No necessary so as the company may just pay for insurance from future attacks. Granted insurance companies then will demand some compliance with security check lists, but this feedback loop is very slow.