Insurers often require to have Endpoint Detection and Response for all the devices, from a third-party. In-house often won't cut it, even if it makes more practical sense.
But then you can't blame anyone else when shit hits the fan! Isn't that what you're really paying for with EDR? No one is safe from a targeted attack, regardless of software.
In house competence