They aren't, they buy hacking insurance.
Yep, that's a thing.
I was hitherto unaware such a thing existed; thank you for mentioning it. Having now become acquainted with the term, I am alarmed that the data breach phenomenon is now so prevalent that hacking insurance has become a thing.
Of course, it is possible this might turn out to be a positive development. Insurance companies do not enjoy paying claims, hence the development of groups like Underwriters Laboratories that set standards and improved things (i.e. gave manufacturers standards that helped to make products safer and less likely to explode, choke infants, etc.).
Having said that:
It's cheaper than tackling the real problems and being proactive. The law in most cases says "within reason"; it's intentionally vague because one size doesn't fit all, but that also means companies are allowed to decide for themselves what's reasonable. The bare minimum, which is what most opt for, is ridiculously minimal.
I suspect you are right and the actuality is that things like hacking insurance are merely an effort to lend a veneer of dignity to an ungodly mess. Companies being seen to carry hacking insurance is one thing, the insurance firms actually paying off on claims quite another.
Along those same lines, it would be interesting if companies like Apple have "helped" (or are about to help) legislators write laws that assign caps on what damages consumers will be awarded in the event of a data breach.
No one takes I.T. seriously until it bites them on the a$$; it's the same thing with backups.
Well, there is taking things seriously and then there is being forced to take things seriously (like backups).
When I first heard about the 2017 Equifax data breach, I really did think something meaningful would emerge from it. "What", I wondered, "will the penalty be for those responsible? A trip before the firing squad? Stint in a Bolivian prison? One-way ticket to Tierra del Fuego, perhaps?"
Needless to say, I did not have to wait long to find out, and the penalty turned out to be more of a punchline than any sort of meaningful penalty. I haven't really kept up since then, so it is possible that the Americans have become quite serious about penalising corporations that do not secure their data in the half-decade since that happened.
My understanding of the FAANGs and companies like them that handle large amounts of data is that, once you reach a market cap of US$1 billion, you may do whatever you wish. They do not appear to have any real incentive to keep sensitive personal information secure because they can simply buy off any legislators ambitious enough to want to rein them in with legislation or, failing that, they can simply hire lobbyists that will "help" write such legislation.
I think I would take the 2FA business a lot more seriously if I were the one allowed to choose the second authentication factor. The fact that corporations, not consumers, are the ones doing the choosing tells me everything I need to know.
The only real hope I hold out for change in this affair is for a widely-known authority on security (e.g. Bruce Schneier) to raise such a fuss that Apple, Google and Microsoft simply cannot ignore it. To my mind, bad publicity is about the only thing left these firms will respond to (and then only half the time).