Who Pays for Digital Risk? Insuring Tech Infrastructure in an Unstable World

The following excerpt is from Chapter 5 — Shifting Sands: A Middle East in Conflict and Transition.

Digital infrastructure is increasingly exposed to geopolitical, climate, and cyber risks that are more interconnected and harder to contain. While traditional insurance mechanisms continue to absorb many physical and supply chain disruptions, cyber risk presents deeper structural challenges due to attribution difficulties and systemic exposure. As disruptions begin to cascade across systems, the question of who ultimately bears the cost becomes more difficult to answer, pointing to growing gaps in how risk is currently understood and insured.

Digital infrastructure has become the backbone of the global economy, yet it is increasingly exposed to a widening spectrum of risks. From geopolitical tensions resulting in tariffs and sanctions, to climate-driven or natural disasters, to cyber or kinetic attacks, the systems underpinning modern connectivity—data centres, undersea cables, cloud networks, and energy grids—are being tested in unprecedented ways. Given the central role of digital infrastructure in national development strategies across the region, the current situation in the Middle East further underscores the need to develop insurance frameworks that account for potential regional instability.

What makes these risks more challenging is not just their scale, but their interconnected nature: disruptions rarely remain contained, instead cascading across supply chains, financial systems, and physical infrastructure. This raises the question of who ultimately bears the cost, and whether existing systems that insure against disruption are equipped to absorb it.

Risks to Digital Infrastructure: Supply Chain, Physical Damage, and Cyber Attacks

In recent years, a convergence of shocks has highlighted the fragility of interconnected technological systems. Geopolitical conflict has had immediate and cascading effects on infrastructure and trade. Amid regional instability in the Middle East, fuel prices for cars and aeroplanes have risen by between 30 and 50 percent compared to the start of 2026.^[1] Transportation costs and associated delays affect the construction and maintenance of technology infrastructure globally, with effects extending through supply chains and the timelines of data centres and other digitally critical real estate projects.

Figure 1: Petrol Price Hikes Amid the Middle East Crisis

Source: The Guardian^[2]

Beyond construction, disruptions to supply chains of digital components in the manufacturing of critical technologies have increased the fragility of technology industries. These include the drawnout back-and-forth export control measures between AI superpowers, the US and China, which have taken turns restricting access to key inputs and technologies. Most notably, restrictions on advanced semiconductor chip sales under the Biden administration in 2022 led China to impose export controls on gallium and germanium in July 2023.^[3] Trump’s tariff orders of up to 100 percent in April 2025 similarly prompted China to tighten export controls in October on rareearth elements and magnets used in consumer electronics, cars, jet engines, and radar systems.

At the same time, natural disasters and kinetic security risks underscore the extent to which digital infrastructure is physically situated and exposed to disruption. Extreme weather events such as rising temperatures, flooding, and storms are already placing strain on energy grids, data centres, and connectivity hubs, particularly in climate-exposed regions.^[4] These assets are also vulnerable to deliberate physical targeting in conflict settings. Indeed, the recent escalation has exposed the vulnerability of energy facilities and data centres across the Middle East, with multiple sites affected since February 2026.^[5]

Cyber risk adds another layer of vulnerability to digital infrastructure, often arising from hidden weaknesses in code or basic operational failures. The SolarWinds hack in 2019, for example, involved attackers inserting malicious code into trusted Orion software updates, which were then distributed to customers and used to gain access to the computer systems of many international companies and organisation including Microsoft, Intel, Cisco, and even US government agencies. This lasted months before the malware was discovered.^[6]

In addition to software vulnerabilities, basic human error can create entry points for major cyberattacks. The Colonial Pipeline ransomware attack in May 2021, which disrupted fuel supplies across the US East Coast, was traced to a single compromised password that did not have multi-factor authentication.^[7] These dynamics underscore how overlapping physical, supply chain, and digital vulnerabilities can drive systemic disruption, raising challenges for how such risks are understood by insurers.

Insuring Risk: Increase in Exposure, Increase in Claims

The financial consequences of the increasing frequency and severity of disruptions are already visible in insurance markets. Global insured losses from natural hazards reached approximately US$137 billion in 2024, surpassing the previous year’s record.^[8] Supply chain disruptions have also translated into notable insured losses, with global insurance broker Aon finding that business interruption—often driven by supply chain breakdowns—and cyberattacks are among the top global risks causing losses for companies.^[9]

Figure 2: Top Global Risks in 2025

Source: Aon^[10]

Insurance plays a crucial role in distributing and managing risks associated with technological infrastructure. At the physical level, property insurance and business interruption coverage protect against damage to facilities and resulting income loss. Where infrastructure is affected by conflict, natural disasters, or accidents, these policies support recovery, as seen in the aftermath of Hurricane Ida in August 2021, which generated approximately US$36 billion in insured losses.^[11]

For more complex scenarios, specialised forms of coverage are increasingly important, particularly in regions exposed to geopolitical risk. Supply chains and physical security issues are critical to insure where infrastructure and trade routes are directly exposed to conflict-related disruption. Contingent business interruption insurance helps firms manage supply chain disruptions, while political risk and political violence insurance cover losses arising from conflict and government action. However, while these traditional lines have shown relative clarity and reliability in responding to such events, coverage in the digital domain— particularly for cyber risk—remains far less certain.

The Limits of Insurability: Cyber Risk in a Grey Zone

In the digital domain, cyber insurance covers data breaches, ransomware, and outages, including operational and recovery costs. However, unlike more established lines of coverage, cyber insurance remains contested and underdeveloped: insurers have increasingly introduced exclusions for war and state-backed cyberattacks due to the potential for losses to exceed market capacity, while attribution of attacks to specific actors remains difficult and legally untested.^[12]

Despite its importance, insurance is not a comprehensive solution to cyber risk, with many policies excluding high-impact scenarios. Insurers often exclude war or state-backed attacks, citing the potential for systemic losses. Since coverage often depends on whether an attack is classified as state-backed, claims become difficult to resolve, particularly where attribution is technically complex and politically contested. This was seen in the Mondelez–Zurich dispute following the 2017 NotPetya attack, where a US$100-million claim was initially denied under a war exclusion clause before being settled in 2022.^[13]

Events affecting multiple policyholders simultaneously, such as widespread cyberattacks or supply-chain disruptions, can generate losses beyond insurers’ capacity. The problem is compounded by adverse selection: firms with the greatest cyber exposure have the strongest incentive to buy coverage, skewing the insured pool toward higher-risk clients.^[14]

Without mechanisms to incentivise robust security practices, insurance alone may not reduce underlying vulnerabilities. In practice, this requires firms to move beyond risk transfer and invest in risk reduction. Given that many cyber incidents can be traced back to human error or misconfiguration, strengthening internal processes is also critical. These constraints suggest that cyber risk is beginning to outgrow traditional insurance models, pointing to the need for a broader approach to managing digital disruption.

Conclusion: Towards a More Resilient System

As digital infrastructure becomes more central to economic and societal functioning, the question of who pays for disruption will grow more urgent. Ongoing instability in the Strait of Hormuz shows that while insurance remains an essential mechanism for absorbing and redistributing risk, its effectiveness is uneven across different categories of disruption. Physical damage and supply chain shocks are, to a large extent, still insurable within existing frameworks, but cyber risk exposes deeper structural limitations.

A key lesson is that the increasing interconnectedness of digital infrastructure is blurring the boundary between isolated incidents and systemic events, making losses harder to contain and model. At the same time, the prevalence of human error and operational weaknesses as entry points for cyber incidents underscores that risk cannot be fully transferred through insurance alone. Instead, resilience depends as much on internal practices and preparedness as it does on external financial protection.

Elizabeth Heyes is Junior Fellow, Emerging Technology, at ORF Middle East.

^[1] Lauren Aratani, “US Average Fuel Price Passes $4 a Gallon for First Time in Four Years Amid Iran war,” The Guardian, March 31, 2026, https://www.theguardian.com/ business/2026/mar/31/us-average-fuel-prices-iran-war; Faarea Masud, “Lufthansa Cuts 20,000 Summer Flights as Fuel Prices Surge,” BBC News, April 22, 2026, https:// www.bbc.com/news/articles/cre1r4n5j5wo.

^[2] Aratani, “US Average Fuel Price Passes $4 a Gallon for First Time in Four Years Amid Iran War”.

^[3] “Biden Administration Imposes Sweeping Tech Restrictions on China,” The Guardian, October 7, 2022, https://www.theguardian.com/us-news/2022/ oct/07/biden-administration-tech-restrictionschina#:~: text=3%20years%20old-,Biden%20 administration%20imposes%20sweeping%20tech%20 restrictions%20on%20China,leading%20factories%20 and%20chip%20designers; Jing Zhang, Tamer A. Soliman and Jennifer L. Parry, “China Imposes New Export Controls on Two Minerals Critical to the Manufacture of Semiconductors,” Mayer Brown, July 2023, https://www. mayerbrown.com/en/insights/publications/2023/07/chinaimposes- new-export-controls-on-two-minerals-criticalto- the-manufacture-of-semiconductors; David Lawder and Ahmed Aboulenein, “A Year After ‘Liberation Day,’ Trump Sets New Drug Tariffs, Adjusts Metals Duties,” Reuters, April 3, 2026, https://www.reuters.com/world/ us/year-after-liberation-day-trump-sets-new-drug-tariffsadjusts- metals-duties-2026-04-02/; Gracelin Baskaran, “China’s New Rare Earth and Magnet Restrictions Threaten US Defense Supply Chains,” Center for Strategic and International Studies, October 9, 2025, https://www.csis.org/analysis/chinas-new-rare-earthand- magnet-restrictions-threaten-us-defense-supplychains#:~: text=A5:%20The%20new%20measures%20 mark,of%20backtracking%20on%20its%20commitments.

^[4] Sebastian Moss, “Outage at London Hospitals Cost NHS £14m When Heatwave Brought Down Two Data Centers,” DatacenterDynamics, January 30, 2023, https://www. datacenterdynamics.com/en/news/outage-at-londonhospitals- cost-nhs-14m-when-heatwave-brought-downtwo- data-centers/; Andrew Freedman, “Helene Knocks Top US Climate Center Offline,” Axios, September 30, 2024, https://www.axios.com/2024/09/30/top-us-climatecenter- offline-hurricane-helene.

^[5] “Several Mideast Gulf Energy Sites Hit by Drones,” Argus Media, April 5, 2026, https://www.argusmedia.com/en/ news-and-insights/latest-market-news/2810200-severalmideast- gulf-energy-sites-hit-by-drones; Joseph Jarnecki and Noah Sylvia, “Iranian Data Strikes Shake Global Digital Infrastructure,” Royal United Services Institute (RUSI), March 19, 2026, https://www.rusi.org/exploreour- research/publications/commentary/iranian-datastrikes- shake-global-digital-infrastructure.

^[6] National Cyber Security Centre (UK), “SolarWinds,” NCSC, 2021, https://www.ncsc.gov.uk/collection/ncscannual- review-2021/the-threat/solarwinds.

^[7] William Turton and Kartikay Mehrotra, “Hackers Breached Colonial Pipeline Using Compromised Password,” Bloomberg, June 4, 2021, https://www. bloomberg.com/news/articles/2021-06-04/hackersbreached- colonial-pipeline-using-compromisedpassword? embedded-checkout=true.

^[8] Chandan Banerjee et al., “Natural Catastrophes in 2024: Insured Losses Rise to USD 137 Billion,” Swiss Re Institute, https://www.swissre.com/institute/research/ sigma-research/sigma-2025-01-natural-catastrophestrend. html.

^[9] Aon, A New Era of Converging Risks and Accelerating Disruption, 2025, https://www.aon.com/en/insights/ reports/global -risk-management-survey/ keyfindings? collection=18a5358e-4f8c-4e2d-8fb3- 291c7672dfaa&parentUrl=/en/insights/reports/globalrisk- management-survey#aon-collection-detail-item- {88AB1A5D-42AA-4E52-9EBC-73769726AB28.

^[10] “A New Era of Converging Risks and Accelerating Disruption”.

^[11] Yujie Xue, “Natural Disasters Cost Asia-Pacific US$50 Billion Last Year,” South China Morning Post, January 10, 2022, https://www.scmp.com/business/banking-finance/ article/3162865/natural-disasters-cost-asia-pacific-us50- billion-last-year.

^[12] Lloyd’s Market Association, “Market Bulletin Y5381: State Backed Cyber-attack Exclusions,” Lloyd’s, https:// assets.lloyds.com/media/35926dc8-c885-497b-aed8- 6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20 Cyber-attack%20exclusions.pdf.]

^[13] David Jones, “Mondelē z Settlement in NotPetya Case Renews Concerns About Cyber Insurance Coverage,” Cybersecurity Dive, November 8, 2022, https://www. cybersecuritydive.com/news/mondelez-zurich-notpetyacyber- insurance-settlement/636029/.

^[14] Liam M. D. Bailey, “Mitigating Moral Hazard in Cyber- Risk Insurance,” Journal of Law & Cyber Warfare 3, no. 1 (2014): 1–42, http://www.jstor.org/stable/26432557.