If a company cuts corners on security, then in the same way that if I leave my door unlocked and get burgled, I can't make a claim. There's going to be a good living for lawyers establishing what is the required level of security. But if this incentivises senior managers to ask the right questions, then it's probably a good development.
Maybe. If you're buying an insurance policy to cover leaks of information, then almost by definition any claim is going to be the result of lax security. So, why bother buying insurance at all if the insurer can get out of it? The likely result is that those harmed won't be able to collect damages since there will be no insurance, and the company that lost the data will simply declare bankruptcy.
I think there are better precedents. For example, my company is routinely audited by its insurers or other certification bodies. If they spot a blocked electrical panel, that has consequences for the company. The purpose of the audits is to PREVENT bad things from happening, and of course passed audits will support later claims if something bad things happen anyway.
So, why not do the same with "cyber policies" or whatever they're calling them. The insurer states some standard that the policyholder is to be audited against. The policyholder agrees to be audited. If the audit passes, they're in the clear.
And that is what insurance is about - elimination of risk. If you are in charge of some big company you can get the blessing of the appropriate auditors and now it isn't you're fault if something bad happens. It is a bit like having an IT team with skin in the game.
Sure, you can hire what you think is a good IT security team, but how do you really know if you've gotten one? If you buy a cyber insurance policy you're getting that IT audit, but then if you're declared clean and you get burned anyway, that insurance company comes in and puts their money behind their words and pays for your loss. THAT is what insurance is supposed to be.