Cyber Insurance Underwriting


I've learned from my current carrier that underwriting experiences in cyber tend to be somewhat inverted from traditional insurance lines (i.e. the more claims reported, the more data is collected which potentially _lowers_ premium). What have others' experiences been?

Insurance
Cyber
Risk Management
Information Technology
Security
Jon Bartelson
77 months ago

3 answers


In my experience, underwriting suffers from a tremendous lack of event data: essentially all the mortality, morbidity, and contributing-factor data that make up the basis for underwriting life, P&C, house and all other types. Since there is much reluctance on the part of companies to do this reporting (a complex issue in itself, this reporting), getting the data often proves to be very difficult. Some of the issues:

  1. No legal mandate to report except in specific industry sectors.
  2. No "safe harbor" method of reporting yet defined: one that acquires the data in a sanitized manner without ascribing blame, so to speak.
  3. From available data: separating primary impact from consequential damage.
  4. Defining mitigations that will impact premium-setting: what works or not, "better or worse" outcomes, etc.
  5. The insurance companies having a minimum set of universally agreed steps insureds must take to get better rates.
  6. Having solid, proven, accepted metrics everyone can use and regard as "valid and authentic".

There is general agreement on what makes for better programs, reduced troubles, and suchlike. There is, however, no firm agreement on certain elements. In health and life, it is well proven and accepted that cutting back on smoking, high-fat diets and alcohol intake, stopping bungee-jumping, and not working around asbestos (some examples) are almost universally accepted as life-quality extenders and improvers; no guarantee of living to be 90, but no doubt about your health being better (lower risk of illness and disease).

Cybersecurity, as a methodology looked at for "cause and effect" the way healthcare and outcomes often are, simply does not work that way. Example: your best methods of protection are proof against successful attack, until one of your workforce succumbs to a phishing attack and launches malware that enables data theft. Example: the most perfect and complete business continuity plan makes no difference if it is not regularly tested or is allowed to go stale (happens a lot). Example: hackers know the technology as well as we defenders do, and often have the time and money to fund their attacks that we do not have to defend against them. Their advantages (time, money, single-minded focus) are denied us by business and political realities, and are not likely to be overcome.

There is growth and improvement in this field, but there is so much basic structure, analysis, research, and definitive agreement still needed that we are yet years away (maybe a decade or so, hopefully less) from having something valid and widely accepted, as we have with other types of insurance.

My experience up to today is that insurance companies offer insurance products (sometimes in the past called "business interruption insurance") that will plug gaps in their risk management program. After having read the policy, however, I see there are more exclusions for denial of claims, unclear requirements (to be used as risk mitigations) on the policy holders, and they are otherwise so open to wide-ranging interpretation by claims adjusters (often unqualified to make such judgments) that they are, truly, of very little practical protective value. Having them demonstrates due diligence, but they do little else.

Ross A. Leo
77 months ago
Well said - Dr. David E. 64 months ago

I agree with Ross; there is a fundamental lack of event data. The first issue is to define the risk profile of the buyer. Insurers are still not fully able to create competitively priced policies; on the other side, underwriters fail to understand the complexity of the insured risks. Furthermore, the digital world is changing in a super fast way and this does not help both parties to assess the current challenges in the right way.

Paolo Beffagnotti
77 months ago
Thanks for sharing this, interesting points about the Problems with the Market for Cyber-Insurance - Paolo 64 months ago
Law, risk management and insurance ALWAYS lag behind innovation; and society writ large - Dr. David E. 64 months ago
Can you mention something about this? - Paolo 64 months ago
Sure - check out the book - peer reviewed - Dr. David E. 64 months ago
More Data = Less liability? - Dr. David E. 64 months ago
The insurance company may be seeking "exclusions" - Dr. David E. 64 months ago

Today's underwriting hasn't changed much; however, the 'real' story is being told more often, with accurate depictions of activities the organization has completed during the last policy cycle.
It may be a revamp of contractual obligations of critical vendors providing SOC 2 reports, or a PCI ROC, or other assessments.
It also stems from providing the underwriter with a printout of your LMS training log on phishing and other security matters, including sensitive data handling for those handling that type of information.
It can be as simple as a data mapping attestation that it has been completed and overlaid with an information classification policy, to best support the security controls that protect that information adequately.

Timothy Smit
50 months ago