The upcoming California Consumer Privacy Act and other state laws of its kind are turning cyber insurance policies, already common among organizations that touch lots of consumer data, into a “must-have,” according to Law360.

“Cybersecurity is broken,” claims Asaf Lifshitz, CEO and co-founder of cyber-risk startup Sayata Labs, writing in Insurance Journal. “Cyber insurance can help fix it.” Cyber insurance sales are projected to rise from $2.9 billion this year to $16.7 billion by 2024, an annual increase of 33.8%, according to JD Supra.

What’s driving the growth? Organizations appear to be determining that there’s no completely airtight way of guaranteeing their data is secure. Accordingly, as Gunbritt Kammerer-Galahn of law firm Taylor Wessing writes in Lexology, cyber insurance “does not replace risk management, but it complements the process.”

Some experts worry that the increased role of risk-averse insurers may lead to more organizations paying off hackers in ransomware attacks. Such a payout would generally be cheaper for the victim but costlier for everyone else if it encourages more attacks. With insurance companies in charge, shelling out the ransom could become the “new normal,” according to CIO Dive. Under state laws, like in California, insurers may need to cover organizations’ liability for being “unprepared,” even if they avoided a data breach, according to Dominic Dhil Panakal of law firm Womble Bond Dickinson. This will raise their potential exposure, and organizations will want to read the fine print to be sure they’re covered.

“Will the insurance companies be ready for the deeper scrutiny and tougher punishments for their customers and will insurance customers be ready for the higher premiums likely to come?” asks Panakal, writing in The National Law Review. “And will all this attention lead to better data security at U.S. companies?” He leaves both questions unanswered.