This is an interesting spin on the GDPR (general data protection regulation) approaching in May 2018. Previous post on this topic.
If companies do not comply with the requirements they can be fined.
I wonder, though, if this will increase reliance on offloading the information and security risk to insurance, for the same reason that residential insurance refuses to cover older houses with knob-and-tube wiring or other “uninsurable” features. So when insurance companies start to play in this space, in a more perfect world the insurance company would want verification that the insured party is already exercising good security practices and enforcing policies along the lines of “best practices” for that industry. DHS has some information for you in this area: https://www.dhs.gov/cybersecurity-insurance
The Chamber of Commerce is also getting some play: https://securityledger.com/2017/06/chamber-of-commerce-floats-guidelines-for-cyber-credit-ratings — a cybersecurity rating for businesses, like a credit rating, should raise the bar on how businesses take actions to protect their (and your) information.