How important will regulation be for the future of U.S cyber?

Is it just me, or does it feel like most companies couldn't care less about cybersecurity?

I feel unless the U.S government steps in and forces companies to invest in a cybersecurity team/operation, there will never be an adequate number of people to protect this country from major cyberattacks.

Do companies feel any obligation to preventing/mitigating cyberattacks? Do they only form a team right after they suffered a breach or are there other incentives?

cyber cybersecurity future regulation