usually not covered by cybersecurity insurance policies. The article is available here: https://www.darkreading.com/risk/the-cold-truth-about-cyber-insurance/a/d-id/1336234