New Dragos Report Estimates Over $300 Billion in Potential Global OT Cyber Risk Exposure
A new industry study has quantified the potential global financial impact of operational technology (OT) cyber incidents at up to US $329.5 billion in a severe but plausible scenario, with business interruption losses accounting for more than half that amount.
Posted: Wednesday, Aug 13
  • KBI.Media

Study, conducted by Marsh McLennan’s Cyber Risk Intelligence Center, Assesses Potential Financial Impact of OT Cybersecurity Controls, Offering Guidance for Risk Executives, (Re)Insurers, and Security Leaders

Dragos, the global leader in cybersecurity for operational technology (OT) environments, today announced the release of the 2025 OT Security Financial Risk Report, based on a study by global professional services firm Marsh McLennan’s Cyber Risk Intelligence Center. In a first-of-its-kind industry analysis, the report provides statistical modeling that quantifies the potential financial risk of OT cyber incidents and estimates the effectiveness of key security controls, offering risk executives, insurers, and security leaders a practical path to measurable risk reduction.

Despite the growing frequency and sophistication of attacks targeting industrial systems, many business leaders continue to underestimate their OT cyber risk exposure. The report finds that indirect losses, often unaccounted for in traditional models, impact up to 70% of OT-related breaches, with worst-case scenarios estimating as much as $329.5 billion in global financial risk.

“Executives are increasingly accountable for managing cyber risks, but many still lack a clear line of sight into OT environments,” said Robert M. Lee, CEO and Co-founder, Dragos Inc. “The ability to quantify OT cyber risk and correlate it to potential financial losses is a game-changer. This report fills a critical gap by translating OT security into measurable financial risk and assessing controls aimed at mitigating that risk.”

Key Findings from the Report:

  • In a severe but plausible scenario, a so-called 1-in-250-year tail event, global OT cyber losses could reach $329.5 billion, with $172.4 billion from OT-related business interruption.
  • The three OT cybersecurity controls most correlated with risk reduction are:
    1. Incident Response Planning (up to 18.5% average risk reduction)
    2. Defensible Architecture (up to 17.09%)
    3. ICS Network Visibility and Monitoring (up to 16.47%)

These findings are based on a decade of breach and insurance claims data analysed by the Marsh McLennan Cyber Risk Intelligence Center (CRIC), one of the world’s largest repositories of cyber risk data. The statistical modeling, based on tens of thousands of simulations, is the first to quantify how specific OT cybersecurity controls correlate to financial loss reduction.

Financial Context: The Missing Link Needed to Quantify OT Risk

Despite rising attack frequency and increasing board-level concern, organisations across sectors have struggled to manage and insure OT cyber risk effectively. The report identifies three core barriers that continue to hinder progress:

  1. Undefined Financial Impact: Until now, most organisations lacked data to quantify the financial exposure tied specifically to OT cyber incidents.
  2. No Clear ROI on OT Security: Without a way to measure the effectiveness of controls, security investments have been difficult to justify.
  3. Prioritisation Paralysis: OT teams have lacked independent benchmarks to guide which controls matter most—and why.

“For years, organisations have lacked the context needed to understand OT cyber risk in business and financial terms,” said Mark Stacey, VP, Risk and Resilience Solutions at Dragos. “This study fills that gap, linking real-world financial data with OT-specific security controls. It gives executives, risk managers, and insurers the shared language and framework they’ve been missing to prioritise, invest, and insure with confidence.”

A New Era of OT Risk Modeling

The report marks one of the first large-scale attempts to map the SANS Five ICS Cybersecurity Critical Controls to tangible risk reduction percentages based on real-world insurance claims and industry data.

With the rise in OT-targeting malware and regulatory changes like the SEC’s 8-K cyber incident reporting rules, the need for defensible and insurer-recognised OT security frameworks has never been greater. This study correlates the use of the SANS Five Critical Controls with risk reduction, enabling security and compliance teams to prioritize investments that demonstrably reduce financial exposure.

“This report offers new visibility into the financial modeling of OT risk and provides insurers and OT operators alike with the confidence to take action,” said Scott Stransky, Head of the Cyber Risk Intelligence Center at Marsh McLennan. “By statistically linking controls to measurable risk reduction, organisations can better evaluate client readiness and make more accurate, risk-based coverage decisions.”

About Dragos, Inc.

Dragos provides the most effective OT cybersecurity technology for industrial and critical infrastructure to deliver on our global mission: to safeguard civilization. After nearly a decade of real-world experience handling landmark attacks on OT networks, Dragos understands the complexity and risks of industrial environments, which operate on a massive scale with unique systems and exacting availability requirements and are not protected by IT cybersecurity.

The Dragos Platform provides visibility and monitoring of OT environments for asset identification, vulnerability management, and threat detection with continuous insights generated by the industry’s most experienced OT threat intelligence and services team. It discovers and monitors OT, IT, IoT, and IIoT assets within the OT environment and integrates with IT security infrastructure. Dragos protects customers across a range of industrial sectors including electric, oil & gas, manufacturing, water, transportation, mining, and government. Dragos is privately held and headquartered in the Washington, DC area with presence globally.
