The policy sat on the CFO's desk for three years, quietly renewed at $2.3 million annually, a financial security blanket that turned out to be made of tissue paper.
When a North Korean-linked ransomware group locked down Baltimore-based logistics firm Meridian Freight Partners in February 2026, encrypting 14 terabytes of operational data and demanding $47 million in Monero, the company's cyber-insurance carrier did something that shocked the industry: it paid nothing. Zero. Citing a "state-sponsored actor exclusion" buried in Section 14(b) of the policy's fine print, the insurer walked away clean, and perfectly legally.
Meridian Freight is not alone. Across the United States and Western Europe, a quiet catastrophe is unfolding in boardrooms and courtrooms simultaneously. The cyber-insurance model, once celebrated as the financial backbone of corporate resilience, is fracturing under the weight of a threat it was never designed to absorb.
The Exclusion Clause That Ate the Industry
The problem did not appear overnight. Lloyd's of London first mandated that its syndicates exclude state-sponsored cyberattacks from standard commercial policies in August 2022. By 2024, that language had migrated into the boilerplate of virtually every major carrier (Chubb, AIG, Beazley, Travelers), each drafting their own variation of what the industry now coldly calls "the war exclusion."
The logic was actuarially sound: insurers cannot model, price, or absorb systemic, nation-state-level risk the way they can absorb a ransomware attack by a criminal collective operating out of eastern Europe for profit. When a government deploys cyberweapons as an instrument of foreign policy, the potential for cascading, economy-wide damage resembles a natural catastrophe more than a discrete corporate incident.
The problem is attribution, and that is where the entire structure collapses for policyholders.
"The exclusion clauses are written with extraordinary ambiguity," says Dr. Priya Venkataramaiah, a cyber-risk economist at the Brookings Institution. "Insurers are not required to prove state sponsorship beyond a reasonable doubt. They are required only to assert it plausibly, and in the current threat environment, almost any sophisticated ransomware group can be loosely tied to a state actor with enough circumstantial evidence."
Attribution Is the New Legal Battlefield
In 2025, the U.S. Cybersecurity and Infrastructure Security Agency formally attributed 61% of high-impact ransomware incidents to groups with "confirmed or probable" ties to Russia, China, Iran, or North Korea. That statistic, intended to inform national security policy, handed insurers a loaded legal weapon.
Consider the math from a carrier's perspective. If the majority of significant attacks carry some state-nexus attributable language, the exclusion can theoretically apply to the majority of the largest, most expensive claims. The result is a financial instrument that collects premiums during calm weather and evacuates the building when the storm hits.
Three separate federal lawsuits filed in Q1 2026 (involving a Texas hospital network, a California semiconductor manufacturer, and a Chicago-based financial clearinghouse) are all challenging denial-of-coverage decisions based on state-actor exclusions. Legal analysts expect these cases to reach circuit courts by late 2027, but for companies that need liquidity now, litigation is cold comfort.
The Premium Paradox
Here is the cruel irony shredding corporate risk budgets: even as coverage shrinks, premiums have not.
Cyber-insurance rates climbed an average of 34% in 2025, according to the Risk & Insurance Management Society's annual benchmarking survey. Carriers justify the increases by pointing to rising incident frequency and the escalating cost of incident response, forensic investigation, and regulatory defense, costs that remain covered even when the core ransom and recovery payout is excluded.
What companies are now purchasing, in practical terms, is an expensive policy that covers the ambulance ride but not the hospital stay.

