When insurers demand proof instead of promises, organizations are pushed to measure cyber risk more carefully, and that changes how security decisions get made.