Risk Management

Cyber Insurance for OT: What Underwriters Want to See

March 5, 2026 | 9 min read | By Beacon Security Team

The Hardening Market for OT Insurance

Not long ago, buying cyber insurance meant answering a short questionnaire about your IT security posture (MFA on email, endpoint protection deployed, backups in place) and receiving a quote. OT environments barely registered. A manufacturing company with a hundred PLCs and a SCADA system that dated to 2005 could check the same boxes as a professional services firm and get roughly comparable coverage.

That era is over.

Colonial Pipeline, the meat processing attacks, and a wave of manufacturing sector ransomware incidents demonstrated to underwriters that OT exposure was significantly larger than their models had assumed. The response was predictable and swift: premiums rose sharply, coverage limits tightened, exclusions multiplied, and the questionnaires became dramatically more specific about operational technology. Organizations that were able to purchase broad cyber coverage with minimal OT questions in 2019 now face lengthy supplemental applications asking about PLC authentication, SCADA network segmentation, OT monitoring capabilities, and incident response planning for industrial environments.

For OT-heavy organizations (energy companies, oil and gas operators, manufacturers, chemical producers), cyber insurance renewal has become a substantive exercise in demonstrating OT security posture. Beacon Security helps clients prepare for exactly these conversations, and what we see consistently is that organizations are surprised by how much underwriters now know about OT environments and how specifically they ask about them.

How Underwriters Think About OT Risk

The fundamental underwriting concern in OT environments is twofold: frequency (how likely is an incident?) and severity (if one occurs, how much will it cost?).

In OT environments, severity dominates the equation. A ransomware incident at a large petrochemical refinery that forces a production shutdown can generate losses that dwarf anything achievable by encrypting file servers. Lost production revenue, decontamination costs, regulatory response costs, potential environmental liability, and the sheer complexity of restoring certified OT configurations all add up to loss scenarios that can reach tens or hundreds of millions of dollars. Underwriters know this now in ways they did not five years ago.

There is also the accumulation risk concern: if multiple industrial facilities from different policyholders are targeted by the same attack campaign, as they might be if a widely deployed OT platform has a critical vulnerability exploited at scale, the industry's combined exposure could be enormous. This concentration risk shapes how underwriters approach sector-wide exposures in energy, utilities, and manufacturing, and why they ask the same questions so consistently across carriers.

What the Questionnaire Actually Asks

OT-specific supplemental applications vary by carrier, but several categories of questions are now nearly universal. If you have not seen these questions yet, you will at your next renewal.

Network segmentation. Is there a documented, enforced separation between IT and OT networks? What controls exist at the boundary? Can an attacker who compromises the enterprise IT network reach OT systems directly? Underwriters weight this heavily because the most common pathway for operational disruption in industrial ransomware incidents is lateral movement from IT into OT. A clear, enforced IT/OT boundary reduces both the frequency and potential severity of OT incidents, and underwriters have learned to ask follow-up questions if the first answer sounds too confident.

Remote access controls. How is remote access to OT systems managed? Is multi-factor authentication required? Are vendor connections individually credentialed, time-limited, and monitored? Remote access vulnerabilities are consistently identified as the initial access vector in OT incidents. Underwriters assess whether the organization has moved beyond the shared credentials model that characterized most OT remote access programs five years ago. If the honest answer involves TeamViewer with a shared password, that conversation will not go well.

OT-specific monitoring. Is there security monitoring specifically designed for OT protocols and environments? Generic IT SIEM tools that receive no OT-specific data and have no protocol awareness are increasingly recognized as insufficient. The ability to detect threats in OT environments, not just in IT environments, reduces dwell time and therefore severity. Underwriters are increasingly asking not just whether monitoring exists, but what platforms are deployed and what coverage they provide.

Backup and recovery for OT systems. Are OT configurations, PLC logic, HMI projects, and SCADA databases backed up? Are backups tested? What is the documented recovery time objective for critical OT systems? The recovery complexity of OT environments is a key driver of incident cost. Organizations that can demonstrate they can restore a SCADA server or re-flash PLC logic within a defined timeframe are significantly more attractive risks than those whose OT recovery capabilities are untested or undocumented.

Incident response planning for OT. Does the organization have an OT-specific incident response plan? Has it been tested through exercises? Does it include operations team members, not just cybersecurity staff?

Asset inventory. Is there a documented inventory of OT assets including firmware versions and known vulnerabilities? This question trips up more organizations than any other: having an accurate OT asset inventory is harder than it sounds and less common than it should be.

Third-party OT risk. How are vendor and contractor connections to OT systems managed? Are vendor security requirements contractually specified?

Coverage Exclusions to Watch For

The most dangerous moment in OT cyber insurance is the moment you discover that your largest loss scenario is excluded from the policy you just renewed. This happens more than it should.

War and nation-state exclusions. The Lloyd's of London market began requiring explicit nation-state exclusions following disputes over NotPetya coverage. For OT environments, which face significant nation-state threat actor activity, a broad war exclusion can create coverage gaps for exactly the highest-consequence scenarios. Understand specifically how your policy defines "war" or "hostile nation-state action" and whether that definition could apply to incidents in your sector. The answer may surprise you.

Unpatched system exclusions. Policies increasingly include language requiring that systems be maintained with current patches. In OT environments where patching may be impractical for legitimate operational reasons (a PLC embedded in a continuous process that cannot be taken offline for a patch cycle, for example), a broad unpatched system exclusion could exclude coverage for incidents on systems with known vulnerabilities. In practice, that may mean most of your OT assets.

Industrial control system exclusions. Some general cyber policies contain explicit exclusions for "industrial control systems" or "operational technology." If you are renewing a general cyber policy rather than an OT-specific product, verify that ICS-related losses are explicitly covered, not carved out. This is not a hypothetical; it is a live issue in multiple sectors.

Infrastructure failure exclusions. Some policies exclude losses resulting from failure of physical infrastructure, which could be interpreted to exclude OT incidents that cause equipment damage or process failure.

How Security Investment Improves Insurability

The good news is that underwriters increasingly provide tangible premium benefits for documented security improvements. The investment is not just a security ROI question; it directly affects the cost of risk transfer.

Network segmentation documentation is among the most impactful insurability improvements. Being able to demonstrate an enforced IT/OT boundary with documented firewall rules and a network architecture diagram carries real weight. Several carriers use the presence or absence of IT/OT segmentation as a coverage eligibility criterion, not just a pricing factor.

MFA on all remote access has become a hard requirement for coverage at many carriers, not just a preferred control. Organizations that implemented MFA across OT remote access connections saw meaningful premium reductions in renewals.

OT-specific monitoring tools communicate substantially more to underwriters than claiming "we monitor our OT network." Being able to name the platform, describe coverage, and show sample alert workflows (demonstrating that you can detect threats, not just that you have deployed a product) carries significant weight.

Tested OT recovery procedures present a demonstrably different risk profile. Underwriters have learned to ask whether recovery procedures have actually been tested. Tabletop exercises that include OT recovery scenarios, or actual restoration exercises, provide documented evidence of capability that self-attestation cannot match.

Third-party OT assessment conducted by a recognized external firm within the past 12 to 24 months, with documented findings and a remediation plan, demonstrates program maturity in a way that internal attestation does not. At Beacon Security, we regularly work with clients who are preparing for renewal and need to be able to show underwriters a credible external assessment: not just a checklist, but evidence that an outside expert has reviewed the environment and that findings are being actively addressed.

Practical Recommendations

Review your current policy before renewal. Understand what your current policy covers for OT-related losses and what it excludes. Do not wait until you have an incident to find out.

Engage a broker with OT experience. General cyber insurance brokers may not understand the specific coverage considerations relevant to OT environments. Brokers with industrial sector experience can identify policy terms that matter and carriers with better OT coverage.

Document your security controls. The questionnaire is an opportunity, not a burden. Organizations that can answer questions with specific, detailed evidence ("we deployed OT monitoring in 2024 covering 85 percent of our OT assets, with MFA required on all remote access connections via dedicated OT jump servers") are presenting a fundamentally different risk profile from those who check "yes" without supporting documentation. The difference in premium can be substantial.

Quantify your OT risk before renewal. What would a ransomware-induced production shutdown at your primary facility cost per day? How many days would restoration take? These numbers provide the business context for both insurance purchasing decisions and security investment justification, and they give your renewal conversation a foundation that goes beyond answering questionnaire boxes.

Treat the questionnaire as a gap analysis. Every question you cannot confidently answer "yes" to with documentation identifies a security program gap worth addressing on its own merits. The underwriter is giving you a prioritized list of controls that the insurance market considers material. That is useful information regardless of how the renewal goes.


Beacon Security helps industrial organizations prepare for OT cyber insurance renewals through security assessments, documentation development, and control implementation prioritized against underwriter requirements. Contact us to improve your insurability while strengthening your actual security posture.
