A Polish Grid Attack Exposes an Insurance Gap for Networked Battery Storage

In December 2025, a cyberattack struck Poland’s power grid. Polish officials said it targeted multiple smaller sources of power at the same time and came very close to causing a blackout. The government said Russia was likely responsible. Several months later, the episode surfaced in a place removed from grid operations: the insurance market that covers battery storage.

The gap. A June 4 report carried by ESS News described a coverage problem that sits at the intersection of two kinds of insurance written for battery storage. Conventional property and business-interruption policies are built to pay for physical damage. Dedicated cyber-liability policies are built to pay for malicious digital acts. A loss that begins as a cyber intrusion and ends as physical damage can fall into the space between the two, unless a cyber policy is specifically structured to cover physical loss alongside the intangible exposures it usually addresses. Battery storage, networked by design and increasingly enrolled in remote dispatch programs, sits squarely on that seam.

The problem is not abstract for the asset class. Underwriters cited in the report note that most commercial battery installations now require both business-interruption and cyber-liability coverage, and that cyber threats already rank among the leading drivers of battery-storage insurance claims. A risk that was once treated as a secondary endorsement has moved closer to the center of how these assets are underwritten.

The pricing problem. The harder difficulty is that the market does not yet have mature frameworks for pricing distributed, networked storage risk. A single large site can be inspected, segmented, and staffed. A fleet of smaller systems spread across many buildings, each with its own management interface and many of them enrolled with third-party aggregators, presents a larger and more varied set of networked entry points, and fewer of those systems carry dedicated security staff. Underwriters pricing that exposure are working without the long loss histories that make conventional property risk legible. The result is coverage that is available but imprecisely priced, a position that serves neither the insurer nor the buyer well once a claim tests the wording of a policy.

The procurement screen. The clearest signal of where the pressure moves next came from a separate transaction in the Baltics. Rolls-Royce Power Systems won a contract to supply a 490 MWh battery project in Latvia, lifting its Baltic storage contract book to 1.5 GWh. The developer, Sunly, attributed its choice of a European supplier to strict cybersecurity requirements rather than to price. The decision turned on provenance: who built the control stack, and under what security regime it was produced.

That logic is beginning to function the way domestic-content rules already do in some markets, as a screen applied before cost rather than after it. A buyer that treats cybersecurity as a qualification criterion narrows the supplier field before the commercial negotiation begins, and rewards vendors that can document how their systems are built and secured. The same screening rationale that justifies paying for a vetted supply chain also reduces the residual risk an insurer would otherwise have to price, which links the procurement decision and the insurance decision more tightly than they used to be.

The policy direction. European policy is moving along the same line. On June 5, the European Commission released a Strategic Roadmap for Digitalisation and AI in Energy, built around accelerating the digital transformation of the grid while hardening it against geopolitical and cyber threats. The roadmap places cyber resilience among the explicit objectives of European energy policy, which gives commercial buyers a regulatory reason to ask suppliers the same questions insurers are starting to ask. No equivalent storage-specific cyber mandate has been adopted in the United States, where buyer behavior on cyber provenance, as with domestic content before it, may run ahead of any formal rule.

The assumption. The Polish attack did not originate in the insurance industry or in a procurement office, but it landed in both. It exposed an assumption embedded in the way networked storage has been insured and bought: that the physical risks of a battery are accidental in nature. As storage comes online connected by default and dispatched remotely, that assumption becomes harder to underwrite and harder to set aside in procurement. The question of who pays for a fire that someone caused on purpose, rather than one that started by chance, is moving from the footnotes of a policy toward the front of a purchasing decision.

Sources