When Insurance Fails: Why Financial Liability Cannot Regulate Cyber
Part 3 of 5: The Collapse of the Enforcement Mechanism
In nuclear regulation, insurance companies did what governments and international agencies could not: they created binding compliance. Insurance underwriters, motivated by simple actuarial self-interest, forced nuclear operators to join safety organizations, maintain expensive safety cultures, and share operational data. This mechanism worked so well that it became the hidden foundation of global nuclear governance.
Cyber regulation is trying to replicate this model. Insurance should be the enforcement mechanism. Cyber insurance policies should require secure development practices. Insurers should demand proof of compliance. Financial incentives should drive security investment across the industry.
This is failing. Badly. And understanding why requires understanding the fundamental differences between insuring nuclear power plants and insuring cyber risk.
How Nuclear Insurance Became a Regulator
Let's start with the original problem. In the 1950s, private insurance companies would cover nuclear plants only to a maximum of $60 million per accident. The Atomic Energy Commission's own classified studies estimated that a worst-case accident could kill 45,000 people and cause $17 billion in property damage.
The math was impossible. No private market would support nuclear power at that liability level. Congress solved this with the Price-Anderson Act of 1957, which created a tiered liability system:
- Reactor operators would maintain private insurance up to $60 million
- Beyond that, the federal government would cover up to $500 million
- Beyond that, Congress would have to appropriate additional funds (politically difficult, serving as a cap on how bad an accident could be allowed to get)
This shifted risk from private insurers to taxpayers. But it also created an unexpected feedback loop: precisely because the government was now backing catastrophic losses, private insurers suddenly had incentive to invest in preventing them. If an accident happened, insurers would face losses (up to their coverage limit), but they'd also face massive increases in premiums to recoup those losses. The cost of prevention became lower than the cost of a single large accident.
Enter INPO. When the nuclear industry created INPO after Three Mile Island, private insurance companies made a crucial decision: they would only insure reactors that were INPO members in good standing. This turned a voluntary industry organization into mandatory regulation. You couldn't operate without insurance. You couldn't get insurance without INPO membership. Therefore, you had to join INPO and accept its standards.
The Brussels Convention extended this globally. European nations agreed that all signatories would contribute to a compensation fund for nuclear accidents, with contributions proportional to each nation's reactor capacity. This made each nation a financial stakeholder in every other nation's nuclear safety. France couldn't ignore reactor safety in the UK, because an accident in the UK would trigger contributions from French taxpayers. Every nation now had economic incentive to ensure every other nation maintained high safety standards.
The result was a "community of fate"—everyone was financially bound together. An accident harmed not just the operator or the nation where it happened, but potentially all members of the mutual insurance pool.
This created a powerful incentive system: operators competed to be recognized as having the best safety practices, because that reputation affected their insurance costs and their ability to operate internationally. Safety innovation became a competitive advantage. Information sharing became routine, because disclosing near-misses and lessons learned was cheaper than learning the hard way through actual accidents.
Why This Model Made Sense for Nuclear
Nuclear insurance worked as a regulatory mechanism because of three specific features of nuclear risk:
1. Risk concentration: A reactor accident is a discrete, localized event with bounded consequences. You can calculate the maximum plausible loss—the worst earthquake, the worst cooling failure, the worst combination of human error and equipment failure that could realistically occur. Insurance companies can model this. They can price it. They can require preventive measures that reduce the probability below some acceptable threshold.
2. Operator stability: Nuclear reactors are run by large, regulated utilities with long operating histories and deep capital bases. These are not fly-by-night operations. A utility planning to operate a reactor for 40 years has strong incentive to maintain it properly. That long time horizon makes insurance-based regulation effective—the operator knows that skimping on safety today will cost them in higher premiums tomorrow.
3. Regulatory clarity: Nuclear regulators can verify compliance through site visits, document review, and interviews with staff. A regulator can inspect a reactor and determine whether it meets safety standards. Insurance companies can demand proof of compliance. The compliance itself is observable and verifiable.
Why This Model Is Disintegrating for Cyber
Cyber insurance is collapsing under the weight of problems that nuclear insurance never had to face.
1. Risk is unbounded and diffuse
A cyber attack on a power grid could shut down electricity for millions of people across multiple states. But the attack might also affect hospital systems, water treatment, financial markets, and data centers. The cascading failures are unpredictable. You cannot calculate a maximum plausible loss, because the attack surface is global and the interdependencies are hidden.
More fundamentally, cyber risk is not a single event with localized consequences—it's a continuous stream of low-level breaches, data exfiltration, ransomware incidents, and supply chain compromises that combine in complex ways. The damage from a single attack might be modest, but the total damage from 10,000 simultaneous attacks across a sector could be catastrophic. Insurance companies cannot price this.
This is why cyber insurance premiums have become increasingly expensive and the terms increasingly restrictive. Insurers are essentially saying: we don't understand this risk well enough to price it fairly, so we're going to charge a lot and exclude as much as possible.
2. Operator incentives are inverted
A nuclear utility planning a 40-year operational life has incentive to invest in long-term safety. A software company operating in a 5-year competitive cycle has incentive to ship features fast and patch security problems later. The time horizons are incompatible.
More subtly, for nuclear operators, the cost of prevention (expensive safety systems) is borne by the operator and passed to ratepayers. The cost of failure (accident liability and insurance premiums) is also borne by the operator and ratepayers. This creates alignment: the operator pays for both prevention and failure, so it chooses prevention.
For cyber, the cost structure is completely different. A software company invests in security (expensive). A customer uses that software. A different company attacks the software (or the network running it). The damage is borne by multiple parties—the software company, the affected customers, infrastructure operators, insurance companies, sometimes entire sectors.
No single actor bears the full cost of failure. Therefore, no single actor has adequate incentive to prevent it. The costs are diffused across the entire ecosystem, while the benefits of not investing in security (faster time-to-market, lower development costs) accrue to the individual firm.
3. Compliance is invisible and unverifiable
A nuclear regulator can inspect a reactor and verify that safety systems are installed, maintained, and tested. A cyber insurance company cannot inspect a company's source code, test its security practices, or verify that the software is actually secure. The compliance itself is invisible.
This creates a fundamental market failure. Insurance companies are supposed to use the threat of premium increases to incentivize security investment. But how do they know whether an insured company is actually implementing security? They rely on self-reporting, third-party audits, and detection after breach. All of these are lagging indicators. By the time you discover a breach, the damage is done.
Some cyber insurers try to mitigate this by requiring compliance certifications like ISO 27001. But these certifications are largely audits of process, not of actual security. A company can be ISO 27001 certified and still get hacked. The certification provides false confidence without real risk reduction.
4. Attribution and causation are unclear
Nuclear insurance works because causation is clear. A reactor melts down, it's because of specific equipment failure or human error or design flaw. You can investigate, determine the cause, assign responsibility, and ensure similar failures don't happen elsewhere.
Cyber causation is murky. A company gets hacked. But was it because of their security practices, or because of a zero-day vulnerability nobody knew about? Was it because an employee fell for a phishing email, or because that phishing attack was sophisticated enough to fool most people? Was it because a vendor's software was compromised, meaning the company using the software had no reasonable way to prevent the attack?
When the cause is unclear, the feedback loop breaks. The company can't learn what to fix. Insurance companies can't accurately price risk based on preventive measures. The incentive structure collapses.
The Result: Insurance as Moral Hazard
Cyber insurance has largely devolved into a form of moral hazard and risk transfer, not risk reduction.
Companies purchase cyber insurance not because it incentivizes them to be more secure, but because the premium is cheaper than the expected cost of a breach. In other words, they're doing the calculus: "What's the probability we'll get breached? What's the expected damage? Would a breach be cheaper or more expensive than our annual cyber insurance premium?" If the answer is that the insurance is cheaper than the expected loss, they buy it—but they don't necessarily invest in security.
Insurance companies, recognizing this perverse incentive, have responded by making policies increasingly restrictive. They exclude coverage for "known vulnerabilities." They require proof of specific security practices as a condition of coverage. They impose higher deductibles. They cap payouts at levels far below realistic losses.
The result is an insurance market that is both expensive and inadequate. Companies pay high premiums and still face catastrophic uninsured losses if a major breach occurs. Small and mid-sized companies simply can't afford cyber insurance and therefore operate uninsured, which means a major breach could bankrupt them.
Why Price-Anderson Can't Be Replicated for Cyber
Some policy experts have suggested replicating the Price-Anderson model for cyber—having the government backstop cyber liability in the same way it backstops nuclear liability. This would presumably create the incentive structure needed for insurance to work.
This proposal misunderstands the reasons Price-Anderson worked.
In nuclear, the government backstop made sense because:
- There were only a few dozen reactor operators in the world, making a mutual insurance pool feasible
- The catastrophic loss was rare—an accident that big happens maybe once per century across the entire global fleet
- The infrastructure was essential (electricity) and provided ongoing value, so society had reason to support its existence even with catastrophic risk
Cyber risk has none of these features.
First, the number of entities exposed to cyber risk is in the billions. Every person with an email address, every business with a network, every connected device is potentially affected. A mutual insurance pool with billions of participants would be unmanageable.
Second, cyber attacks are not rare tail events—they're constant, ongoing, and growing. It's not one catastrophic loss per century; it's thousands of incidents per day. The insurance pool would face constant claims, not rare events.
Third, much cyber risk is created by actors (nation-states, criminal organizations) that operate outside normal market mechanisms. You can't insure against an attack by a country with superior resources and strategic objectives. Insurance presumes a rational risk-taker responding to price signals. It doesn't work against adversaries motivated by geopolitical goals or ideological objectives.
A government cyber liability backstop would rapidly drain the treasury as claims mounted. It would create indefinite government subsidy of an industry that arguably needs to invest in security rather than offload risk to taxpayers. And it would not solve the fundamental problem: insurance cannot regulate cyber risk effectively.
The Deeper Problem: Information Asymmetry
The core reason insurance fails as a regulatory mechanism for cyber is information asymmetry.
In nuclear, the regulator (and the insurer) could verify compliance. You could inspect the reactor, run tests, interview staff, review maintenance records. The information asymmetry between the regulator and the regulated operator was manageable.
In cyber, the information asymmetry is vast and growing. A company's security practices, threat landscape, and actual security posture are largely invisible to insurers. A cyber attacker knows more about a company's vulnerabilities than the company's own security team does. The defenders operate in darkness while the attackers have clear intelligence.
This information asymmetry means that insurance companies cannot price cyber risk accurately. They cannot verify compliance. They cannot create effective incentive structures. They're essentially selling a product they don't understand to people who are equally uncertain about their own risk.
When information asymmetry is this severe, markets fail. The insurance market for cyber is failing because it's operating with fundamentally incomplete information.
What Happens When the Enforcement Mechanism Breaks
The nuclear model worked because it created a chain of enforcement: government regulation → insurance requirements → operator compliance → information sharing → continuous improvement. Remove any link, and the chain breaks.
Cyber regulation has broken the chain. Insurance cannot enforce compliance effectively. Therefore, there's no binding requirement for operators to implement security practices. Therefore, information sharing remains ad hoc and incomplete. Therefore, the industry learns slowly from incidents and mistakes propagate across the ecosystem.
Companies secure the parts of their systems where insurance companies or regulators are watching. Everything else defaults to the minimum defensible standard. And when a major breach happens, the response is damage control and notification requirements—not the kind of systematic improvement that nuclear operators adopted after Three Mile Island.
The result is a cyber landscape where security improvements lag threat evolution by years. Vulnerabilities known to attackers remain unpatched in corporate networks for months. Attack techniques are replicated across thousands of organizations because there's no mechanism forcing widespread adoption of defensive countermeasures.
Nuclear was able to create what some researchers called a "community of fate"—everyone in the industry was bound together by mutual insurance and regulatory frameworks, so everyone had incentive to help everyone else be more secure.
Cyber has the opposite: a "community of competition" where information about vulnerabilities is hoarded, where security practices are proprietary secrets, where companies compete more intensely than they collaborate, and where the asymmetry of information about risks is so severe that no single actor can make rational investment decisions.
The Institutional Void
This brings us to a critical realization: nuclear solved the governance problem through insurance and capital markets, not through the IAEA or other formal institutions. But cyber cannot solve the problem through those same mechanisms because cyber risk is fundamentally different.
This means cyber needs a different governance model entirely. One that doesn't rely on insurance companies to enforce compliance, because insurance companies can't do that effectively. One that doesn't assume rational actors responding to price signals, because some actors are motivated by geopolitics or ideology. One that doesn't require verification of compliance, because cyber compliance is largely invisible.
What would that model look like?
That's the subject of Part 4: Rethinking Cyber Governance for a Domain Where Insurance Fails.
But first, the lesson for today: the assumption that cyber can be regulated through market mechanisms (insurance, capital requirements, liability standards) is largely false. Those mechanisms work when risk is concentrated, causation is clear, actors are rational, and compliance is verifiable. Cyber has none of these properties.
The cyber industry has spent the last decade trying to build nuclear-style governance without understanding that nuclear-style governance only works because of the specific economic and technical properties of nuclear power plants. Replicate the institutional framework without the underlying economic mechanisms, and you get the appearance of governance with the reality of anarchy.
The insurance market for cyber has proven this point. It's becoming increasingly expensive, restrictive, and ineffective. Companies that need protection most can't afford it. Companies that can afford it often don't get covered for the risks that actually matter. And the liability regime is so fragmented and unclear that it creates perverse incentives rather than correcting them.
Until cyber governance stops trying to force-fit the nuclear model and starts building something designed for cyber's actual properties, this situation will only get worse.
Member discussion