Cyber Insurance for Manufacturing 2026: The OT/ICS Coverage Gaps

Cyber insurance for manufacturing operations in 2026 is broken — and most manufacturers don't discover the gaps until a claim is denied. Standard cyber liability policies were designed for data breaches in IT environments, not for the destruction of industrial control systems; in Q3 2025 alone, OT (Operational Technology — the hardware and software that directly controls physical industrial processes) cyber incidents caused an estimated $329.5 billion in losses globally, yet the vast majority of that exposure sits in coverage gaps that most brokers don't flag at renewal. This guide maps exactly which exclusions trap manufacturers, how to build a four-layer policy stack that actually responds when a PLC gets hit, and which insurers have built genuine OT/ICS products for 2026.

// 01 Cyber Insurance for Manufacturing: Why Standard Policies Were Never Built for OT

Standard cyber liability insurance was designed around a narrow threat model: a hacker steals data, breach notification laws trigger, the insured pays for legal defense and credit monitoring. That model maps to IT — servers, endpoints, cloud workloads, email systems. It does not map to OT/ICS environments, which include:

• SCADA (Supervisory Control and Data Acquisition) — software that monitors and controls physical industrial processes across a facility or plant floor
• DCS (Distributed Control Systems) — real-time control platforms for complex continuous manufacturing processes such as chemical production or food processing
• PLCs (Programmable Logic Controllers) — ruggedized hardware controllers that directly operate motors, valves, pumps, conveyor belts, and production machinery
• HMIs (Human-Machine Interfaces) — operator workstations that allow engineers and technicians to interact with SCADA, DCS, and PLCs
• SIS (Safety Instrumented Systems) — dedicated safety controllers that trigger automated shutdowns to prevent catastrophic accidents when process limits are breached

When ransomware encrypts a file server, you restore from backup and resume operations within hours. When ransomware corrupts a PLC's firmware or overwrites a SCADA historian's process database, recovery is a weeks-to-months undertaking requiring scheduled production downtime, vendor engineers on-site, and in some cases, hardware replacement. Standard policy language — short waiting periods, "restore from backup" restoration clauses, IT-centric business interruption definitions — was not written for this operational reality.

The mismatch is measurable: 252 manufacturing ransomware incidents occurred in Q3 2025 alone, a 26% surge year-over-year, yet the manufacturing cyber liability insurance policies most of these facilities hold systematically fail to cover where the losses actually land. Manufacturing now accounts for 51% of all business interruption costs in ransomware claims, per Munich Re's 2025 analysis.

For context on the scale of OT threats that manufacturing facilities face, see our coverage of exposed VNC servers in ICS/OT environments — a common initial access vector that standard cyber policies often don't address.

// 02 Silent Cyber: How Manufacturers Lost Coverage Without Knowing It

Before 2020, many manufacturers had an accidental safety net. Property insurance policies were written for physical damage events and did not explicitly address cyberattacks — they neither included nor excluded them. This ambiguity, known as "silent cyber" or "non-affirmative cyber," meant that a cyberattack causing a production line fire or destroying equipment through PLC manipulation might trigger a property claim even though the property insurer never intended (or priced for) that outcome.

Lloyd's of London mandated an end to silent cyber beginning January 1, 2020: all syndicate policies must explicitly state whether cyber events are covered or excluded — no ambiguity permitted. The practical effect for manufacturers was severe. Property insurers who had not priced cyber exposure responded by adding blanket cyber exclusions. The accidental coverage disappeared.

By January 1, 2025, Lloyd's tightened requirements further via Market Bulletin Y5433: updated LMA (Lloyd's Market Association) model clauses became mandatory, with Type 7 and non-compliant clause types prohibited. Manufacturers who assumed their property policies "caught" cyber-physical losses now face explicit exclusions on both their cyber policy (never built for OT) and their property policy (now actively excludes cyber causes).

DeNexus estimates the resulting OT protection gap at over $1 trillion in uninsured OT cyber exposure globally — a figure that grows each quarter as OT attack frequency increases.

// 03 The Six Exclusions That Catch Manufacturers Off Guard

1. Property Damage and Bodily Injury Exclusions

The most consequential gap: standard cyber policies exclude liability for physical property damage and bodily injury caused by a cyber event. A cyberattack that burns out a $2 million motor through PLC manipulation, causes a safety system failure that injures a worker, or releases a contaminated product batch does not trigger the standard cyber policy. The cyber policy says "not a covered loss type"; the property or GL policy says "excluded — cyber cause." The claim falls between policies entirely.

Gallagher's research confirms that a bespoke market has emerged to fill this gap affirmatively — but accessing it requires deliberate policy stacking, not standard renewal.

2. OT System Definition Gap

Many cyber policies define "computer systems" to cover servers, endpoints, and cloud workloads — and stop there. If the policy definition does not explicitly list SCADA, DCS, PLCs, HMIs, and embedded industrial controllers as covered systems, then business interruption caused by their compromise is not a covered BI event. A manufacturing facility's biggest cyber risk sits in assets the policy doesn't acknowledge.

Beazley is a notable exception: their manufacturing cyber policy explicitly lists ICS, PLCs, and SCADA within the computer system definition. Most other carriers require a specific endorsement to achieve the same scope.

3. War and Nation-State Exclusions

Following the Lloyd's 2025 mandate, all syndicate cyber policies must exclude losses from state-backed cyberattacks causing "widespread impairment of a state's critical functions or infrastructure." Manufacturing is increasingly treated as quasi-critical infrastructure — and industrial attacks are disproportionately attributed to nation-state or state-affiliated actors (VOLT TYPHOON targeting US manufacturing OT; SANDWORM operating INDUSTROYER malware; TRITON/TRISIS targeting safety instrumented systems).

The stakes of attribution disputes became concrete when Merck pursued a $1.4 billion insurance claim after NotPetya — ransomware attributed to Russian military intelligence (GRU) — destroyed 40,000+ computers and disrupted global pharmaceutical production in 2017. Insurers initially denied the claim using war exclusion language. New Jersey courts ruled in Merck's favor on the specific clause wording then in use. Merck and its insurers settled confidentially in January 2024, days before New Jersey Supreme Court oral arguments — but the industry response was to draft tighter, explicitly broader exclusion language that would likely produce a different outcome today.

4. Contingent Business Interruption Restrictions

CBI (Contingent Business Interruption) coverage pays when a manufacturer's operations halt because a third-party supplier — not the manufacturer itself — suffers a cyber incident that disrupts component delivery or shared digital services. With manufacturing supply chains increasingly digitized and Tier-1 supplier OT systems often directly integrated into production scheduling, CBI exposure is substantial.

The market is moving in the wrong direction for buyers. Munich Re's 2025 cyber trends data shows CBI events from supplier compromises jumped from 6% to 15% of large claim values between 2024 and H1 2025 — precisely as insurers are eliminating or sublimiting this coverage from standard policy forms.

5. Ordinary Payroll Elimination

Standard policy language is increasingly stripping "ordinary payroll" — the cost of keeping your production workforce paid during a shutdown — as a default inclusion. Manufacturers with hundreds or thousands of hourly production workers face significant payroll exposure during OT outages that can last weeks. This coverage is now commonly treated as a sublimited add-on requiring specific endorsement, not a baseline inclusion.

6. Minimum Security Baseline Exclusions

Insurers are applying minimum-security baseline exclusions more aggressively in 2025–2026, denying claims where the insured lacked documented controls at the time of loss: missing MFA (Multi-Factor Authentication) on remote access, unpatched internet-facing systems, or absent OT-specific incident response plans. Manufacturing environments with legacy PLCs that cannot accept firmware patches face particular exposure. Industrial Cyber reports that underwriters now accept compensating controls — virtual patching via inline IPS/IDPS, OT anomaly detection monitoring — in lieu of mandatory firmware updates, but those controls must be formally documented in the underwriting file.

// 04 When Policies Failed: Three OT Incidents That Define the Gap

Merck / NotPetya (2017 attack, settled January 2024): $1.4 billion claim. War exclusion invoked. Courts sided with Merck on the specific clause wording in use at the time. Modern clauses — revised after this case — are broader and would likely produce a different outcome.

Norsk Hydro / LockerGoga (March 2019): LockerGoga ransomware forced Norsk Hydro, one of the world's largest aluminum producers, to halt production at multiple plants globally. Disclosed financial impact: $60–70 million. The incident became an industry reference case for OT insurance complexity: coverage was partial, recovery timelines were incompatible with standard policy waiting periods, and forensic proof requirements for OT evidence delayed reimbursement.

Jaguar Land Rover (Q3 2025): A cyber incident caused production stoppages at JLR facilities in Solihull, Halewood, and Wolverhampton for approximately six weeks. DeNexus's Q3 2025 analysis documents the reported UK financial impact at £1.9 billion and notes that over 5,000 organizations in the JLR supply chain were affected. Policy response details were not publicly disclosed — which is itself instructive. Coverage disputes for OT incidents of this scale are settled privately, without the precedent-setting litigation that defined the Merck case.

// 05 How to Build a Four-Layer Manufacturing Cyber Insurance Stack

Gallagher's cyber-physical risk research, Woodruff Sawyer's cyber vs. property analysis, and ABA guidance on five issues to watch in cyber insurance for 2025 all converge on the same structural requirement: eliminating OT/ICS coverage gaps requires coordinated purchasing across four policy lines. No single policy — not even the most OT-forward standalone cyber product — covers the full exposure.

Layer 1 — Standalone Cyber Policy with Affirmative OT Coverage

The baseline layer. Ensure the policy's "computer systems" definition explicitly includes SCADA, DCS, PLCs, HMIs, and SIS. Confirm affirmative grants for:

• OT business interruption, with extended waiting periods that accommodate industrial system recovery timelines
• Ransomware/extortion response costs including OT-specific ransom negotiation
• Forensic investigation of ICS/SCADA incidents
• OT data and system restoration (verify recovery timelines are realistic for your production environment)

Reject any policy that defines computer systems solely in terms of servers, endpoints, and cloud workloads. The OT system definition gap is where most manufacturing cyber liability insurance policies fail on first review.

Layer 2 — Property Policy with Cyber Endorsement (CZ Coverage)

A property insurance policy with an affirmative cyber extension — sometimes called "CZ Coverage" — specifically covers cyber-triggered physical equipment damage and the resulting business interruption. This layer responds when a cyberattack destroys physical hardware, forces a facility shutdown due to safety system failure, or causes product contamination requiring a recall. This is the layer that fills the silent cyber gap that Lloyd's elimination created.

Layer 3 — General Liability with Cyber BI/PD Grant

Your GL (General Liability) policy must explicitly grant — not exclude — bodily injury and property damage caused by cyber events. This layer is critical for third-party product liability: a compromised safety instrumented system causes a worker injury; a manipulated batching process releases a contaminated product to customers; a cyber event at your facility causes downstream damage to a customer's production line. Verify the GL policy form has no cyber exclusion or carve-out.

Layer 4 — Contingent Business Interruption / Supply Chain Endorsement

A dedicated CBI endorsement or standalone supply chain cyber policy covers revenue loss when a named Tier-1 supplier's OT or IT systems are compromised, halting component delivery. Given that CBI events now represent 15% of large claim values and are being actively eliminated from standard forms, this layer requires explicit procurement — it will not appear by default in your renewal.

Understanding the full financial exposure that comes before you build this stack is essential — our analysis of the true cost of a ransomware attack in 2026 covers the complete financial anatomy of a manufacturing ransomware incident, including costs that fall in coverage gaps.

// 06 Named Insurers: Who Has Real OT/ICS Manufacturing Coverage in 2026

Not all cyber insurers are equal on OT/ICS. These are the carriers with documented manufacturing-sector products or explicit OT coverage frameworks:

Beazley is the most OT-specific carrier in the market. Their manufacturing cyber policy explicitly lists ICS, PLCs, and SCADA in the computer system definition. Beazley offers a dedicated Manufacturing Endorsement and an OT Supplemental Application for accounts under $250M revenue. Marsh and Beazley jointly offer "Manufacturers First Response" — a product built specifically for industrial facilities. Their Full Spectrum Cyber policy (BBR) was updated July 1, 2025 with both admitted and surplus lines paper. Note: In March 2026, Zurich Insurance Group made an agreed £8.1 billion offer to acquire Beazley — if approved, the combined entity would be the dominant force in global manufacturing cyber coverage.

Munich Re explicitly underwrites physical damage from cyberattacks and has published the most thorough insurer-level research on OT/ICS cyber-physical risk. Their 2026 cyber risk outlook directly addresses manufacturing sector exposure. Munich Re works with specialist brokers to structure bespoke programs for large industrial accounts where off-the-shelf policy forms are inadequate.

Zurich Insurance differentiates on pre-loss risk engineering: gap analysis, strategic OT security roadmaps, ransomware threat assessments conducted before policy binding. Their philosophy is reducing OT cyber risk at source rather than pricing for it reactively. For manufacturers willing to invest in security improvements, Zurich's engineering-led approach can produce both better coverage terms and better security outcomes.

AIG introduced AI-enhanced cyber underwriting in 2025 that evaluates 700+ cybersecurity variables to price OT/ICS exposure with more granularity than manual underwriting. For manufacturers with demonstrable OT security controls — documented segmentation, OT monitoring tools, tested IR plans — AIG's model translates those controls into competitive pricing more precisely than carriers using blunter methodologies.

Chubb offers a cyber resilience platform targeting smaller manufacturers (sub-$50M revenue) and launched healthcare-specific cyber products in September 2025. Their OT-specific manufacturing endorsement language is less publicly documented than Beazley's, but their admitted paper reach and distribution breadth make them relevant for mid-market accounts.

For a benchmark comparison of how cyber insurance products are structured across industries, see our guide to best cyber insurance for SaaS startups in 2026 — the contrast between IT-centric and OT-centric product requirements is instructive.

// 07 Premium Benchmarks for Manufacturers in 2026

The industrial cyber insurance market is repricing upward after two years of softening rates. S&P Global forecasts a 15–20% premium increase in 2026, driven by rising claims severity, manufacturing ransomware frequency, and AI-enhanced attack capabilities. Global cyber premiums are projected to reach $23 billion in 2026.

Approximate premium ranges for standalone cyber policies only (Layer 1 — OT-affirmative):

These figures increase significantly for facilities with high OT exposure, prior incidents, or inadequate IT/OT segmentation. The inverse is also true: Industrial Cyber's 2025 broker survey documents 15–25% premium reductions for manufacturers with documented, verifiable IT/OT network segmentation — verified by an insurer's risk engineering team at application stage.

A complete four-layer stack (Layers 1–4 above) will cost materially more than the standalone cyber premium alone — but it is the only structure that eliminates the gaps described in this guide. Treat the savings from not buying Layers 2–4 as uninsured self-retention, not as cost avoidance.

// 08 12 Underwriting Questions to Prepare For

OT/ICS cyber underwriting requires input from plant engineers and OT managers, not just IT security teams. Prepare documentation for all twelve before submitting an application:

• IT/OT network segmentation — Is documented, verifiable segmentation between IT and OT networks in place? Aon's 2025 industrial assessment found 36.65% of clients were flagged for insufficient segmentation. Proven microsegmentation is the single largest premium discount trigger.
• OT asset inventory — Complete, current inventory of all PLCs, HMIs, SCADA systems, DCS, and embedded industrial controllers, with firmware versions and vendor support status.
• OT patch management policy — Patching cadence for OT systems; list of unpatchable legacy systems with documented compensating controls for each.
• Remote access controls — How remote access to OT environments is controlled (VPN architecture, jump servers, MFA enforcement for OT remote sessions).
• OT-specific incident response plan — A tested IR plan separate from the IT IR plan; must have been exercised (tabletop or live) within the past 12 months.
• Third-party/vendor OT access — How system integrators, OEM vendors, and maintenance contractors access OT systems, and how those sessions are logged and controlled.
• OT security monitoring — Whether OT-specific anomaly detection is deployed — Claroty, Dragos, Nozomi Networks, or equivalent — providing asset visibility and behavioral baselining.
• Recovery time objectives for OT — Documented RTOs for each critical production line; whether manual fallback operation is feasible during a SCADA outage.
• Historical OT incidents — Full disclosure of prior OT/ICS cyber incidents or confirmed near-misses within the past three to five years.
• Financial impact modeling — Quantified revenue loss per hour and per day for each critical production line. Insurers increasingly require this financial modeling rather than compliance checklists.
• Safety system independence — Whether Safety Instrumented Systems (SIS) are physically and logically isolated from process control networks and business IT.
• Supply chain cyber risk — What cyber risk assessments have been conducted on Tier-1 OT component suppliers and system integrators with direct digital connections to your environment.

Underwriters at Beazley, Munich Re, and AIG now engage directly with plant engineers during large account underwriting — not just CISO-level presentations. Industrial facilities that can produce this documentation quickly and completely receive materially better terms.

// 09 2026 Regulatory Pressures That Affect Your Coverage Position

CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act): CISA pushed its finalization deadline from October 2025 to May 2026 due to the volume of public comments received. When final rules take effect, covered entities in the "critical manufacturing" sector must report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours. Mandatory reporting creates a documented, government-held incident record that insurers will reference at underwriting renewal and can request during claims assessment.

SEC Cybersecurity Disclosure Rules: Publicly traded manufacturers must disclose material cyber incidents within four business days under Rule S-K 106 (effective December 2023). The SEC's 2026 examination priorities have elevated cybersecurity and AI above cryptocurrency as the dominant risk supervision topics.

NIS2 Directive (EU): Effective October 2024, European manufacturing operations designated as "essential" or "important" entities face mandatory OT cybersecurity control implementation and incident reporting obligations. NIS2 compliance is now treated as a baseline underwriting requirement for European manufacturing cyber policies.

Each of these frameworks creates a compliance obligation and an insurance implication in parallel: mandatory incident reporting becomes potential claims evidence, and documented control deficiencies revealed in a regulatory filing become underwriting red flags at the next renewal cycle. The regulatory and insurance landscapes for OT cybersecurity are converging — what you report to CISA will eventually reach your underwriter.

For broader context on the industrial cybercrime environment driving both the regulatory and insurance response, see our analysis of AI-accelerated industrial cybercrime in 2026.

// 10 Conclusion

Cyber insurance for manufacturing in 2026 cannot be treated as a standard IT budget renewal. The combination of silent cyber elimination from property policies, explicit bodily injury and property damage exclusions in cyber policies, tightening CBI language, and nation-state attribution clauses means that a typical manufacturer's cyber policy responds to a fraction of actual OT/ICS incident costs. The $329.5 billion in OT-related losses in Q3 2025 — and the Merck, Norsk Hydro, and Jaguar Land Rover cases — demonstrate what's at stake and how coverage disputes unfold.

The correct approach is a coordinated four-layer policy stack — standalone cyber with affirmative OT definitions, property with cyber endorsement, GL with explicit cyber BI/PD grants, and CBI/supply chain coverage — structured with a broker who specializes in industrial accounts. Request OT supplemental applications from Beazley and Munich Re as starting points; their published frameworks define the benchmark for what comprehensive manufacturing cyber liability insurance actually requires.

Subscribe to our weekly threat digest for ongoing coverage of OT/ICS incidents, insurance market developments, and industrial security advisories →