Before the model: the volume side of the cyber repricing

The Mythos argument was that cost of offence had collapsed. The volume of offence had already risen 13-fold before that collapse registered. Institutional capital is still pricing the old world.

Mythos announced a capability event and the market is now pricing the capability frame. The 2025 operational data shows the volume frame had already moved before Mythos registered. Between January and September 2025, Sweden recorded 733 reports of GPS interference affecting airliners in its airspace (Myndigheten för samhällsskydd och beredskap, quarterly reports), against 55 across all of 2023. The 13-fold rise was traced by Swedish and Nordic aviation authorities to devices operating out of Kaliningrad and adjacent Russian territory. The tempo acceleration preceded the capability collapse. The capability collapse has arrived on top of a tempo that had already accelerated.

The Mythos piece argued that the roughly $20bn cyber insurance market (Aon Reinsurance Market Dynamics, 2024) and the $1.5 trillion US investor-owned utilities sector (EEI member-company market-capitalisation aggregate, 2025) were underwritten against a world that had ceased to operate. That argument still stands. The missing frame in the Mythos reading is that the world had already ceased operating before the capability event registered. Institutional capital is pricing the old world twice: once against a capability event still generalising, and once against an operational tempo that accelerated through 2025 while the capability frame was still hypothetical.

What the 2025 data actually shows

Grey-zone activity against European infrastructure has industrialised since February 2022. The 2025 public record, across Nordic aviation authorities, national broadcasters, NATO Baltic Sentry updates, and CEPA’s incident compilations, resolves into four separable categories, each measured, attributed, and, where possible, named.

The GPS interference figure leads. 733 against 55 across a nine-month window is that 13-fold increase, source-traced by the Swedish MSB to devices operating out of Russian territory. Confirmed drone incursions at European airports, compiled from UKAB, EASA, and Eurocontrol data and tracked in CEPA’s aviation incident compilation, rose from 40 in 2018 to 90 through 10 November 2025. Three airport closures from autumn 2025 are on the public record: Vilnius (Lithuanian State Border Guard Service, October 2025), Copenhagen (Danish Transport Authority, Reuters reporting, late September 2025), and Munich (Bavarian State Police statement, Financial Times, early October 2025). Around Easter 2025, approximately 30 telecommunications towers in Sweden were sabotaged without anything being stolen (SVT reporting, April 2025), which rules out ordinary criminality. Polish Prime Minister Donald Tusk publicly attributed the May 2024 Warsaw Marywilska 44 shopping mall arson to Russian intelligence services (Tusk statement, October 2024; Polish Internal Security Agency ABW). In the weeks before the February 2025 snap Bundestag election (held 23 February 2025 following the December 2024 confidence-vote collapse of the Scholz coalition), hundreds of cars were sabotaged in Germany by small-time criminals recruited via Viber at 100 euros per car (BBC reporting). On 1 November 2025, three Bulgarians were convicted in a French court for destabilisation acts including pig’s heads placed at a mosque; defence counsel openly admitted “we suspect” Moscow’s hand (BBC reporting, November 2025).

None of these is a capability event. They do not require frontier AI. They require a Kremlin willing to run grey-zone operations at scale, a supply of recruited gig workers, and the technical sophistication of a competent 2015 state programme. That supply exists. It has scaled.

This body of evidence has been written about at state level, in policy-adjacent publications addressed to institutional readers who think about critical national infrastructure in the foreign-and-defence frame. Elisabeth Braw at the Atlantic Council has been tracing the pattern through 2024 and 2025, and the CEPA aviation compilation tracks the subsidiary incident set. Principals who own operational infrastructure inside the corridor of effect (Baltic shipping interests, regional utilities, data centres adjacent to European defence supply chains, mid-cap telecoms with cross-border exposure) remain an under-addressed audience. Those same principals have been pricing cyber risk as an operational SG&A line against a threat model measured before any of the above had happened.

Why the arithmetic moves

A competent cyber insurance book has been underwritten against a decade of claims data in which attack volume was constrained by the scarcity of human expertise and, less visibly, by the political cost to the attacking state of being identified. Both constraints are weaker in 2026 than they were in 2020. The 2022 invasion signalled that one major state actor no longer cares about being identified. The Viber-and-100-euros recruitment model signalled that the expertise constraint can be worked around for a class of disruptive attacks that do not require expertise, only willingness.

For the actuarial model, the consequence is not that the next claim is bigger. The consequence is that the claims are increasingly correlated. A single recruitment channel, a single reconnaissance apparatus, and a single strategic instruction set can generate simultaneous events against multiple insured counterparties on the same weekend. That is the failure mode insurance math handles poorly. Capacity withdraws before repricing, because repricing requires a new actuarial model and capacity withdrawal requires only a boardroom decision.

For the operating asset, the consequence is that the SG&A line is underwriting a probability the business has no way to measure. A notional £300,000 annual IT operating cost on a regional utility, illustrative rather than drawn from a specific audit in this piece, looks defensible against a 2020 threat model. Against the 2025 ground truth, it is an acknowledgement that the utility is tolerating an exposure it has not priced. On one operational platform I audited last quarter, the CFO quoted the cyber line at one number and the CIO quoted it at roughly twice that, and neither was in the room when the other one answered. The two figures measured different things against different threat models, but the capital plan treated them as the same line.

My read is that Baltic-exposed and CNI-adjacent cyber books are mispriced by something like one-and-a-half to three times current premium, and I would stake that position against any broker offering continued capacity on 2023 terms. The question settles inside twelve months, probably in the reinsurance cycle.

What a principal with direct exposure should be asking

If you are the family office holding a Baltic or North Sea shipping interest, a mid-cap Nordic or Polish telecom, a regional utility with cross-border supply, or a data centre in the corridor of European defence exposure, the 2025 operational data changes what you should be asking the broker this quarter. Two questions are worth running against the portfolio this month.

First, which assets in the portfolio sit inside the corridor of effect described by the 2025 operational data: Baltic and North Sea shipping, northern European regional telecoms, utilities with cross-border supply, data centres adjacent to European defence supply chains, and defence manufacturers or their tier-one suppliers? For each, pull the cyber line from the management accounts and pair it with the threat model it was built against. If the budget still reflects a 2020 compliance baseline, it is probably too low for a 2025 environment defined by higher tempo and higher correlation.

Second, what does the insurance stack actually transfer? The correlated-claim structure of the new world breaks the diversification assumption cyber insurers have been operating under. A policy priced against independent-events math will pay a different amount than a policy priced against correlated-events math, and the counterparty difference between those two worlds is the insurer’s capital position eighteen months out. It is worth asking the broker, in writing, what correlation assumption sits behind the current cover.

One further question belongs on the list, sequenced after the first two. Which capital events over the next twenty-four months are exposed to a sudden repricing? Refinancings, recapitalisations, secondary offerings, exits, long-term service-contract renewals. A repricing event landing mid-capital-event is the difference between a planned transaction and a distressed one.

These are capital questions that cyber prices. The usual sequence (ask the broker first, then the CIO, then the CFO, each answering within the frame of their own discipline) is what produced the current mispricing. Answering them requires holding capital architecture, technical architecture, and operational execution in the same room.

What would make this wrong

Three conditions would flatten the argument.

The first is that the 2025 grey-zone tempo was already the peak. If Baltic Sentry patrolling holds through 2026 with no further cable incidents, if drone incursions at European airports plateau or reverse from the 90-count 2025 figure, and if GPS interference reports stabilise rather than continue their trajectory, the volume argument loses force. Observable on this: the NATO Baltic Sentry quarterly updates and the CEPA drone incident compilation, measurable at 6 and 12 months.

The second is that attribution complexity breaks down. If the specific sourcing of GPS interference to Russian cities turns out to be less firmly established than the 2025 reporting claimed, or if the criminal-recruitment pattern in the Warsaw and German arson cases turns out to be bidirectional or commercially motivated, the named-state-actor clarity weakens and the argument reverts to general cyber risk. Observable on this: reporting from Bellingcat, the Atlantic Council’s Digital Forensic Research Lab, and national broadcaster investigations, measurable in any cycle that runs a specific falsification piece on the 2025 attribution set. 12-month window.

The third is that insurance capacity stays intact through 2026. If the Lloyd’s syndicates writing cyber continue to offer the same limits on Baltic-exposed and CNI-exposed counterparties at comparable pricing, the market is signalling confidence in its own model. Either the market is right and the argument here is wrong, or the market has not yet priced in the evidence and the adjustment is pending. A year of capacity data from the Lloyd’s Market Association would clarify which.

The working assumption under this memo is that at least one of those three softens and at most one holds. Mark the memo against the observable state in six and twelve months.

What I do not yet know

The Mythos piece closed by observing that the frame had become visibly wrong with one public capability announcement. The 2025 ground-truth evidence shows the frame had already moved on the volume axis before that announcement registered. What I do not yet know is whether the Lloyd’s syndicates reprice first or withdraw capacity first, and the brokers I have asked in the last month do not know either. The reinsurance market tends to do one before the other, and which comes first materially changes the capital-event math for any exposed principal.

The question that matters is less about which way the market moves and more about which refinancing in the portfolio lands inside the window before the market has settled on a direction. If you are running that calculation now on a specific asset and reach an answer different from mine, I would be interested to hear what you conclude.

Gopal Patel is principal at Navaro Advisory; prior roles include CTO at Auriens and operational audits across services, institutional hospitality, and AI-native procurement.