Why cyber insurance won't cover the next generation of attacks
Geopolitical cyberattacks are rising, but cyber insurance may not cover them. CIOs must understand war exclusions, assess exposure and build resilience beyond risk transfer.
Executive Summary
- State-sponsored cyberattacks may trigger war exclusions and leave enterprises without insurance coverage.
- Attribution uncertainty creates financial risk during response and recovery decisions.
- CIOs should audit policies, quantify exposure and prioritize resilience over risk transfer.
Geopolitical cyberattacks are no longer limited to governments and critical infrastructure. They can hit any organization, even a medical device company in Michigan.
On March 11, 2026, medical technology company Stryker confirmed it was experiencing a network disruption due to a cyberattack. The Iran-linked hacking group Handala claimed responsibility, asserting it wiped more than 200,000 devices, servers, and systems and forced offices in 79 countries offline, with reports of disruption to healthcare and emergency communication systems. The group framed the attack as retaliation tied to Middle East tensions, though attribution and motive remain unconfirmed.
It is not the first time a major enterprise has faced this scenario. State-linked attacks, such as NotPetya, generated hundreds of millions in claims and years of litigation over whether war exclusions applied. Courts sometimes sided with policyholders, while other disputes were settled. Insurers responded by rewriting policy language.
For every enterprise risk officer watching that news break, one question quickly followed -- if an insurer classifies an attack as state-sponsored or an act of war, would your cyber policy's war exclusion allow them to deny coverage?
The changing threat landscape
Nation-state cyber operations have become a mainstream enterprise risk, and the insurance products most organizations rely on were not built for them.
A different kind of attacker
Cyber insurance was built primarily for a specific threat -- criminal ransomware gangs motivated by financial payouts. That threat is increasingly joined by state-sponsored attackers with very different objectives.
Denny LeCompte, CEO of Portnox Security and a former SolarWinds leader during the Sunburst breach, draws the line precisely. "Insurance is a reasonable tool against ransomware gangs, who operate predictably and respond to economic incentives," LeCompte said. "State actors are optimizing for persistence, not your claims process. Those are fundamentally different risk categories."
The numbers bear this out
According to a World Economic Forum report, geopolitics is now the top factor influencing cyber risk mitigation strategies, with 64% of organizations accounting for geopolitical cyber risk, including critical infrastructure disruption and espionage. Among the largest enterprises, 91% have changed their cybersecurity strategies due to geopolitical volatility.
The criminal-state line is blurring
A Microsoft report found that Russia has outsourced cyber espionage to criminal groups, and Chinese state-linked actors have adopted ransomware tactics specifically to obscure attribution. That ambiguity can directly affect whether a claim gets paid.
Collateral damage reaches every sector
State-sponsored attacks rarely stay contained to their intended targets. NotPetya was designed to target Ukrainian infrastructure but crippled commercial enterprises across multinational supply chains, generating unaccounted cyber losses for organizations with no connection to the original conflict.
The insurance coverage gap
In recent years, a significant cyber insurance coverage gap has emerged between the nation-state-backed attacks enterprises face and the claims insurers are willing to pay.
NotPetya showed the stakes, and insurers rewrote the rules
In 2017, Russian military hackers deployed NotPetya malware as a destructive weapon, causing an estimated $10 billion in global damages. Mondelez filed a claim for approximately $100 million against Zurich American; Merck filed a claim for $1.4 billion. Both invoked war exclusions. A New Jersey court declined to apply the exclusion in Merck's case; Mondelez settled before a ruling.
Lloyd's of London required its global syndicate to explicitly exclude nation-state-sponsored attacks from standalone policies, effective March 2023. The American Bar Association's 2025 cyber insurance analysis found that many policies now explicitly exclude state-sponsored attacks.
The court outcomes, however, may be doing more harm than good.
"This may be leading to a degree of complacency among business leaders that may be unwarranted in the light of what is going on in Iran," John Bambenek, president of Bambenek Consulting, said. "There is an actual military conflict going on there, and all eyes are on whatever cyber insurance policy Stryker has in what they decide about the matter."
Most enterprises don't know what they've excluded
Cyber insurance exclusions for war and state-sponsored attacks are poorly understood outside specialized risk teams.
"Most small and medium-sized businesses delegate the practice to their insurance broker and typically don't have the in-house expertise to know which specific questions to ask," Nick Kathmann, chief information security officer at LogicGate, explained. "Larger enterprises often audit their policies for these exclusions and have a better understanding of what they need to know."
Attribution is the trap
A key challenge for enterprises facing an attack is accurately determining attribution.
"You're making seven-figure decisions in real time, and the question of who did this and whether your policy covers it gets answered much later, if at all," LeCompte said.
Silent cyber closes the last escape route
Traditional property and casualty (P&C) policies have often been assumed to cover cyber losses without explicitly saying so. As cyber insurance policy exclusions expand, insurers have been quietly closing that gap, and enterprises that assumed a P&C fallback may find that coverage has already been removed.
Financial and operational implications
When an insurer invokes a war exclusion, financial exposure is binary.
"It's essentially a binary question: the insured either gets 100% or 0%, and it's more likely to be 0%," Kathmann said.
The financial scale of an uncovered claim can be staggering.
"If a state-linked attack is denied, you are effectively self-insuring your most severe loss scenario," said Puneet Bhatnagar, an independent AI and identity security expert who most recently led identity and access management at Blackstone. "The exposure stacks quickly: technical recovery, business interruption and long-tail customer churn. For a global enterprise, this isn't a million-dollar problem. It's a hundred-million-dollar balance sheet event."
The cost categories enterprises absorb entirely on their own include:
- Forensic investigation and incident response.
- Legal and regulatory defense.
- System restoration and identity infrastructure rebuilds.
- Business interruption and lost revenue.
- Third-party claims and supply chain liability.
- Reputational damage and customer attrition.
Exposure varies significantly by sector. Healthcare organizations face the highest average breach costs. IBM's 2025 Cost of a Data Breach Report placed the healthcare average at $7.42 million per incident, with HIPAA exposure layered on top. Critical infrastructure operators face national security scrutiny alongside recovery costs. Financial services firms carry compounded SEC disclosure liability.
Board-level exposure adds a distinct dimension. SEC rules require disclosure of material incidents within 4 business days, and boards that have not understood or disclosed coverage gaps have faced investor litigation running in parallel to the breach itself.
What CIOs and IT executives must do now
Knowing the gap exists is not enough. Effective cyber risk management for CIOs requires action across four areas.
Immediate actions
- Conduct a comprehensive policy audit with legal and risk teams, not a broker summary.
- Identify every war, terrorism and state-sponsored attack clause.
- Assess the gap between assumed coverage and actual protection.
- Quantify potential uncovered loss scenarios in dollar terms before an incident forces that exercise.
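The last step above, quantifying uncovered loss scenarios in dollars, as an added example that is not from the article: a small Monte Carlo model of the binary coverage outcome the article describes (the insurer pays in full or pays nothing once a war exclusion is invoked), using the article's six cost categories with constructed dollar ranges, a hypothetical policy limit and retention, and an assumed probability that the exclusion is invoked.

```python
import random
from dataclasses import dataclass

# Constructed, illustrative loss ranges (USD) per cost category; not article data.
COST_CATEGORIES = {
    "forensics_and_ir":      (1_000_000, 5_000_000),
    "legal_and_regulatory":  (2_000_000, 15_000_000),
    "system_restoration":    (5_000_000, 40_000_000),
    "business_interruption": (10_000_000, 80_000_000),
    "third_party_claims":    (0, 30_000_000),
    "customer_attrition":    (5_000_000, 50_000_000),
}


@dataclass
class Policy:
    limit: float                  # hypothetical aggregate policy limit
    retention: float              # hypothetical self-insured retention
    exclusion_probability: float  # assumed chance the war exclusion is invoked


def retained_loss(gross, policy, exclusion_invoked):
    """Loss the enterprise absorbs for one incident.

    The exclusion is binary: if invoked, the insurer pays nothing and the
    whole gross loss is retained. Otherwise the insurer pays the loss above
    the retention, capped at the policy limit.
    """
    if exclusion_invoked:
        return gross
    paid = min(max(gross - policy.retention, 0.0), policy.limit)
    return gross - paid


def simulate(policy, categories=COST_CATEGORIES, trials=10_000, seed=42):
    """Monte Carlo estimate of retained loss: mean, 95th percentile, worst case."""
    rng = random.Random(seed)  # fixed seed keeps the exercise reproducible
    results = []
    for _ in range(trials):
        gross = sum(rng.uniform(lo, hi) for lo, hi in categories.values())
        invoked = rng.random() < policy.exclusion_probability
        results.append(retained_loss(gross, policy, invoked))
    results.sort()
    return {
        "mean_retained": sum(results) / trials,
        "p95_retained": results[int(0.95 * trials) - 1],
        "max_retained": results[-1],
    }


if __name__ == "__main__":
    for prob in (0.0, 0.3, 1.0):
        stats = simulate(Policy(25_000_000, 1_000_000, prob))
        print(f"exclusion p={prob:.1f}: " + ", ".join(f"{k}=${v:,.0f}" for k, v in stats.items()))
```

Rerunning with different exclusion probabilities shows how quickly the retained figure approaches the full gross loss, which is the number to put in front of the CFO and the board.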
Strategic initiatives
- Collaborate with the chief financial officer on alternative risk transfer mechanisms.
- Evaluate captive insurance structures for large enterprises. Parametric insurance will not help.
- Negotiate with insurers for clearer attribution standards and narrower exclusion language at renewal.
Operational resilience
- Shift focus from risk transfer to risk reduction.
- Invest in resilience architecture -- air-gapped backups, network segmentation and zero trust.
- Apply separation of duties and multifactor authentication (MFA) across all systems capable of remote wipe functions, cloud root accounts and infrastructure management tools such as Ansible.
- Develop incident response plans that explicitly assume no insurance coverage.
- Enhance threat intelligence capabilities to identify geopolitical targeting early. "Don't just practice the technical breach. Practice financial recovery assuming the insurance check never arrives," Bhatnagar said.
Cross-functional collaboration
- Establish joint CIO-CFO cyber risk governance.
- Educate the board on coverage limitations and residual risk exposure.
- Integrate cyber risk into enterprise risk management frameworks.
- Align cybersecurity investment with uncovered exposure.
"Developing a coordinated approach across security, risk management, and finance is increasingly viewed as part of leadership's broader duty of care to ensure the organization can withstand significant operational shocks," said Rich Seiersen, chief risk technology officer at Qualys.
The future of cyber insurance
The cyber insurance market is changing, but not in the direction enterprises need.
- How the industry is adapting. The adaptations are narrowing coverage, not expanding it. Global cyber insurance rates declined 6% in Q1 2025, 7% in Q2 and 6% in Q3, according to the Marsh Global Insurance Market Index, while exclusions for nation-state attacks simultaneously expanded. The 2025 Allianz Global Corporate and Specialty report stated that policies are expected to provide less coverage certainty across state-sponsored operations and zero-day exploits.
- Regulatory interventions. No regulatory framework currently requires insurers to cover state-sponsored attacks. "Cyber insurance likely won't be regulated any time soon, and the industry isn't looking to change these exclusions, especially given the number of wars happening right now," Kathmann said.
- Government backstops. Proposals for a federal cyber insurance backstop remain unresolved. The GAO has identified a gap in the existing Terrorism Risk Insurance Program (TRIP) -- cyberattacks must be violent or coercive to qualify under TRIP, a threshold most state-sponsored operations do not meet. As of May 2025, those GAO recommendations remain open, with federal agencies still assessing whether a formal cyber insurance response is warranted.
- Why self-insurance and resilience will become more critical. As coverage narrows and no backstop emerges, the financial burden of uncovered attacks lands on the balance sheet. The WEF Global Cybersecurity Outlook 2026 found that 23% of private-sector organizations already rate their cyber resilience as insufficient. Building balance sheet capacity through captive structures and financial reserves is not a future option. It is a current requirement.
Executive takeaway
Cyber insurance remains a necessary part of enterprise risk management. For ransomware, business interruption and data breach liability, it continues to provide meaningful protection. Understanding the limitations of cyber insurance for state-sponsored attacks and nation-state cyber threats has never been more urgent.
The window to act is now. Escalating geopolitical tensions give insurers stronger legal grounds to invoke war exclusions each month. Enterprises that wait for an incident to discover their coverage gaps will find the gap at the worst possible moment.
The organizations best positioned to survive that scenario are the ones building resilience capacity today, not after coverage fails.
"The organizations that figure that out proactively are the ones that will still be able to get meaningful coverage five years from now, because insurance is already moving toward risk-tiered underwriting where your architecture determines your insurability," LeCompte said. "The ones waiting for industry or regulators to close the gap are going to find it has only gotten wider."
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.