
It's not inertia. In my big corpo's case, it's because the cybersecurity insurer is refusing to follow NIST.


I have been in three different organisations now with this same excuse, and actually called their insurer to clarify. In all cases, the insurer asks about the password policy, such as expirations. Complete absence of a written policy is a problem. Non-expiring passwords were not.

Someone in management took the application form and justified their own belief on security, and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.



