5 days ago
OT cyber incidents may cost up to USD $329.5 billion globally
A new industry report has estimated that operational technology (OT) cyber incidents could result in global financial losses of up to USD $329.5 billion in the event of a severe but plausible scenario, with business interruption accounting for a significant proportion of the projected losses.
The study, conducted by Marsh McLennan's Cyber Risk Intelligence Centre, used a decade's worth of breach and insurance claims data to determine both the potential financial impact of OT cyber events and the OT security controls that most effectively reduce that risk.
The findings suggest that business leaders, insurers, and security professionals should focus on implementing measurable risk reduction strategies in industrial environments.
According to the report, indirect losses are a major concern, impacting up to 70% of OT-related breaches.
The study models worst-case scenarios in which the global financial risk from such incidents reaches as high as USD $329.5 billion, more than half of which - an estimated USD $172.4 billion - would result from business interruption.
Robert M. Lee, Chief Executive Officer and Co-founder of Dragos, commented on the findings: "Executives are increasingly accountable for managing cyber risks, but many still lack a clear line of sight into OT environments. The ability to quantify OT cyber risk and correlate it to potential financial losses is a game-changer. This report fills a critical gap by translating OT security into measurable financial risk and assessing controls aimed at mitigating that risk."
The key OT cybersecurity controls found to be most strongly correlated with risk reduction are incident response planning (up to 18.5% average risk reduction), defensible architecture (up to 17.09%), and ICS network visibility and monitoring (up to 16.47%).
The analysis leveraged tens of thousands of simulations, representing one of the first statistical attempts to connect specific OT controls with quantifiable financial loss reduction based on real-world data.
Mark Stacey, Vice President, Risk and Resilience Solutions at Dragos, highlighted the importance of understanding OT cybersecurity in business and financial terms: "For years, organisations have lacked the context needed to understand OT cyber risk in business and financial terms. This study fills that gap, linking real-world financial data with OT-specific security controls. It gives executives, risk managers, and insurers the shared language and framework they've been missing to prioritise, invest, and insure with confidence."
The report also examined persistent challenges organisations face in managing and insuring OT cyber risk.
These include an undefined financial impact due to lack of quantifiable data, difficulties in measuring return on investment in OT security measures, and uncertainty in determining which controls should be prioritised.
By mapping the SANS ICS Five ICS Cybersecurity Critical Controls to observed outcomes in industry data and insurance claims, the report aims to provide a practical risk management framework.
This is considered particularly urgent as OT-focused malware threats are on the rise and as regulatory requirements, such as the United States Securities and Exchange Commission's Form 8-K cyber incident disclosure rules, become more stringent for publicly listed companies.
Scott Stransky, Head of the Cyber Risk Intelligence Centre at Marsh McLennan, underscored the significance of translating the implementation of controls into measurable financial benefits: "This report offers new visibility into the financial modeling of OT risk and provides insurers and OT operators alike with the confidence to take action. By statistically linking controls to measurable risk reduction, organisations can better evaluate client readiness and make more accurate, risk-based coverage decisions."
The research indicates that organisations across industrial sectors - such as electricity, manufacturing, oil and gas, water, transportation, mining, and government - stand to benefit from adopting data-driven approaches to OT risk management and demonstrating the financial efficacy of their security investments.
The findings are presented as a resource intended to bridge the information gap for boards, risk executives, and underwriters working to align OT cybersecurity planning with demonstrable financial outcomes in a landscape of evolving digital threats and regulatory obligations.
