Investors have already priced in interest-rate shocks and construction bottlenecks. Too few have priced in what will sink a portfolio faster: an operational shock to critical infrastructure that reveals hidden cyber, physical, and supply-chain dependencies. These blind spots do not live in spreadsheets. They live in control rooms, third-party contracts, legacy PLCs, and boardrooms that still treat cybersecurity as an IT line item.
The headline threat is simple. Attacks against energy, transport, telecom, and other critical sectors surged in 2023–2024, driven by ransomware, supply-chain intrusions, and targeted campaigns that seek operational disruption rather than only data theft. The scale is not theoretical. Independent industry analysis reported a roughly 30 percent year-over-year increase in attacks on critical infrastructure between January 2023 and January 2024. At the same time, sector-specific surveys show rising ransom payments, backup compromise, and longer recovery windows for utilities and energy operators. Those operational impacts translate into lost revenue, regulatory penalties, replacement costs, and long tails of reputational damage investors will own.
Insurers and reinsurers are responding in ways the buy-side must watch. The cyber insurance market tightened after large losses and began demanding clearer underwriting metrics tied to third-party risk, OT segmentation, and backup integrity. Leading insurance and broker groups warned that certain systemic cyber losses are edging toward being “uninsurable” without state backstops or public-private loss-sharing mechanisms. That matters for investors because insurance is not a free protection layer you can assume exists at scale; it is an input to valuation, borrowing covenants, and the cost of capital.
Regulatory and national-security moves are closing lanes for complacent capital. U.S. federal activity has prioritized identifying vulnerable control systems and expanding visibility into foreign dependencies that underpin U.S. resilience. Agencies are sending more pre-incident notifications, using authorities to identify exposed operational devices, and elevating foreign critical dependencies as a strategic risk. For investors with cross-border portfolios, this means faster changes to approvals, heightened scrutiny of foreign partners, and the possibility of sudden restrictions on asset transfers or operations. Those are execution risks that reduce price certainty.
Where the market underrates risk
1) Third-party and supply-chain exposure. Sponsors often under-assess software and service providers that connect to OT environments. A breach at a vendor can cascade into a full asset outage. Survey data show many utility attacks began with exploited vulnerabilities or phishing vectors tied to contractors.
2) Backup and recovery assumptions. Operators increasingly report that attackers attempt to compromise backups. When backups are not segregated or are poorly tested, paying a ransom or rebuilding systems can take months. Longer recovery time magnifies business-interruption losses and strains debt servicing.
3) Insurance gap and conditional availability. Coverage exclusions, aggregate limits, and conditional endorsements for state-backed or systemic events can leave investors exposed. Brokers and reinsurers have publicly argued for government-supported mechanisms for truly catastrophic cyber losses. Assume the private market will be selective and more expensive for systemic exposures.
4) Interdependency and concentrated exposure. Modern infrastructure is more interconnected than valuations assume. Power, telecom, and data centers form failure chains. A localized outage at a substation or data-center campus can cascade to tenants, revenue, and contractual penalties across a portfolio. Industry reports document rising counts of vulnerable grid points and expanding attack volumes.
Practical due diligence checklist for investors (short, actionable)
- Demand quantified cyber risk assessment during diligence. Ask for modeled probable maximum loss scenarios in monetary terms, not qualitative “low/medium/high” labels. Use third-party cyber risk quantification platforms or underwriter-grade scoring.
- Verify OT/IT segmentation and backup integrity. Require architecture diagrams showing physical isolation, air gaps where appropriate, and documented backup restoration tests with timestamps.
- Stress-test third-party contracts and service providers. Insert security SLAs, breach notification timelines, and right-to-audit clauses for critical vendors. Model vendor failure as an execution-risk scenario.
- Reassess insurance assumptions. Obtain current insurer appetite letters and read policy wording on aggregate limits, declarable events, and exclusions for state-backed attacks. Budget for higher premiums or reduced coverage.
- Price in regulatory and political action. For cross-border assets, evaluate the chances of export controls, sanctions, or forced divestment tied to national-security reviews. Factor longer approval timelines into IRR calculations.
- Prepare operational contingency plans. Require operators to publish war-room procedures, redundant control paths, and prearranged manual operation plans where digital control fails. Those plans reduce tail risk and preserve value.
Portfolio-level moves
- Concentration limits. Treat correlated cyber-physical exposure like any other concentration risk. Limit single-vendor or single-grid-node concentration across assets.
- Security KPIs for governance. Put measurable cyber-physical KPIs in quarterly board reports for infrastructure assets: mean time to patch, backup restore time, third-party SLAs met, and tabletop exercise cadence. Investors who demand these metrics get earlier warning of value erosion.
- Engage insurers early. Work with brokers that specialize in cyber-physical damage and critical-infrastructure coverage to structure wraps and parametric products that address business-interruption tails. Expect higher costs; assume partial coverage until markets widen.
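The concentration limits and security KPIs above are easy to state and easy to leave unmeasured. The script below is an added illustration, not part of the article, of how a portfolio team could compute them from operator-reported data: it works out each vendor's and grid node's share of portfolio value, flags anything above a single-exposure limit, and scores each asset on the four KPIs named above (mean time to patch, backup restore time, third-party SLAs met, tabletop cadence) plus the age of the last restoration test. The portfolio, vendor names and threshold values are constructed assumptions for the example, not figures from the article.

```python
from collections import defaultdict
from datetime import date

# Governance thresholds: assumed policy values for this example, not from the article.
CONCENTRATION_LIMIT = 0.40       # max share of portfolio value tied to one vendor or grid node
MTTP_LIMIT_DAYS = 30             # mean time to patch, in days
RESTORE_LIMIT_HOURS = 8.0        # restore time demonstrated in the last backup test
RESTORE_TEST_MAX_AGE_DAYS = 180  # how stale a restoration test may be before it counts as untested
SLA_MIN_RATIO = 0.90             # share of critical-vendor SLAs met in the reporting period
TABLETOP_MIN_PER_YEAR = 2        # minimum tabletop exercises per year

AS_OF = date(2024, 6, 30)        # reporting date for the example

# Constructed sample portfolio: hypothetical assets, vendors and figures.
ASSETS = [
    {"name": "Substation A", "value_musd": 120.0, "grid_node": "NODE-1",
     "vendors": ["VendorX", "VendorY"], "patch_lags_days": [12, 30, 45],
     "last_restore_test": (date(2024, 3, 1), 6.0),   # (test date, hours to restore)
     "sla_met": 11, "sla_total": 12, "tabletops_last_year": 2},
    {"name": "Data Center B", "value_musd": 200.0, "grid_node": "NODE-1",
     "vendors": ["VendorX"], "patch_lags_days": [60, 75],
     "last_restore_test": (date(2023, 9, 15), 14.0),
     "sla_met": 7, "sla_total": 12, "tabletops_last_year": 1},
    {"name": "Fiber Hub C", "value_musd": 80.0, "grid_node": "NODE-2",
     "vendors": ["VendorZ"], "patch_lags_days": [5, 10, 15],
     "last_restore_test": (date(2024, 5, 20), 3.5),
     "sla_met": 12, "sla_total": 12, "tabletops_last_year": 3},
]


def concentration(assets, key):
    """Share of total portfolio value exposed to each vendor or grid node under `key`.
    An asset with several vendors counts its full value against each of them."""
    total = sum(a["value_musd"] for a in assets)
    exposure = defaultdict(float)
    for a in assets:
        items = a[key] if isinstance(a[key], list) else [a[key]]
        for item in items:
            exposure[item] += a["value_musd"]
    return {item: value / total for item, value in exposure.items()}


def breaches(shares, limit=CONCENTRATION_LIMIT):
    """Exposures whose portfolio share exceeds the concentration limit."""
    return {item: share for item, share in shares.items() if share > limit}


def assess_asset(asset, as_of=AS_OF):
    """Compute the governance KPIs for one asset and list every threshold it misses."""
    lags = asset["patch_lags_days"]
    test_date, restore_hours = asset["last_restore_test"]
    kpi = {
        "mttp_days": sum(lags) / len(lags),
        "restore_hours": restore_hours,
        "restore_test_age_days": (as_of - test_date).days,
        "sla_met_ratio": asset["sla_met"] / asset["sla_total"],
        "tabletops_last_year": asset["tabletops_last_year"],
    }
    flags = []
    if kpi["mttp_days"] > MTTP_LIMIT_DAYS:
        flags.append("mean time to patch above limit")
    if kpi["restore_hours"] > RESTORE_LIMIT_HOURS:
        flags.append("backup restore time above limit")
    if kpi["restore_test_age_days"] > RESTORE_TEST_MAX_AGE_DAYS:
        flags.append("restoration test is stale")
    if kpi["sla_met_ratio"] < SLA_MIN_RATIO:
        flags.append("third-party SLA attainment below minimum")
    if kpi["tabletops_last_year"] < TABLETOP_MIN_PER_YEAR:
        flags.append("tabletop exercise cadence below minimum")
    kpi["flags"] = flags
    return kpi


def portfolio_report(assets, as_of=AS_OF):
    """Board-level summary: concentration breaches plus per-asset KPI flags."""
    return {
        "vendor_breaches": breaches(concentration(assets, "vendors")),
        "grid_node_breaches": breaches(concentration(assets, "grid_node")),
        "asset_flags": {a["name"]: assess_asset(a, as_of)["flags"] for a in assets},
    }


if __name__ == "__main__":
    for section, content in portfolio_report(ASSETS).items():
        print(section, content)
```

On the sample data, VendorX and grid node NODE-1 each carry 80 percent of portfolio value, well past the 40 percent limit, and Data Center B misses all five KPI thresholds while the other two assets pass. Counting an asset's full value against every vendor it depends on is deliberate: a vendor outage takes the whole asset offline, so partial attribution would understate the correlated exposure the concentration limit is meant to catch.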
Final assessment
This is not a technological debate. It is a capital-allocation decision. The evidence from government agencies, sector surveys, and insurance-market signals through 2024 shows rising attack frequency, more sophisticated attackers, and an insurance market that will not fully absorb systemic losses without public intervention. Investors who fail to treat cyber-physical fragility as a first-order risk will see returns blow out not because of market cycles, but because the asset cannot operate. Take the obvious step: stop assuming continuity. Force operators to prove it. Price the rest accordingly.