Industries need cyber insurance more than ever, but the rules are tightening

Underwriters are taking a much closer look at a company’s cyber posture before quoting policies—and are restricting coverage if organizations, and especially critical infrastructure, are too exposed.
Dec. 4, 2025

What you’ll learn:

  • Critical infrastructure companies pose a particularly high risk for cyber insurers.
  • Disruption to networked IT systems is painful and costly, but attacks on OT systems can be catastrophic to life and property.
  • Insurers will be interested in how closely an operator is adhering to accepted guidance like NIST regulation 800-82, the (ISA/IEC) 62443 standard and CISA performance goals.

The cyber insurance environment has changed dramatically over the past five years. Not so long ago, insurers were willing to issue cyber insurance policies at low cost and with little to no due diligence around their customers’ cyber defenses.

Since then, the explosion of ransomware attacks (manufacturing accounted for 68% of incidents in Q1 2025, according to Dragos) and subsequent pay-outs by insurers covering breached businesses have forced insurers into a reckoning on who and what they are underwriting.

As a result, insurance vendors and their brokers are now taking a far more granular approach to vetting a company’s cyber posture before quoting a policy.

Given their vital role in economic and societal well-being, companies in the critical infrastructure sector pose a particularly high risk for cyber insurers. Even as the vetting requirements for IT providers or large enterprises are becoming more concrete, insurers are still assessing their approach to measuring cyber defenses for the critical infrastructure sector.

Several already-existing insurer practices provide a guideline for how these requirements may likely evolve and how such companies should prepare:

Fortify the tech stack

The stronger your defenses, the better your insurability. Fundamentals like firewall topology, monitoring and response are table stakes. Some insurers are offering incentives to customers who go above and beyond—similar to safe driver discounts on auto insurance.

For example, organizations are rewarded for implementing robust security measures such as advanced monitoring, proper network segmentation and data diodes: hardware that mitigates cyber threats by limiting data transfer to one direction only, preventing malicious code from being injected into secure networks.

Such technology is already widely deployed in the highly regulated nuclear industry, where air-gapping requirements to ensure separation of IT and OT systems are mandated.

Factor OT into the IT security equation

While the nuclear industry has regulated air-gapping, other critical infrastructure industries do not. Of course, all of them want to take advantage of modern IT capabilities―for example, sending data from OT devices to the cloud enables infrastructure asset owners to use remote diagnostic and analysis tools, improve supply chain management, adopt predictive maintenance and schedule planned downtime.

But the benefits of that connectivity also come with risks. Disruption to networked IT systems is painful and costly, but attacks on OT systems can be catastrophic to life and property.

Again, this is where network segmentation and other advanced security measures can prevent cyberattacks from reaching critical OT, which will undoubtedly carry weight with insurers.

Enforce documented cyber policies

Costly forensic investigations, which have sometimes revealed companies not living up to their claimed cybersecurity measures, have escalated insurers’ requirements for verification of cybersecurity infrastructure.

Such misrepresentation is the same issue that inspired the U.S. Defense Department’s Cybersecurity Maturity Model Certification initiative, which enforces a formal mechanism for defense supply chain companies to prove their compliance with a defined set of cyber practices.

In the private sector, cyber insurers now want to see proof of operational maturity such as documented access controls, the last time an incident response tabletop exercise was performed, the results of the most recent cyber audit and the like.

While insurers are not network or cyber experts themselves, they want proof, verified by an expert, that these steps are being taken and their results acted upon.

Manage your risk profile

Critical infrastructure companies need to make informed decisions on cybersecurity investments to reduce their risk profile, refine their risk appetite and decide what risk, if any, they may want to transfer. It is important to measure the maturity of their cyber environment, assessing things like critical controls, associated costs and risk tolerance.

Some insurers may offer mechanisms beyond benchmarking and loss averaging based on industry data (inherent risk), weighting the control environment to determine each company’s total residual risk in a specific dollar amount. This is where those extra defenses can make a real difference in lowering risk and helping to drive down premiums.

Tie risk reduction to compliance frameworks

Insurers of critical infrastructure environments will be interested in how closely an operator is adhering to accepted guidance like National Institute of Standards and Technology cybersecurity regulation 800-82, the International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443 standard for industrial automation and control systems, and the Cybersecurity and Infrastructure Security Agency (CISA) cross-sector cybersecurity performance goals.

Hardware-enforced security can align directly with frameworks, helping critical infrastructure organizations not only improve their cyber insurance profile but also demonstrate compliance with U.S. cybersecurity standards―often a prerequisite for funding or contract eligibility.

Understand your obligations

It is also very important for companies to understand the coverage and limits of their cyber insurance policy. Research showed that while 91% of companies were carrying a policy, over one quarter of them admitted to not fully understanding its terms and obligations. In certain situations, customers who think they are covered may actually not have that protection.

While maintaining cyber insurance is of course very important, it still cannot protect data, which is ultimately the goal. Realistically, critical infrastructure providers are big targets. Those “extra-mile” defenses will not only help with obtaining insurance coverage at more favorable premiums, but will strengthen cyber posture that prevents breaches in the first place.

As insurers continue refining their methodologies for analyzing risk across this vital sector, the more proof that a company is taking steps to protect its data, the more competitive that company will be for an insurance provider―and the safer its data will be for the long run.

About the Author

Daniel Bartucci

As cybersecurity strategist at Owl Cyber Defense, Daniel Bartucci brings over 20 years of experience driving security initiatives across highly regulated industries such as financial services, health care, and operational technology environments. He offers expertise in enterprise risk management and cybersecurity policy development and guides executive teams through complex security challenges.
