The cost of cyber-insurance has exploded in the wake of a string of attacks on critical infrastructure. Corporate boards are staring down premium hikes of 300% or more, according to industry sources. The reason is simple: insurers are running scared.
Data from the London market, the traditional hub for such policies, shows a sharp spike in ransomware claims during the second half of 2024. Hospitals, power grids, and water utilities were the primary targets. One source, a senior underwriter speaking on condition of anonymity, said: "We are bleeding money. The models we used for years are broken."
This is not just a market correction. It is a reckoning. Companies that were once considered low risk are now being treated like pariahs. The energy sector has been particularly hard hit. After the Colonial Pipeline fiasco, and the more recent attacks on European grid operators, underwriters have slashed capacity. One London broker told me: "If you run a power plant, you are paying through the nose. If you get a policy at all."
But the pain is not confined to the utilities. Manufacturing, logistics, and even law firms are feeling the squeeze. The logic is simple: if a small firm in the supply chain gets breached, it takes down the whole network. Insurers are now demanding that companies prove they have basic cybersecurity hygiene. That means multi-factor authentication, offline backups, and regular patching. Many firms, especially smaller ones, cannot meet these standards.
A document from a major reinsurer, obtained by this newsroom, outlines the new reality. It says: "We will no longer cover ransom payments for attacks that exploit known vulnerabilities that have not been patched within 30 days." This is a game-changer. Companies that drag their feet on security updates are effectively self-insuring.
The regulatory response has been a mess. The US Securities and Exchange Commission has argued for years that cyber risks must be disclosed. But the rules are vague. And the industry's self-regulatory body, the NAIC, has done little more than issue advisories. Meanwhile, the European Union's NIS2 directive is still being transposed into national law. By the time it takes effect, the insurance market may have already collapsed.
Some see opportunity. A few nimble insurers are launching bespoke policies that bundle risk assessment with coverage. One such firm, based in Bermuda, offers a policy that includes a full penetration test and 24/7 monitoring. The CEO told me: "We do not just sell insurance. We sell resilience."
But resilience costs money. And the premiums reflect that. A mid-sized hospital in Ohio reportedly saw its annual premium jump from $50,000 to $200,000. The hospital's CFO said: "We had to cut elective surgeries to afford the policy. That is not sustainable."
The victims of this trend are not just the companies. The public suffers too. When a hospital cannot afford cyber-insurance, it might not be able to recover from a ransomware attack. Patients suffer. When a water utility opts to self-insure and then gets hit, the water supply is disrupted.
The question is: who will pay for the next big attack? The industry is gambling that it can raise premiums enough to survive. But if the attacks keep coming, and the claims keep piling up, the whole house of cards could collapse. I have seen this pattern before: first a market correction, then a bailout, then regulation. But here, the bailout will not come from government. The Treasury has already said it will not backstop cyber-insurance. That leaves the private sector to sort out its own mess.
For now, the market is in a cold sweat. Sources tell me that some Lloyd's syndicates are quietly reducing their exposure. They are dropping clients and raising rates. The next few months will be telling. If there is a major attack on a city's power grid, the entire industry could grind to a halt.
This is a story that will get worse before it gets better. And the worst part is that nobody knows where the next blow will come from.