Absolutely wild. Sounds like there were organizational problems where the correct technically-minded people weren't invited into the vendor eval process for that "insurance" provider, nor were they given the ability to push back on insane requirements from a customer.

This is a symptom of hiring the cheapest, least sophisticated box-ticking compliance and insurance providers. How do I know? Because I've worked with more than I want to count. And that's all that they know how to do. Sure, they'll give you the certification, or the insurance, but it will be non-stop pain starting the day you sign the contract with them.

A real, competent provider/insurer would take the problem on head-on and be the adviser that you are hiring them to be. They would advise you about the real, actual risks and positives. Then you would have air-cover to go tell the customer during the procurement stage to go pound sand. Insane that you would actually allow a prospective customer to dictate how you do things internally. That also smacks of the customer not having the technical sophistication to even know about the things they are demanding, they just read about the random lines they can throw in a contract because others did.

This industry is fucked and deserves every ounce of comeuppance coming its way.