OT cyber incidents could cost USD $329.5b, report warns
Dragos, in partnership with Marsh McLennan's Cyber Risk Intelligence Centre, has published the 2025 OT Security Financial Risk Report detailing the potential financial impact of operational technology (OT) cyber incidents and controls.
The report estimates that global risk exposure associated with OT cyber incidents could reach USD $329.5 billion in extreme scenarios. Notably, 70% of OT-related breaches are shown to result in indirect financial losses, which are often omitted by conventional risk models.
Statistical modelling and financial impact
The study applied a decade of breach and insurance claims data, using tens of thousands of simulations to create what is described as the first statistical model correlating OT security controls with financial loss reduction. This analysis indicates that, in a severe yet plausible event occurring once every 250 years, global OT cyber losses could total USD $329.5 billion, with OT-related business interruption accounting for USD $172.4 billion of that figure.
Three OT security controls emerged as most correlated with risk reduction: incident response planning could result in up to 18.5% average risk reduction, defendable architecture up to 17.09%, and ICS network visibility and monitoring up to 16.47%.
"Executives are increasingly accountable for managing cyber risks, but many still lack a clear line of sight into OT environments. The ability to quantify OT cyber risk and correlate it to potential financial losses is a game-changer. This report fills a critical gap by translating OT security into measurable financial risk and assessing controls aimed at mitigating that risk."
These were the words of Robert M. Lee, Chief Executive Officer and Co-founder at Dragos, commenting on the implications of the report for executives seeking actionable guidance.
Barriers to effective OT security
The report identifies three prominent challenges hindering effective OT cyber risk management: the absence of clear financial impact data related to OT incidents, difficulties in demonstrating return on investment for OT security controls, and a lack of independent benchmarks for prioritising OT controls.
"For years, organizations have lacked the context needed to understand OT cyber risk in business and financial terms. This study fills that gap - linking real-world financial data with OT-specific security controls. It gives executives, risk managers, and insurers the shared language and framework they've been missing to prioritize, invest, and insure with confidence."
This was noted by Mark Stacey, Vice President, Risk and Resilience Solutions at Dragos.
Regulatory pressures and industry standards
The publication of the report comes at a time of growing regulatory attention to OT security, including the introduction of rules such as the US SEC's 8-K cyber incident disclosure requirements. The analysis represents one of the first large-scale efforts to map the SANS ICS Five Critical Controls directly to risk reduction percentages, using real-world data.
By providing statistical links between specific controls and measurable risk reduction, the report aims to support both OT operators and insurers in evaluating organisational readiness and making risk-based coverage decisions.
"This report offers new visibility into the financial modeling of OT risk and provides insurers and OT operators alike with the confidence to take action. By statistically linking controls to measurable risk reduction, organizations can better evaluate client readiness and make more accurate, risk-based coverage decisions."
Scott Stransky, Head of the Cyber Risk Intelligence Centre at Marsh McLennan, explained how the framework may benefit both the insurance sector and OT security decision-makers.
The Dragos 2025 OT Security Financial Risk Report positions itself as a resource for risk executives, (re)insurers, and security leaders seeking quantifiable approaches to managing OT cyber risks and prioritising key security controls in accordance with current sector demands and regulatory frameworks.