Fifty state insurance commissioners could make this more or less happen overnight, except to the extent firms are using something other than cyber coverage to pay ransoms.

In my eyes, this would do almost as much to improve cybersecurity as liability in tort for insecure software.