The NCSC now links most attacks on UK critical infrastructure to hostile states. That collides with how cyber policies handle war. A utility goes dark. And the darkness cascades. Investigators trace the intrusion to a hostile state. Then the cyber insurer turns to its war exclusion.
That sequence is now the central question for critical national infrastructure cyber insurance. The UK’s National Cyber Security Centre says hostile states sit behind most attacks on the systems that run the country.
In a speech at RUSI on June 17, NCSC chief executive Dr Richard Horne said his teams handled more than 200 incidents affecting critical national infrastructure in the year to May 2026. Around 75% were believed to be linked to state actors. He named Russia, China, and Iran.
Critical National Infrastructure Cyber Insurance Faces an Attribution Problem
Horne’s wording matters to insurers. He said the attacks were “believed to be linked” to states. Cyber insurance turns that careful phrasing into a coverage problem.
Most cyber policies carry a war exclusion. Those exclusions tightened after Lloyd’s issued market guidance and after the NotPetya litigation tested what counts as an act of war. Both fights came down to attribution.
The gap is now obvious. The NCSC can say an attack is probably state-linked. An insurer must decide whether it is legally an act of war. Those are not the same standard. State-aligned attacks in the gray zone sit precisely between them.
Why Critical Infrastructure Is the Hardest Risk to Insure
Critical infrastructure concentrates the losses insurers fear most. Operators run operational technology, hold essential services, and cannot easily absorb downtime. A single outage can cascade across a region.
Horne also warned that attackers are pre-positioning inside these systems for future conflict. He cited the Volt Typhoon campaign. Dormant access creates a harder insurance question than an active breach.
A quiet foothold may sit undetected for years. It can then activate during a crisis, when war exclusions are most likely to bite. That timing turns a covered intrusion into a contested claim.
The exposure grows with aging and edge technology. Horne said too many incidents happen because the fundamentals are not in place. Underinsurance follows when operators underestimate how far an outage can spread.
You Rely on It Even If You Don’t Run It
You may not run critical infrastructure. But you still depend on it. Every café, college and corner shop relies on power, water, payments and telecoms. So do sports franchises and the community sports centres beneath them.
When a state hits the grid, the loss does not stop there. It cascades to everyone downstream. We explored this digital dependency on a recent podcast with SonicWall’s Michael Crean.
For those businesses, the question is contingent business interruption. Does your policy pay when an attack you never suffered still shuts you down?
Regulation Becomes an Underwriting Signal
The UK is not leaving this to the market alone. The Cyber Security and Resilience Bill is passing through Parliament. It will use regulation to force improvements at operators of essential services.
That changes the underwriting conversation. Insurers already treat multi-factor authentication as a baseline. Compliance with the new Bill will likely become a similar signal for critical infrastructure accounts.
Operators that meet the standard should find cover easier to place. Those that lag may face higher retentions, tighter terms, or declined risks.
What This Means for Boards and Buyers
Horne urged executives to stop treating cyber as a risk to manage and to treat it as a contest to win. He put the point bluntly.
“In cyberspace, we are not preparing for tomorrow’s conflicts, to some degree we are fighting them today.”
The NCSC also expects AI to sharpen the threat. It judges that by 2028, attackers will likely use AI to exploit known flaws in legacy infrastructure at scale.
For buyers, three actions follow. Read your war exclusion and test it against a state-attributed attack. Model a conflict-driven shutdown in your continuity plan. Treat resilience regulation as table stakes, not a finish line.
The reassurance many operators rely on is thinner than it looks. A standard cyber policy may not answer when the attacker is a state.
FAQ – Critical National Infrastructure Cyber Insurance
Not always. Most policies carry a war exclusion that can apply to state-backed attacks. Whether it bites depends on how the attack is attributed and how the clause is worded.
It is a clause that removes cover for losses tied to war or hostile state action. Lloyd’s tightened the language across the market, and the NotPetya cases showed how contested it can be.
It will force essential-services operators to raise their defences. Insurers are likely to treat compliance as an underwriting signal, much as they already treat multi-factor authentication.
It concentrates high-severity exposure. Operators run operational technology, support essential services and face cascading outages. State pre-positioning adds dormant risk that can surface during a crisis.