Cyber insurance is meant to be a backstop for catastrophic operational failure. For critical infrastructure it is increasingly not. Insurers, regulators, and owners have allowed a misalignment to develop between the scale and fragility of our infrastructure and the narrow, conditional nature of the coverage designed to protect it.
Three structural gaps stand out and they are simple to name: exclusions that swallow coverage, underwriting that shifts risk rather than reduces it, and systemic exposures that no single policy can meet. Each gap interacts with the others and multiplies the potential for cascading failure.
First, exclusions. Since NotPetya the market has moved to tighten language around state-backed cyber activity and warlike action. Lloyd’s market guidance and new model clauses require clearer cyberwar exclusions, and many carriers now rely on those or similar clauses to limit exposure. That change creates real coverage uncertainty for operators of power grids, water systems, pipelines, and health networks because modern attacks often sit in a gray area between criminal extortion and state-enabled operations. Courts have pushed back in some cases, but the patchwork of policy language leaves operators exposed to litigation and to unexpected denials.
Second, underwriting is increasingly control-driven. Insurers are rewarding strong cyber hygiene with lower prices and broader limits while tightening terms or withdrawing capacity for risks with poor controls or high third-party dependence. That is rational from a balance-sheet perspective, but it leaves publicly essential networks that cannot retrofit quickly - local water authorities, smaller municipal electric utilities, regional hospitals - with thin coverage or expensive gaps. The result is a two-tiered resilience picture: large, well-funded operators get both security and insurance; the rest shoulder retained risk.
Third, systemic and supply-chain exposure. Cyber events in 2024 and 2025 proved how fast a single failure can propagate through dependent services and suppliers. Insurers themselves warn that systemic scenarios are under-modeled and under-managed. Policies with per-event or per-location limits do not match the geography or interdependence of modern infrastructure networks. That mismatch creates an uninsurable tail risk where losses accumulate beyond market capacity.
These gaps show up in three practical ways that matter to national security planners.
1) Attribution and denial risk. If an insurer invokes a war or nation-state exclusion, coverage may be denied while attribution debates play out. Operators cannot afford a months-long attribution standoff when services are degraded. Legal precedent on this point is mixed; Merck won a key appellate ruling that narrow readings of war exclusions can preserve coverage, but that ruling sits alongside market changes that explicitly narrow cover for state-backed operations. The net effect is unpredictability in a crisis.
2) Third-party blind spots. Many critical systems rely on a small number of vendors and cloud providers. Insurers price and limit exposure for these concentration risks, but policyholders often lack visibility into their nth-party exposures or the extent to which a vendor outage will trigger their own coverage. Without contractual clarity between supplier SLAs and insurers’ definitions of covered outages, response and recovery are slower and more expensive.
3) Underinsurance and underreporting. Incident reporting and claims patterns shape insurer models. The FBI’s 2024 IC3 data show ransomware and extortion remain heavy drivers of losses against infrastructure and other targets. When operators avoid reporting to preserve reputation or because policy terms are ambiguous, the market loses signal needed to price systemic risk correctly. That feedback loop can depress capacity or push premiums beyond what many public operators can pay.
What to do. There is no single fix. Start with clarity in policy language and public-private coordination to address systemic exposure.
- Standardize exclusions and the attribution process. Regulators and market bodies should drive a narrow, testable definition for cyberwar and state-backed attacks so coverage is predictable during crises. Courts and contract drafters will continue to matter, but a standardized market baseline removes leverage from ambiguous clauses.
- Create a government backstop or layered capacity for systemic events. Private markets will not carry unbounded systemic tail risk. A targeted reinsurance facility or CAT-style backstop for nation-scale cyber events would preserve market capacity for smaller, insurable incidents while protecting citizens from catastrophic service loss. This is not a subsidy for negligence. It is a market design step to prevent systemic collapse.
- Compel minimum reporting and reporting standards. Faster, mandatory reporting for critical infrastructure incidents, with liability protections for good-faith disclosures, will improve insurer models and expedite mitigation. The federal role here is coordination and safe harbor for information sharing.
- Tie insurance incentives to pragmatic resilience investments. Underwriting should reward not only checklists but demonstrable operational resilience: segmented networks for OT, tested recovery plans, vendor concentration limits, and tabletop-proven incident playbooks. Public funds can accelerate upgrades where municipalities or small operators cannot finance them.
Final point. Cyber insurance is not a substitute for operational security. It is an amplifier of risk decisions. For critical infrastructure, the goal must be to reduce failure probability while creating reliable, testable financial protections for the losses that remain. If policymakers, owners, and insurers fail to close the coverage gaps I have described, they will not just pass liability around. They will leave whole communities exposed to outages and cascading harm. The fix is legal clarity, shared modeling for systemic scenarios, targeted public capacity, and practical investments in resilience. Do those things and insurance will function as intended. Ignore them and the next major outage will show how brittle the system has become.