The rising APT risk reshaping cyber insurance for critical infrastructure
APT cyberattacks widen the USD 200B insurance gap, driving demand for better risk models and resilient Industrial IoT security.


Advanced persistent threats (APTs) have become the silent assassin of our critical infrastructure. APTs do not produce the traditional cyberattack noise—such as blaring siren alerts and ransomware demands—that typically signal the existence of a threat. In contrast, APTs represent a sophisticated, slow burn designed to be undetectable; the intent of these attacks is to slowly spread throughout industrial networks. For those who own or insure the assets of our critical infrastructure (including power plants and manufacturing facilities), this realization represents an emergency: The tools used to measure and control the APT risks associated with our assets are woefully insufficient.
This alarming assessment is the result of an exhaustive collaborative study conducted by Pal et al. (with authors from Massachusetts Institute of Technology, Georgia Institute of Technology, University of Illinois Urbana-Champaign, and the University of Southern California) that appeared in a Winter Simulation Conference 2023 paper titled A Network Theory to Quantify and Bound Cyber Risk in IT/OT Systems and a subsequent journal paper published in ACM Transactions on Management Information Systems titled How Should Enterprises Quantify and Analyze (Multi-Party) APT Cyber-Risk Exposure in Their Industrial IoT Network? These papers challenge the basic assumptions underpinning today's cyber-risk management practices. The conclusions reached by Pal et al. are far-reaching, business-critical, educative, and transformative, and will require significant adjustments by enterprise leaders and risk management professionals as they respond to what is arguably one of the most pressing issues of the modern age.
The reason for the enormous gap between the losses that APT attacks on critical infrastructure can cause and the cyber insurance available to cover them, estimated at USD 200 billion, is not a lack of available capital. Rather, as stated by Pal et al., the gap is due to "the lack of robust quantitative estimates of adverse non-binary impact distributions in IIoT networks post-(Advanced Persistent Threat) (APT) cyber-attacks". In other words, insurers cannot build reliable pricing models because nobody can predict, as a distribution rather than a yes/no outcome, how much damage an APT attack would inflict on a critical infrastructure network as it unfolds over time.
One of the most worrying aspects of the gap is the bad incentives it creates. Because they cannot accurately estimate potential losses, risk managers must either charge policyholders prohibitively high premiums or refuse to cover certain Industrial IoT (IIoT) industry segments altogether. Cyber risk managers who fail to provide critical infrastructure operators with adequate coverage leave them with little choice but to absorb immense risks that no single organisation can manage alone.
Together, these two outcomes break the cyber insurance market. As a result, cyber risk managers and organisations cannot properly evaluate or mitigate the systemic risks that advanced APT attacks pose.
Ultimately, this reflects a fundamental problem with how cyber risks are measured—and it is one that affects all stakeholders, including businesses, insurers, and critical infrastructure operators.
“If you cannot quantify loss impact, you cannot manage it,” Pal et al. observe. This is not philosophical theory; it is essential for operations.
The researchers have developed what they call an "attack-defense-impact" model, which is fundamentally different from earlier models. Their model identifies "the time-varying attack-defense-impact trio as an outcome of a time-dependent Markov-Feller continuous stochastic process." In practical terms, this means modelling the random times at which malware moves from node to node within an industrial network (and at which defenders contain it), and at the same time accounting for the financial damage that accumulates while several assets are infected at once.
This distinction is crucial for risk managers. For example, if a pharmaceutical manufacturing plant is infected with APT malware, the company may lose not just one production line but multiple lines due to cascading system failures, with losses multiplying by the hour or day. The Conditional Value-at-Risk (CVaR) metric that Pal et al. emphasise summarises the "worst-case" end of this loss distribution: it is the average loss across the worst tail of outcomes at a chosen confidence level, for example the worst 5 to 10 per cent of simulated scenarios (CVaR at the 90th to 95th percentile). Insurance underwriters need exactly this tail estimate to set accurate policy pricing levels. Yet enterprise risk assessments generally do not provide such data.
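To make the two ideas in the preceding paragraphs concrete (a continuous-time stochastic model of malware spreading and being contained across plant assets, and the CVaR of the resulting cumulative loss), the following is an added illustration written for this page. It is not Pal et al.'s model, code or data: the four-node plant network, the lateral-movement rates, the per-hour loss figures and the containment rates are all constructed, and the simulation is a plain Gillespie-style continuous-time Markov chain rather than the Markov-Feller formulation in the papers.

```python
"""Monte Carlo estimate of VaR/CVaR for the cumulative loss caused by an APT
spreading through a small industrial network.

Hypothetical illustration: topology, rates and loss figures are constructed
and do not come from Pal et al. or any real plant.
"""
import math
import random

# Constructed plant network: directed edges with lateral-movement rates (events per hour).
EDGES = {
    "historian": {"plc_line1": 0.20, "plc_line2": 0.15, "eng_ws": 0.30},
    "eng_ws": {"plc_line1": 0.25, "plc_line2": 0.25},
    "plc_line1": {"plc_line2": 0.05},
    "plc_line2": {"plc_line1": 0.05},
}
# Constructed financial loss (USD per hour) while each asset is infected.
LOSS_PER_HOUR = {"historian": 500, "eng_ws": 200, "plc_line1": 20000, "plc_line2": 15000}
# Constructed rate (per hour) at which defenders detect and contain an infected asset.
CONTAIN_RATE = {"historian": 0.05, "eng_ws": 0.10, "plc_line1": 0.02, "plc_line2": 0.02}


def simulate_loss(rng, horizon, initial, edges, loss_rate, contain_rate):
    """One trajectory of the attack/defense process; returns cumulative loss over [0, horizon]."""
    infected, contained = {initial}, set()
    t, loss = 0.0, 0.0
    while t < horizon and infected:
        # Possible next events: infection of a susceptible neighbour, or containment of an infected node.
        events = []
        for src in infected:
            for dst, rate in edges.get(src, {}).items():
                if dst not in infected and dst not in contained:
                    events.append((rate, "infect", dst))
            events.append((contain_rate.get(src, 0.0), "contain", src))
        total = sum(rate for rate, _, _ in events)
        # Holding time until the next event is exponential with the total rate;
        # if nothing can happen any more, the state persists to the horizon.
        dt = horizon - t if total == 0 else min(rng.expovariate(total), horizon - t)
        loss += dt * sum(loss_rate[n] for n in infected)  # damage accrues on every infected asset
        t += dt
        if total == 0 or t >= horizon:
            break
        # Pick which event fires, with probability proportional to its rate.
        u, acc = rng.random() * total, 0.0
        chosen = events[-1]
        for event in events:
            acc += event[0]
            if u < acc:
                chosen = event
                break
        _, kind, node = chosen
        if kind == "infect":
            infected.add(node)
        else:
            infected.discard(node)
            contained.add(node)
    return loss


def var_cvar(losses, alpha=0.95):
    """VaR = alpha-quantile of the losses; CVaR = mean loss in the worst (1 - alpha) tail."""
    ordered = sorted(losses)
    k = math.ceil(alpha * len(ordered)) - 1
    tail = ordered[k:]
    return ordered[k], sum(tail) / len(tail)


def monte_carlo(n=2000, horizon=72.0, initial="historian", seed=1, edges=EDGES,
                loss_rate=LOSS_PER_HOUR, contain_rate=CONTAIN_RATE, alpha=0.95):
    """Run n trajectories from the same seed and summarise the loss distribution."""
    rng = random.Random(seed)
    losses = [simulate_loss(rng, horizon, initial, edges, loss_rate, contain_rate) for _ in range(n)]
    var, cvar = var_cvar(losses, alpha)
    return {"mean": sum(losses) / n, "var": var, "cvar": cvar, "max": max(losses)}


if __name__ == "__main__":
    baseline = monte_carlo()
    # Same attack, but the defender contains assets twice as fast (constructed scenario).
    faster = monte_carlo(contain_rate={k: 2 * v for k, v in CONTAIN_RATE.items()})
    for label, r in (("baseline", baseline), ("2x containment", faster)):
        print(f"{label:15s} mean={r['mean']:>10,.0f} VaR95={r['var']:>10,.0f} "
              f"CVaR95={r['cvar']:>10,.0f} max={r['max']:>10,.0f}")
```

The point of the exercise is the last column pair: the mean loss is what a typical enterprise assessment reports, while CVaR at 95 per cent is what an underwriter needs, and the gap between them is exactly the tail that is invisible when only a single expected figure is produced. Changing the containment rates and re-running shows how a defensive investment moves the tail rather than just the average.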
This ostensibly technical discovery has significant real-world implications. Risk management companies, including insurers, asset management firms, and corporate risk divisions, can adopt dramatically different strategies if loss growth is predictable and rises linearly rather than erratically. Referring to the constants that govern such linear growth, the researchers state that this pattern creates "a strong incentive for the agency to deploy coverage contract policies that perennially maintain low values of such constants for an organization."
In other words, losses can be meaningfully managed if arrangements are made in advance. Planning insurance contracts, maintenance schedules, and security measures becomes more efficient when loss trajectories are predictable. Such linear predictability enables businesses to calculate future financial needs and collaborate with risk management partners to ensure sufficient security buffers before an incident occurs.
The researchers argue that “cyber-vulnerability information sharing by individual organizations is a must for cyber-insurers to appropriately price supply chain induced systemic risk.” This requires a level of transparency and cooperation that many enterprises have historically resisted — yet it is increasingly non-negotiable. Risk management companies need visibility into their clients’ actual vulnerability postures, not theoretical security metrics.
The USD 200 billion cyber insurance gap demands complete transformation, not incremental reform. For companies involved in risk and asset management, this means formally investing in cyber risk quantification capabilities and advanced loss modelling. These companies must also collaborate with enterprise clients to build resilient architectures to prevent future cyberattacks, rather than merely reacting to each new one.
Taoan Lu (of JP Morgan Chase, USA) and Bodhibrata Nag (of the Indian Institute of Management Calcutta).
First Published: Mar 17, 2026, 11:43