The 2025 Operational Technology Security Financial Risk Report issued this month by Dragos in collaboration with Marsh McLennan provides a comprehensive analysis of the financial impact of cyber incidents on operational technology (“OT”) assets worldwide. In this article, we highlight some of the key themes of the report and remind policyholders how they can leverage their insurance portfolio to protect against these cyber risks.
What is Operational Technology?
The UK’s National Cyber Security Centre defines OT as technology that interfaces with the physical world. OT refers to the hardware and software systems that monitor and control physical devices, processes, and infrastructure within industrial environments. Unlike traditional information technology, OT is focused on the direct management of machinery and equipment. Examples of OT include industrial control systems (ICS), which oversee manufacturing processes; supervisory control and data acquisition (SCADA) systems, which enable remote monitoring and control of critical infrastructure such as water treatment plants; and distributed control systems (DCS), which manage complex, continuous processes in industries like oil and gas or chemical production. These systems are essential for ensuring the safe, efficient, and reliable operation of industrial facilities.
OT cyber risk encompasses threats to critical infrastructure and industrial control systems that can lead to operational disruptions, safety hazards, and significant financial losses.
OT Cyber Risks Report
Drawing on a decade of insurance claims data and advanced statistical modeling from Marsh McLennan’s Cyber Risk Intelligence Center (Marsh’s enterprise-wide global cyber data, analytics, and modeling center of excellence), the report offers critical insights for risk managers, insurers, and OT operators. It quantifies potential losses from OT cyber breaches, evaluates the effectiveness of key cybersecurity controls, and delivers actionable recommendations for using insurance as a key tool in mitigating financial risk in industrial environments.
The report estimates that on a worst-case basis up to $329.5 billion per year is at risk globally from OT cybersecurity incidents, with $172.4 billion specifically tied to business interruption (“BI”) claims. Even in more typical years, average annual OT-related cyber risk is projected at $31.1 billion. Notably, indirect costs incurred due to a cybersecurity event—such as operational shutdowns and ripple effects across supply chains—often exceed direct damages, especially for larger organizations. Insurance coverage for OT cyber risks can therefore play a crucial role in offsetting these potentially catastrophic financial losses, particularly for BI and indirect costs that the business may otherwise find difficult to absorb.
Key risk drivers
OT cyber risk is not uniform across sectors or regions. The manufacturing, building automation and warehousing, and oil and gas industries face the highest likelihood of OT-related breaches, with North America experiencing the most frequent events. Revenue size, industry type, and geographic location all significantly influence both the probability and potential severity of incidents.
Understanding these risk drivers enables policyholders to work with insurers to tailor coverage and policy terms that address their unique risk profiles.
Top challenges in managing and insuring OT cyber risk
The report identifies three persistent challenges for OT risk management and insurance:
- Undefined financial impact: Historically, the financial consequences of OT cyber incidents have been difficult to quantify, complicating risk assessment and insurance underwriting. This has made it challenging for policyholders to secure adequate coverage and for insurers to price policies appropriately.
- Difficulty calculating return on investment: Without clear data on risk reduction, justifying investments in OT security controls has been challenging for business leaders. However, demonstrating the implementation of effective controls can improve insurability and potentially lead to more favorable policy terms.
- Prioritization of controls: A lack of independent data on the effectiveness of specific controls has hindered OT operators’ ability to prioritize cybersecurity initiatives. The report’s findings help policyholders identify which controls are most valued by insurers and can have the greatest impact on coverage and premiums.
Security controls to manage cyber risk
A central contribution of the report is its data-driven assessment of the SANS ICS 5 Critical Controls for OT cybersecurity, a framework of five outcome-focused, intelligence-driven measures designed to protect industrial control systems from cyber threats.
By mapping historical claims data to these mitigation measures, the report quantifies their average risk reduction potential:
- Incident Response Plan: 18.46%
- Defensible Architecture: 17.09%
- ICS Network Visibility & Monitoring: 16.47%
- Secure Remote Access: 12.18%
- Risk-Based Vulnerability Management: 13.87%
These percentages provide a benchmark for organizations to estimate the financial value of targeted security investments. Importantly, insurers increasingly consider the presence and maturity of these controls when assessing insurability, setting policy terms, and determining premiums. Policyholders who can demonstrate robust implementation of these controls may benefit from enhanced coverage options and reduced insurance costs.
Recommended next steps for policyholders
To reduce OT cyber risk and associated financial exposure, policyholders should:
- Review existing insurance policies to ensure they provide adequate coverage for OT cyber risks, including BI and indirect costs.
- Work with insurers and brokers to understand how the implementation of critical controls can improve insurability and potentially reduce premiums.
- Develop and regularly test OT-specific incident response plans and document these efforts for insurance purposes.
- Build defensible network architectures and establish comprehensive OT network visibility and monitoring, as these measures are often required or incentivized by insurers.
- Implement risk-based vulnerability management and enforce secure remote access policies, focusing on controls that are recognized by insurers as reducing risk.
- Maintain open communication with insurers to stay informed about evolving coverage options and requirements.