Industrial sector faces tougher cyber insurance landscape with escalating premiums, coverage gaps

Filing cyber insurance claims has become a tough journey for many industrial organizations, especially because more policies now exclude coverage for attacks linked to nation-states or ‘war-like’ incidents. Lloyd’s of London, for instance, required from March 2023 that standalone cyber policies written in its market exclude losses from state-backed attacks that significantly impair a state’s ability to function or its security capabilities. This leaves organizations in a difficult spot: proving (or disproving) that a cyberattack came from a nation-state is incredibly tough, and insurers have various grounds they can use to deny a payout. Even with a policy in hand, many firms could find themselves exposed when it matters most.

Insurance companies and underwriters have responded by getting stricter about which risks they are willing to take on in operational technology (OT) environments. Legacy equipment, patching gaps and limitations, availability demands, and safety constraints are increasingly built into underwriting models, pushing premiums higher, tightening renewals, and, in some cases, leading to outright refusal to insure risky environments. Insurers increasingly ask for asset inventories, software bills of materials (SBOMs), and complete risk profiles to understand their exposure, raising the bar for what organizations must share.

Some insurers are experimenting with incentives, supplying premium reductions for deploying OT-specific safeguards, including continuous monitoring, IT-OT segmented architectures, and structured patch programs. 

A Marsh McLennan study found that incident response planning in OT environments delivered an average risk reduction of 18.5%, which directly influences how policies are priced. The financial stakes are escalating. Global OT cyber risk exposure is projected to surpass $300 billion, with indirect losses accounting for nearly 70 percent of breach-related losses. Severe scenarios put potential OT cyber losses at $329.5 billion worldwide, driven by cascading disruptions across industrial ecosystems. Manufacturing alone accounts for about 15.6% of OT breaches, while North America and Europe face the highest incident rates.

Claims data underscore the challenge. Ransomware accounts for 81 percent of claims involving recovery costs, while business email compromise and funds transfer fraud together make up 60 percent of the most frequent cases. Average cyber insurance losses stand near $100,000 per claim, with crisis response services for small and mid-sized businesses averaging $111,000. Yet nearly a quarter of claims encounter exclusions or limitations that result in reduced or denied payouts.

For industrial clients, the outcome is clear: OT insurance claims are complex, time-consuming, and often contested. They require extensive forensic validation and are vulnerable to restrictive policy language, leaving coverage uncertain at precisely the moment organizations need it most.

Filing ICS cyber claims proves difficult amid exclusion clauses

Industrial Cyber spoke with insurance experts about the hurdles industrial organizations face when filing cyber insurance claims for ICS incidents, especially when exclusions like nation-state attribution are involved.

Gabe DiGiamberardino, vice president and client advisor in Marsh McLennan’s US cyber practice, told Industrial Cyber that in general, the energy and power utility sector has experienced a lower frequency of claims recently compared with other industrial industries. 

“At Marsh, we focus on negotiating coverage terms that will better prepare for potential future incidents. For clients relying on operational technology, key coverage issues include separating coverage for the infrastructure owned or operated by the client from exclusion against broader failures of critical infrastructure,” DiGiamberardino said. “For a cyber operation carried out by a nation-state, we emphasize clear definitions of how an exclusion is triggered to maintain coverage.” 

Regarding attribution, DiGiamberardino said it can be a critical element for resolving cyber claims. “Like other questions of fact, the insurer bears the responsibility to prove not only that a nation-state carried out the operation but also that its operation met the specific threshold for the defined act of war. Keeping those burdens of proof with the insurer benefits clients and reduces the burden on insureds.”

Daniel Carr, head of cyber at Ariel Re, told Industrial Cyber that when it comes to nation-state attribution, scrutiny is required, yet the bar toward specifically excluding coverage for such instances remains rather high indeed. “A more significant concern is the choice of policy, such that, if it isn’t tailored for the needs of ICS clients who face a greater risk of physical damage from cyberattacks, the terms of coverage may be incongruent from the outset.”

“Standard cyber policies often do not account for the physical-damage potential of ICS attacks. As a result, clauses that exclude ‘war-related’ incidents may overlook cases where state-linked malware destroys equipment or creates a threat to safety,” Carr added. “Overall, these challenges encourage ICS-exposed customers towards exploring more specialised cyber insurance products. These are available in the market but do require additional consideration over and above the more generally available product solutions.”

“Industrial cyber incidents are hampered more by a lack of ICS specialists than by insurance limits, since these systems differ greatly from standard IT networks,” Cameron Brown, head of cyber threat and risk analytics at Ariel Re, told Industrial Cyber. “Although insurance for industrial cyber risks is evolving, the urgent need is for experts who can accurately assess, contain, and remediate ICS-specific threats. Cyber response teams, often aligned with insurers and claims counsel, must cover many industries, technologies, and incident types, making true ICS expertise uncommon.”

Brown added that “Determining whether an attack originates from a nation-state actor is technically complex and often inconclusive. ICS environments lack the logging and forensic visibility of IT networks, making it hard to gather irrefutable evidence of state sponsorship.”

Attribution is one of the most significant hurdles, George Mawdsley, head of risk solutions at DeNexus, told Industrial Cyber. “If a cyber incident is suspected to involve state-linked actors, broad nation-state or war exclusions can be triggered, making claims contentious. Proving or disproving such attribution is complex, and in OT environments, the situation is made harder by limited logging in legacy systems and the need to avoid disrupting production during forensic investigations.”

Gerry Kennedy, CEO of Observatory Strategic Management, told Industrial Cyber that industrial organizations face denials not just from ‘act of war’ or nation-state exclusions but from “the fragmented and siloed nature of insurance policy structures themselves.”

“The insurance industry has long taught us the importance of the Risk Triangle, a framework for understanding exposures, events, and impacts,” Kennedy added. “But with ICS incidents, that triangle has flipped. Those who once measured risk are now the ones being measured by it. By failing to coordinate across lines of business, insurers may find that exclusions they relied on are not just toothless but potentially poisonous, inviting litigation, regulation, and reputational blowback.”

Underwriting models shift as insurers confront OT system risks

The executives address how insurers are adapting underwriting models to reflect the realities of OT environments, including legacy assets, availability requirements, and limited patchability. 

DiGiamberardino recognized that as the threat landscape becomes more complex, insurers are updating their underwriting models to better assess OT environments. “Key factors driving these changes include increased digitalization of industrial systems, which increases the attack surface, supply chain vulnerabilities, and evolving regulations.”

He added that insurers now seek more detailed information about the cybersecurity posture of OT environments, similar to what is typically gathered for IT systems. “They focus on aspects such as network segmentation between IT and OT, the use and protection of end-of-life systems, and measures for system availability and redundancy. This is especially important given the regulatory requirements and the potential financial penalties for non-compliance.”

Additionally, DiGiamberardino noted that insurers leverage threat intelligence, such as common attack vectors, active ransomware groups, and targeted regions, to inform their underwriting models and guidance.

“The market has made great strides over the last 5-10 years in recognising the differing risk profiles with OT and IT infrastructure and the risk posed to customers,” Carr said. “Increasingly specialist technical expertise is sought to evaluate the relative security profile of the OT environment, as well as the shared risk and overlap in threat profile across these environments. This can, in practice, significantly impact exposure as can the underlying business model of the organisation, which the OT-environment supports.”

He added that “More advanced models aim to assess how easily these assets can be reached, how critical they are to business operations, how appealing they are to attackers, and how difficult it would be to exploit them. By analysing real-world OT incident data covering root causes, response times, and loss magnitudes, insurers adjust underwriting parameters to more accurately predict frequency and severity of OT claims.”

“Insurers have had to develop inventories of legacy devices, categorising equipment age and noting idiosyncrasies,” Brown identified. “Since some are antiquated systems lacking modern security features, they face higher risk ratings or must pass rigorous condition checks, a bit like vulnerability scans, before coverage is approved.”

Noting that underwriters recognize that the nature of OT environments frequently prohibits standard patch management cycles, Brown said that they recalibrate patch cadence requirements. “Policies now routinely accept compensating security controls, such as granular ICS network segmentation, virtual patching through inline IPS/IDPS, or advanced anomaly-based monitoring, in lieu of mandating immediate firmware remediation.”

Mawdsley said that underwriters are shifting from purely IT-focused assessments to OT-aware frameworks. “They are engaging directly with plant engineers and OT managers to understand operational dependencies, maintenance schedules, and the constraints of patching equipment mid-production. Traditional cyber tools, such as outside-in scans, often add little value in well-segmented OT networks, where critical control systems aren’t internet-facing.”

Kennedy outlined that despite the explosive growth of digital interconnectivity in industrial systems, most insurers continue to rely on legacy underwriting logic. They lean on outdated business rules, static control checklists, such as whether multi-factor authentication is implemented, generic cyber risk indices, and rating matrices designed for IT rather than OT environments. In industries with heavy OT exposure, including energy, manufacturing, water utilities, and transportation, this ‘cookie-cutter approach’ quickly breaks down.

He also pointed out that most cyber claims are not denied on their merits but because the carrier never developed a subrogation or recovery plan before offering the coverage. In the OT space, this problem is even more pronounced. Most OT systems are built from third-party components, such as network cards, firmware, switches, SCADA devices, and sensors, which are often unpatched or not patchable. Vendors frequently avoid responsibility through end-user license agreements or vague warranty language. 

“If an ICS attack happens via a vulnerability in a vendor’s product, subrogation is possible but only if scoped before the binder is issued,” Kennedy observed, adding that “Underwriters don’t do this. Why? Because actuaries don’t know how.”

Kennedy flagged that actuarial tables for OT risk don’t exist in a meaningful way because most cyber actuaries come from traditional P&C backgrounds, lack domain experience in ICS architecture, firmware dependencies, control loop design, or fieldbus vulnerabilities, and don’t know how to assess ‘non-patchable risk’ as anything other than a black hole, so it gets thrown into the ‘Exclusion Dumpster.’ “This is the real underwriting failure: a lack of technical and legal foresight in developing subrogation pathways before issuing the policy.”

Do cyber insurers influence OT security decisions?

The executives look into whether cyber insurers shape OT decisions, such as network segmentation or recovery planning, during the underwriting process, and what the implications are for the organizations being insured.

Agreeing that cyber insurers do influence OT decisions to some extent, DiGiamberardino said that during the recent hard insurance market cycle, a few years ago, insurers applied stricter underwriting standards and scrutinized controls more closely. “This led to improvements in cybersecurity practices and incident preparedness among industrial clients.”

He added that even in the current, more competitive market, organizations that lack key cybersecurity controls often find it more difficult to obtain cyber coverage. “As awareness of cyber risks grows, organizations are increasingly recognizing the importance of investing in their OT environments and systems to meet insurer expectations and improve their overall security posture.”

Carr said that the cyber market has seen a marked uplift in its control requirements on insurance buyers over the past few years. “Overall, that has been applied on a more generalised basis with particular focus around identity and access management practices, notably multi-factor authentication and the use of monitoring solutions, such as endpoint detection and response. However, many of these generalised technology solutions are not always appropriate to OT environments or have limited capability. They help shore up secondary entry points but aren’t the primary defences that industrial environments demand.”

“Managing third-party vendor access has become a critical concern for ICS and OT environments,” Carr added. “Since many systems are built and serviced by external engineering firms, suppliers often require ongoing, remote access for maintenance and troubleshooting. Even with strict network segmentation, organizations must rigorously demonstrate how they govern third-party privileges, particularly remote connections, to demonstrate they effectively manage and oversee this risk.”

Brown identified that underwriters expect insureds to maintain robust recovery playbooks tailored to OT environments. “This extends to documenting disaster-recovery and business-continuity plans that address ICS failures, undertaking regular tabletop exercises that simulate cyber-physical disruptions, and defining recovery time objectives for essential controls and safety systems.” 

He added that proactive alignment with insurer recommendations can yield lower premiums, higher coverage limits, or broader policy terms. “Conversely, failure to implement recommended segmentation or recovery practices may lead to increased deductibles or coverage exclusions. In the end, decisions hinge on financial considerations and allocation of dedicated staff time and resources.”

“Many insurers now require clear network segmentation, documented recovery plans, and tested incident response procedures before offering cover,” according to Mawdsley. “While this can accelerate important security improvements, it can also put pressure on operational teams to deliver changes within tight renewal timelines.”

Kennedy noted that cyber underwriters are often the least equipped and least influential when it comes to OT systems, with resilience planning instead shaped by property carriers, boiler and machinery insurers, and general liability providers. Identifying an ‘Illusion of Coverage,’ he added: “We often think of insurance as a parachute. But in OT-centric businesses? It’s only a parachute if it opens and someone sewed it together correctly across all departments. Most insureds won’t know until they’re falling.”

Assessing insurer scrutiny of OT systems

The executives examine how much visibility insurers are demanding into OT systems, including asset inventories, SBOMs, and risk profiles. They also explore how industrial clients navigate these data-sharing expectations.

DiGiamberardino assessed that insurers are requesting many of the same types of information for OT systems as they do for IT environments. “This includes details on network segmentation, remote access capabilities, and the controls in place to manage and restrict access. They also seek an up-to-date inventory of OT assets, information on end-of-life systems, and any segmentation or safeguards to prevent exploitation of outdated equipment.”

“Given the breadth of information requested, it’s important for organizations to start the insurance renewal process early, allowing sufficient time to gather the necessary data—especially if follow-up questions arise,” he added. “While collecting this information requires effort, organizations recognize that sharing comprehensive details is essential for insurers to accurately assess the attack surface and existing security controls.”

Carr observed that currently, there is not a significant push for intrusive visibility into the systems of OT clients. “The same also largely applies to IT systems. Whilst this may be desirable longer term, it can bring additional risk and regulatory considerations without necessarily the uniform understanding of the relative benefit. Most of the focus remains on the business itself, its dependency on its technologies and assets, and the more generalised risk profile presented by technology use and its operations.” 

That said, he noted that more specialist and focused OT/ICS-related cyber insurance products do have increased visibility requirements, but these are still largely focused on demonstrating the maturity of risk management processes and high-level data on controls and architecture.

“Some insurers require formal risk assessments mapped to frameworks such as ISA/IEC 62443 or NIST SP 800-82,” Brown said. “Clients need to provide details about network segmentation architecture, patch-management cadence, or alternatively compensating controls in place, MFA use, logging/monitoring coverage, and incident response plans. Similarly, SBOMs, which list every software module, library, and patch level in use, help insurers identify exploitable dependencies and estimate the speed at which a client can respond to newly disclosed vulnerabilities.”
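As an added illustration (not code from the article or from any of the firms quoted), the script below shows the kind of check an insurer's assessor or an insured's OT team can run over a CycloneDX-style SBOM: it matches each component against an advisory feed and, picking up the point made earlier on this page about non-patchable OT assets and compensating controls, separates findings that can go into the next maintenance window from those that need a compensating control instead. The SBOM document, the advisory list, the placeholder advisory identifiers (not real CVE numbers) and the custom `patchable` component property are all constructed for the example.

```python
"""Match a CycloneDX-style SBOM against an advisory feed and classify each
exploitable dependency as patchable or as needing a compensating control."""
import json
import re
from collections import Counter
from dataclasses import dataclass

# Constructed SBOM in the CycloneDX JSON layout. The components, versions and
# the custom "patchable" property are illustrative, not taken from any device.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "firmware", "name": "plc-runtime", "version": "2.3.1",
     "properties": [{"name": "patchable", "value": "false"}]},
    {"type": "library", "name": "modbus-stack", "version": "1.8.0",
     "properties": [{"name": "patchable", "value": "true"}]},
    {"type": "library", "name": "tls-lib", "version": "3.0.2",
     "properties": [{"name": "patchable", "value": "true"}]},
    {"type": "application", "name": "hmi-server", "version": "5.1.0"}
  ]
}"""

# Constructed advisory feed: a component is affected when its installed
# version is older than "affected_below". The IDs are placeholders.
ADVISORIES = [
    {"id": "ADV-0001", "name": "modbus-stack", "affected_below": "1.9.0", "severity": "high"},
    {"id": "ADV-0002", "name": "plc-runtime", "affected_below": "2.4.0", "severity": "critical"},
    {"id": "ADV-0003", "name": "tls-lib", "affected_below": "3.0.1", "severity": "medium"},
]


@dataclass
class Finding:
    advisory: str
    component: str
    version: str
    severity: str
    action: str  # "patch" or "compensating-control"


def parse_version(text):
    """'2.3.1' -> (2, 3, 1). Parsing stops at the first non-numeric segment."""
    parts = []
    for seg in text.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(installed, fixed_in):
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def load_components(sbom_text):
    """Pull name, version and the patchable flag out of a CycloneDX document."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    components = []
    for comp in bom.get("components", []):
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        components.append({
            "name": comp["name"],
            "version": comp["version"],
            # A component that says nothing about patchability is assumed patchable.
            "patchable": props.get("patchable", "true").lower() == "true",
        })
    return components


def assess(sbom_text, advisories):
    """Return one Finding per (component, advisory) pair that applies."""
    findings = []
    for comp in load_components(sbom_text):
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if not is_affected(comp["version"], adv["affected_below"]):
                continue
            # Non-patchable assets cannot wait for firmware remediation; they
            # need segmentation, virtual patching or monitoring instead.
            action = "patch" if comp["patchable"] else "compensating-control"
            findings.append(Finding(adv["id"], comp["name"], comp["version"],
                                    adv["severity"], action))
    return findings


def summarize(findings):
    """Count findings by required action, e.g. {'patch': 1, 'compensating-control': 1}."""
    return dict(Counter(f.action for f in findings))


if __name__ == "__main__":
    results = assess(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f.advisory}: {f.component} {f.version} [{f.severity}] -> {f.action}")
    print(summarize(results))
```

On the constructed input, the Modbus library is flagged for the next patch window, the PLC runtime is flagged as needing a compensating control because the SBOM marks it non-patchable, and the TLS library is already past the fixed version, so it produces no finding. The same split is what an underwriter would want to see documented: which exposures close on a schedule and which are covered by segmentation or monitoring instead.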

He added that the need for visibility needs to be carefully balanced with legal safeguards, such that industrial organizations can satisfy insurer requirements without compromising proprietary data or operational stability. “If insurers or their assessors conduct active scans or vulnerability tests, a misconfigured probe could disrupt OT processes. Legal agreements should clearly articulate liability for any operational interruption arising from security audits of this nature.” 

In the same vein, Brown mentioned that SBOMs and network maps often contain proprietary system designs and trade secrets, and clients should consider implementing robust confidentiality agreements, limiting use of this data for underwriting and claim evaluation purposes only.

Mawdsley identified that the demand for deeper visibility into OT environments is on the rise. “While tools such as asset inventories, OT-specific risk assessments, and software bills of materials can be highly valuable in underwriting industrial cyber risk, most insurers do not yet request them routinely – and many would find it challenging to interpret and act on the data.” 

On the client side, he added that operators are often cautious about releasing sensitive operational information, preferring to share high-level summaries, redact certain details, or channel data through brokers and independent assessors. In today’s softening market, competitive dynamics can work in the insured’s favour, with some carriers relaxing data requirements to secure or retain business, particularly at renewal when relationships are already established.

Kennedy flags that by demanding increasing levels of visibility into the insured’s systems without possessing the technical or legal competency to interpret or act upon that information, insurers are doing more than creating friction. “They’re undermining the very insurable interest they are contracted to protect. If a carrier gains detailed visibility, accepts premium, and then denies coverage based on information it had pre-loss, it opens itself up to bad faith litigation, claims of constructive waiver, subrogation missteps, and regulatory scrutiny for deceptive or unfair practices.”

Noting that, bottom line, visibility is not impunity, Kennedy added that insurers want a front-row seat but not the accountability of being in the play, yet they love to take credit for a save; “Fails … Not So Much!”

He added that the visibility insurers demand into OT environments is not matched by organizational or operational readiness. Without cross-disciplinary underwriters trained in both IT and OT realities, legal frameworks that account for knowledge sharing and complicity, and brokers that can translate risk into regulatory and technical language, Kennedy underscored that the entire insurance relationship becomes an illusion of risk management, not its reality.

Cyber insurance policies reflect resilience and compliance standards

The executives move on to how resilience metrics, like containment ability, recovery time, or compliance with standards such as IEC 62443, impact coverage, pricing, and policy renewals.

DiGiamberardino said that generally, organizations that can demonstrate strong containment capabilities and quick recovery times instill greater confidence in underwriters. This often leads to more favorable coverage terms and pricing. Being well-prepared and able to respond swiftly to incidents reduces both the likelihood and potential severity of losses.

He added that Dragos and Marsh recently published the 2025 OT Security Financial Risk Report, which used available historical claims data to model how various controls reduce the likelihood and severity of financial loss, mapping them against the SANS Institute’s 5 Critical Controls for ICS Cybersecurity. It shows that items such as a robust and tested incident response plan, defensible architecture, and network visibility and monitoring can all have a material positive impact.

Carr recognized that the impact of resilience metrics will vary by insurer and by the specificity of the product being purchased. “More specialised OT/ICS products will be increasingly weighted toward such factors, whereas broader policies tend to put less emphasis on them. In terms of the latter, you must balance the lower emphasis on these metrics against the scope of coverage and the expertise of the vendors supporting the product proposition.”

“Insurers love solid resilience metrics because they let them nail down OT risks more accurately. If you’ve got a tried-and-true recovery playbook that cuts downtime, you could receive premium discounts tied to your recovery performance,” Brown said. “Locking down your network with segmented zones and automated isolation of compromised equipment also opens the door to higher coverage limits and broader endorsements for physical damage and business interruption. The bottom line is sticking to strict compliance standards is the best way to make sure your insurance costs actually match the real risk you’ve reduced.”

Mawdsley said that resilience measures are increasingly tied to premium levels and coverage terms. “Strong performance – such as quick containment, short recovery times, and compliance with recognised standards – can secure broader cover and more favourable pricing. Weak metrics, by contrast, may lead to higher deductibles, narrower cover, or additional policy exclusions.”

When insurers say they care about resilience, Kennedy said that they point to metrics like containment ability (Can you isolate the infection?); recovery time (How quickly can you reboot operations?); and compliance with standards like IEC 62443, NIST, or ISA-99. “But here’s the truth: Resilience is as abstract a concept as ‘cyber’ or ‘security.’ It’s marketing-speak until a dollar figure lands on a loss run.”

“True resilience is not measurable by checklists, frameworks, or compliance audits; it’s measurable by how much an organization can absorb and recover in dollar terms, not jargon,” according to Kennedy. “Until insurers demand pre-loss forensic-level clarity, understand OT risk interdependency, and integrate loss modeling into underwriting, not just post-loss litigation,…then ‘resilience metrics’ are just fancy words slapped on spreadsheets with no actuarial value.”

Insurers test incentives for OT security controls

Lastly, the executives focus on whether insurers are using policies to incentivize OT-specific security controls like monitoring, segmentation, patch governance, and how industrial organizations are responding. 

“Yes, some insurers offer credits and additional services to organizations that invest in loss control and cybersecurity improvements,” DiGiamberardino said. “These incentives encourage organizations to implement stronger security controls, such as monitoring, patch management, or conducting table-top exercises. This approach benefits both insurers—by reducing risk—and organizations—by enhancing their security posture and potentially lowering costs.”

Carr said that some niche policies are already doing this, but it isn’t yet widespread. “As industrial organizations become more aware of their risks and push for greater capacity, and as they look for ways to stand out from competitors vying for the same limits, it is expected that this will become a much bigger part of the market going forward.”

“Some industrial players are getting ahead of the curve by setting up dedicated OT security teams made up of control engineers, IT security boffins, and risk managers,” Brown said. “They’re giving these units the tools they need to manage patch-governance platforms that schedule firmware updates during planned maintenance windows and provide compensation-control dashboards for insurers. To power it all, they’re rolling out ICS-focused monitoring solutions that speak the language of industrial protocols and can spot anomalies unique to the OT process.”

“Yes – and the practice is becoming increasingly common. Insurers are offering incentives such as premium reductions, higher limits for ICS-related losses, and the inclusion of property damage cover to encourage the adoption of OT-specific security measures,” Mawdsley identified. “Well-resourced organisations often incorporate these requirements into broader modernisation programmes, while smaller operators typically focus on meeting only the minimum standards needed to obtain coverage.”

Identifying that ‘incentives’ in the cyber/OT insurance world are not incentives at all, Kennedy said that “they are tactical illusions wrapped in marketing language, deployed to mask an increasingly adversarial underwriting environment.”

He recognizes that insurers are performing the insurance version of a carnival sideshow by flashing ‘discounts’ that are rarely actuarially significant, offering ‘preferred underwriting’ that is temporary and retractable, and making vague promises of future favorability with no enforceable guarantees. “The illusion of incentive is a risk-shifting mechanism. It creates the appearance of partnership but masks a structure built to minimize insurer liability post-event, but in these OT scenarios, it is doing the exact opposite…it’s called complicity!”

“The supposed ‘incentives’ offered by insurers for OT-specific controls are nothing more than risk deflection mechanisms disguised as collaboration,” Kennedy added. “If you’re in a bar fight, and everyone’s blindfolded, the ones being told they’re getting ‘rewards’ are really just getting lined up for the next hit. So, ask not what your insurer is incentivizing. Ask – what are they really underwriting? What will they actually pay for?; And, who’s going to get poked in the eye when the lights come on?” he concluded.
