Why cyber insurance won’t cover the next generation of attacks

Summary

Geopolitical cyberattacks are no longer confined to governments or critical national infrastructure; they now hit ordinary organisations, supply chains and healthcare providers. The article uses the March 2026 Stryker incident and the NotPetya precedent to show how insurers have tightened policy language and expanded war or state-sponsored exclusions. That shift, coupled with attribution challenges and the blurring line between criminal and state-linked actors, leaves many organisations exposed to potentially catastrophic uncovered losses.

The piece outlines how exclusions have proliferated, why traditional P&C silent-cyber fallbacks are disappearing, and why a denied claim can turn a breach into a balance-sheet crisis. It ends with practical actions CIOs and executive teams must take now: audit policies, treat worst-case scenarios as self-insured, build operational resilience, and align security with finance and the board.

Key Points

  • Nation-state and state-linked cyber operations are now a mainstream enterprise risk, not an edge case.
  • Insurers have increasingly added explicit exclusions for state-sponsored, war or terrorism-related cyber events, narrowing coverage.
  • Past incidents like NotPetya set legal and commercial precedents that pushed insurers to rewrite policy language.
  • Attribution ambiguity (criminal vs state actor) complicates claims and can lead to denied coverage.
  • Silent cyber and P&C cover assumptions are becoming unreliable as insurers close gaps.
  • When war exclusions apply, payout is often binary: full cover or nothing—leaving firms to self-insure large losses.
  • Uncovered costs include forensics, remediation, legal/regulatory defence, business interruption, third-party claims and reputational damage.
  • CIOs must audit policies with legal and finance, quantify uncovered scenarios, and prioritise resilience (air-gapped backups, segmentation, zero trust, MFA).
  • Market trends show narrowing cover and no imminent regulatory or federal backstop; self-insurance and captive structures are becoming essential.

Context and Relevance

This article is crucial for CIOs, CISOs, risk officers and boards. As geopolitical tensions rise, insurers gain stronger legal basis to invoke exclusions, making it likely firms will face uncovered major losses. The analysis connects industry trends, legal outcomes and recommended governance changes—so organisations can translate policy wording into financial and operational action. It also links to broader trends: outsourcing of state capabilities to criminal groups, the rise of supply-chain collateral damage, and evolving underwriting that ties insurability to technical architecture.

Why should I read this?

Short version: if you care about your organisation not getting nailed by a surprise multi-million-pound hole in the balance sheet, read this. It tells you exactly why your current cyber policy might be a placebo for nation-state-style attacks and what to do before things go belly-up. It’s a quick, practical wake-up call for people who don’t want to learn coverage gaps the expensive way.

Practical takeaways for leaders

Do a full policy audit with legal and finance. Assume the worst and practise recovery without an insurance cheque. Invest in resilience (air-gapped backups, segmentation, zero trust, MFA) and set up CIO–CFO governance to quantify and fund uncovered exposures. Consider captive insurance or other balance-sheet strategies where appropriate.

Source

Source: https://www.techtarget.com/searchcio/feature/Why-cyber-insurance-wont-cover-the-next-generation-of-attacks