One example - startups that are looking to sign large enterprise contracts are often prevented from doing so because they don't carry a sufficient level of errors and omissions (E&O) insurance to satisfy customer requirements.
Getting that level of coverage can be difficult because few people on the insurance side really understand how to price software/security risk, and because the size of the contract isn't meaningful to the seller of the policy, though it is critical to the startup in question.
That seems straightforward to do (although it is difficult to find great developers to assess this stuff):
- Development process (Agile, Scrum, Waterfall, Panic, etc.)
- Architecture
- Testing processes
- Pentesting
- Credentials of all of the developers
- Credentials of the managers
- Even the presence of physical security
There's already "cybersecurity" insurance and surely someone from that industry could join and tell you how to price security features and processes: https://www.dhs.gov/cybersecurity-insurance
I can't really speak against it not being worth it for the insurance company though. How do you build a cheap but high coverage insurance product for startups that have limited cash?