Latest news with #CyberRiskIntelligenceCentre


Techday NZ
5 days ago
OT cyber incidents may cost up to USD $329.5 billion globally
A new industry report has estimated that operational technology (OT) cyber incidents could result in global financial losses of up to USD $329.5 billion in the event of a severe but plausible scenario, with business interruption accounting for a significant proportion of the projected losses.

The study, conducted by Marsh McLennan's Cyber Risk Intelligence Centre, used a decade's worth of breach and insurance claims data to determine both the potential financial impact of OT cyber events and the OT security controls that most effectively reduce that risk. The findings suggest that business leaders, insurers, and security professionals should focus on implementing measurable risk reduction strategies in industrial environments.

According to the report, indirect losses are a major concern, impacting up to 70% of OT-related breaches. The study models worst-case scenarios in which the global financial risk from such incidents reaches as high as USD $329.5 billion, more than half of which - an estimated USD $172.4 billion - would result from business interruption.

Robert M. Lee, Chief Executive Officer and Co-founder of Dragos, commented on the findings: "Executives are increasingly accountable for managing cyber risks, but many still lack a clear line of sight into OT environments. The ability to quantify OT cyber risk and correlate it to potential financial losses is a game-changer. This report fills a critical gap by translating OT security into measurable financial risk and assessing controls aimed at mitigating that risk."

The key OT cybersecurity controls found to be most strongly correlated with risk reduction are incident response planning (up to 18.5% average risk reduction), defensible architecture (up to 17.09%), and ICS network visibility and monitoring (up to 16.47%). The analysis leveraged tens of thousands of simulations, representing one of the first statistical attempts to connect specific OT controls with quantifiable financial loss reduction based on real-world data.

Mark Stacey, Vice President, Risk and Resilience Solutions at Dragos, highlighted the importance of understanding OT cybersecurity in business and financial terms: "For years, organisations have lacked the context needed to understand OT cyber risk in business and financial terms. This study fills that gap, linking real-world financial data with OT-specific security controls. It gives executives, risk managers, and insurers the shared language and framework they've been missing to prioritise, invest, and insure with confidence."

The report also examined persistent challenges organisations face in managing and insuring OT cyber risk. These include an undefined financial impact due to lack of quantifiable data, difficulties in measuring return on investment in OT security measures, and uncertainty in determining which controls should be prioritised.

By mapping the SANS ICS Five ICS Cybersecurity Critical Controls to observed outcomes in industry data and insurance claims, the report aims to provide a practical risk management framework. This is considered particularly urgent as OT-focused malware threats are on the rise and as regulatory requirements, such as the United States Securities and Exchange Commission's Form 8-K cyber incident disclosure rules, become more stringent for publicly listed companies.

Scott Stransky, Head of the Cyber Risk Intelligence Centre at Marsh McLennan, underscored the significance of translating the implementation of controls into measurable financial benefits: "This report offers new visibility into the financial modeling of OT risk and provides insurers and OT operators alike with the confidence to take action. By statistically linking controls to measurable risk reduction, organisations can better evaluate client readiness and make more accurate, risk-based coverage decisions."

The research indicates that organisations across industrial sectors - such as electricity, manufacturing, oil and gas, water, transportation, mining, and government - stand to benefit from adopting data-driven approaches to OT risk management and demonstrating the financial efficacy of their security investments. The findings are presented as a resource intended to bridge the information gap for boards, risk executives, and underwriters working to align OT cybersecurity planning with demonstrable financial outcomes in a landscape of evolving digital threats and regulatory obligations.


Techday NZ
5 days ago
OT cyber incidents could cost USD $329.5b, report warns
Dragos, in partnership with Marsh McLennan's Cyber Risk Intelligence Centre, has published the 2025 OT Security Financial Risk Report detailing the potential financial impact of operational technology (OT) cyber incidents and controls. The report estimates that global risk exposure associated with OT cyber incidents could reach USD $329.5 billion in extreme scenarios. Notably, 70% of OT-related breaches are shown to result in indirect financial losses, which are often omitted by conventional risk models.

Statistical modelling and financial impact

The study applied a decade of breach and insurance claims data, using tens of thousands of simulations to create what is described as the first statistical model correlating OT security controls with financial loss reduction. This analysis indicates that, in a severe yet plausible event occurring once every 250 years, global OT cyber losses could total USD $329.5 billion, with OT-related business interruption accounting for USD $172.4 billion of that figure.

Three OT security controls emerged as most correlated with risk reduction. Incident response planning could result in up to 18.5% average risk reduction, defendable architecture up to 17.09%, and ICS network visibility and monitoring up to 16.47%.

"Executives are increasingly accountable for managing cyber risks, but many still lack a clear line of sight into OT environments. The ability to quantify OT cyber risk and correlate it to potential financial losses is a game-changer. This report fills a critical gap by translating OT security into measurable financial risk and assessing controls aimed at mitigating that risk."

These were the words of Robert M. Lee, Chief Executive Officer and Co-founder at Dragos, commenting on the implications of the report for executives seeking actionable guidance.

Barriers to effective OT security

The report identifies three prominent challenges hindering effective OT cyber risk management. These include the absence of clear financial impact data related to OT incidents, difficulties in demonstrating return on investment for OT security controls, and a lack of independent benchmarks to prioritise OT controls.

"For years, organizations have lacked the context needed to understand OT cyber risk in business and financial terms. This study fills that gap - linking real-world financial data with OT-specific security controls. It gives executives, risk managers, and insurers the shared language and framework they've been missing to prioritize, invest, and insure with confidence."

This was noted by Mark Stacey, Vice President, Risk and Resilience Solutions at Dragos.

Regulatory pressures and industry standards

The publication of the report comes at a time of growing regulatory attention to OT security, including the introduction of rules such as the US SEC's 8-K cyber incident disclosure requirements. The analysis represents one of the first large-scale efforts to map the SANS ICS Five Critical Controls directly to risk reduction percentages, using real-world data.

By providing statistical links between specific controls and measurable risk reduction, the report aims to support both OT operators and insurers in evaluating organisational readiness and making risk-based coverage decisions.

"This report offers new visibility into the financial modeling of OT risk and provides insurers and OT operators alike with the confidence to take action. By statistically linking controls to measurable risk reduction, organizations can better evaluate client readiness and make more accurate, risk-based coverage decisions."

Scott Stransky, Head of the Cyber Risk Intelligence Centre at Marsh McLennan, explained how the framework may benefit both the insurance sector and OT security decision-makers.

The Dragos 2025 OT Security Financial Risk Report positions itself as a resource for risk executives, (re)insurers, and security leaders seeking quantifiable approaches to managing OT cyber risks and prioritising key security controls in accordance with current sector demands and regulatory frameworks.