The U.S. water sector is increasingly vulnerable to cyber threats, as highlighted by recent breaches such as the one at American Water Works Co. Inc., which compromised millions of customer records. Many public water systems remain at risk due to insufficient cybersecurity regulations. In this context, cyber insurers are emerging as key partners in enhancing security measures.
Insurers are moving away from traditional underwriting to proactive risk management. Multiple cyber insurers are now assessing policyholders' cybersecurity infrastructure, helping utilities identify and address vulnerabilities. “Cyber insurance is a tool to improve our resilience. It’s not the solution,” says Sezaneh Seymour from Coalition. Nevertheless, in the absence of strict regulations, these initiatives can significantly reduce risks; Coalition reported a 90% reduction in vulnerabilities for its covered water entities within six months.
The water sector’s fragmentation complicates matters, with over 150,000 utilities—many small and underfunded—often neglecting cybersecurity. An EPA alert found that over 70% of inspected systems failed to meet basic requirements for risk assessments and emergency plans. This fragmentation leaves smaller utilities particularly exposed, making them attractive targets for cybercriminals.
Regulatory support remains weak. An EPA initiative aimed at requiring cybersecurity assessments for drinking water systems was blocked last year, leaving many utilities without enforceable protections. Experts warn that, without mandatory regulations, the risk of cyberattacks will continue to rise.
Insurers are beginning to play a pivotal role by not only providing coverage but also fostering improvements in cybersecurity practices. However, many utilities still lack the resources to meet insurance requirements.
The future of cybersecurity in the water sector will depend on how cyber insurance and regulatory frameworks interact. As more utilities seek coverage, insurers' stringent standards could drive essential improvements in security. Larger utilities can help smaller ones improve their cybersecurity posture, creating a more resilient infrastructure.
We are at a critical moment where decisive actions by insurers, regulators, and utilities will shape the resilience of our water systems against growing cyber threats.