Cyber Insurance for OT: What Underwriters Want to See

August 15, 2025 | 9 min read | By Beacon Security Team

The Hardening Market for OT Insurance

The cyber insurance market's rapid evolution in recent years has been driven substantially by losses in industrial and OT environments. Colonial Pipeline, the meat processing attacks, and a wave of manufacturing sector ransomware incidents demonstrated to underwriters that OT exposure was significantly larger than their models had assumed.

The response was predictable: premiums rose sharply, coverage limits tightened, exclusions multiplied, and the questionnaires that underwriters use to assess risk became dramatically more detailed about operational technology. Organizations that were able to purchase broad cyber coverage with minimal OT-specific questions in 2019 now face lengthy supplemental questionnaires asking specific questions about PLC authentication, SCADA network segmentation, OT monitoring capabilities, and incident response planning for industrial environments.

For OT-heavy organizations — energy companies, oil and gas operators, manufacturers, chemical producers — cyber insurance renewal has become a substantive exercise in demonstrating OT security posture. Understanding what underwriters are actually looking for is no longer optional.

How Underwriters Think About OT Risk

The fundamental underwriting concern in OT environments is twofold: frequency (how likely is an incident?) and severity (if an incident occurs, how much will it cost?).

In OT environments, the severity concern dominates. A ransomware incident at a large petrochemical refinery that forces a production shutdown can generate losses that dwarf anything achievable by encrypting file servers. Lost production revenue, decontamination costs, regulatory response costs, potential environmental liability, and the complexity of restoring certified OT configurations all contribute to loss scenarios that can reach tens or hundreds of millions of dollars.

Underwriters have also become aware of accumulation risk: if multiple industrial facilities from different policyholders are targeted by the same attack campaign — as they might be if a widely deployed OT platform has a critical vulnerability exploited at scale — the industry's combined exposure could be enormous. This concentration risk shapes how underwriters approach sector-wide exposures in energy, utilities, and manufacturing.

What the Questionnaire Actually Asks

OT-specific supplemental applications vary by carrier, but several categories of questions are now nearly universal:

Network segmentation. Is there a documented, enforced separation between IT and OT networks? What controls exist at the boundary? Can an attacker who compromises the enterprise IT network reach OT systems directly?

Underwriters weight this heavily because the most common pathway for operational disruption in industrial ransomware incidents is lateral movement from IT into OT. A clear, enforced IT/OT boundary reduces both the frequency and potential severity of OT incidents.

Remote access controls. How is remote access to OT systems managed? Is multi-factor authentication required? Are vendor connections individually credentialed, time-limited, and monitored?

Remote access vulnerabilities are consistently identified as the initial access vector in OT incidents. Underwriters assess whether the organization has moved beyond the "shared credentials plus RDP" model that characterized most OT remote access programs five years ago.

OT-specific monitoring. Is there security monitoring specifically designed for OT protocols and environments? Can the organization detect anomalous activity in industrial networks?

Generic IT SIEM tools that receive no OT-specific data and have no protocol awareness are increasingly recognized by underwriters as insufficient for OT risk management. The ability to detect threats in OT environments — not just in IT environments — reduces dwell time and therefore severity.

Backup and recovery for OT systems. Are OT configurations, PLC logic, HMI projects, and SCADA databases backed up? Are backups tested? What is the documented recovery time objective for critical OT systems?

The recovery complexity of OT environments is a key driver of incident cost. Organizations with tested OT recovery capabilities — who can demonstrate that they can restore a SCADA server or re-flash PLC logic within a defined timeframe — are significantly more attractive risks than those whose OT recovery capabilities are untested or undocumented.

Incident response planning for OT. Does the organization have an OT-specific incident response plan? Has it been tested through exercises? Does it include operations team members, not just cybersecurity staff?

OT-specific controls. Are engineering workstations hardened and restricted from internet access? Is removable media controlled in OT areas? Are software updates and patch management processes defined for OT systems?

Asset inventory. Is there a documented inventory of OT assets including firmware versions and known vulnerabilities?

Third-party OT risk. How are vendor and contractor connections to OT systems managed? Are vendor security requirements contractually specified?

Coverage Exclusions to Watch For

As the OT insurance market has matured, exclusions have multiplied. Organizations accepting a policy without carefully reviewing exclusions risk discovering that their most significant OT loss scenarios are not covered:

War and nation-state exclusions. The Lloyd's of London market began requiring explicit nation-state exclusions following disputes over NotPetya coverage. For OT environments, which face significant nation-state threat actor activity, a broad war exclusion can create coverage gaps for exactly the kind of incidents that represent the highest-consequence scenarios. Understand specifically how your policy defines "war" or "hostile nation-state action" and whether that definition could apply to incidents in your sector.

Infrastructure failure exclusions. Some policies exclude losses resulting from failure of physical infrastructure — which could be interpreted to exclude OT incidents that cause equipment damage or process failure.

Unpatched system exclusions. Policies increasingly include language requiring that systems be maintained with current patches. In OT environments where patching may be impractical for legitimate operational reasons, a broad unpatched system exclusion could exclude coverage for incidents on systems with known vulnerabilities — which in practice may include most OT assets.

Industrial control system exclusions. Some general cyber policies contain explicit exclusions for "industrial control systems" or "operational technology." If you are renewing a general cyber policy rather than an OT-specific product, verify that ICS-related losses are explicitly covered, not excluded.

How Security Investment Improves Insurability

The good news for organizations building OT security programs is that underwriters increasingly provide tangible premium benefits for documented security improvements. The investment is not just a security ROI question — it directly affects the cost of risk transfer.

Network segmentation documentation: Being able to demonstrate an enforced IT/OT boundary with documented firewall rules and a network architecture diagram is among the most impactful insurability improvements. Several carriers use the presence or absence of IT/OT segmentation as a coverage eligibility criterion, not just a pricing factor.

MFA on all remote access: Multi-factor authentication on OT remote access is increasingly a hard requirement for coverage, not just a preferred control. Organizations that implemented MFA across OT remote access connections saw meaningful premium reductions in renewals.

OT-specific monitoring tools: Demonstrating that you have deployed passive OT monitoring (not just IT SIEM extended to OT) with protocol-aware analysis and alert tuning communicates substantially more to underwriters than claiming "we monitor our OT network." Being able to name the platform (Claroty, Dragos, Nozomi Networks), describe coverage, and show sample alert workflows carries significant weight.

Tested OT recovery procedures: Organizations that can document that they have tested OT recovery procedures — through tabletop exercises or actual restoration exercises — present demonstrably different risk profiles from those who acknowledge they have never tested their OT recovery capabilities.

Third-party OT assessment: An OT-specific security assessment conducted by a recognized external firm within the past 12-24 months, with documented findings and a remediation plan, demonstrates program maturity in a way that self-attestation does not.

Practical Recommendations

Review your current policy before renewal. Understand what your current policy covers for OT-related losses and what it excludes. Do not wait until you have an incident to discover that your largest exposure is excluded.

Engage a broker with OT experience. General cyber insurance brokers may not understand the specific coverage considerations relevant to OT environments. Brokers with industrial sector and OT experience can identify policy terms that matter and carriers with better OT coverage.

Document your security controls. The questionnaire is an opportunity, not a burden. Organizations that can answer questions with specific, detailed evidence — "we deployed Claroty in 2024 covering 85 percent of our OT assets, with MFA required on all remote access connections via dedicated OT jump servers" — are presenting a fundamentally different risk profile from those who check "yes" without supporting documentation.

Quantify your OT risk before renewal. A basic operational risk quantification — what would a ransomware-induced production shutdown at your primary facility cost per day, and how many days would restoration take? — provides the business context for both insurance purchasing decisions and security investment justification.

Treat the questionnaire as a gap analysis. Review the underwriter's questions as a list of security controls they consider material. Any question you cannot confidently answer "yes" to with documentation identifies a security program gap worth addressing on its own merits.


Beacon Security helps industrial organizations prepare for OT cyber insurance renewals through security assessments, documentation development, and control implementation prioritized against underwriter requirements. Contact us to improve your insurability while strengthening your actual security posture.
