Dragos Inc., a company specialising in cybersecurity for operational technology (OT) environments, has released its 2025 OT Security Financial Risk Report, produced with Marsh McLennan’s Cyber Risk Intelligence Center.
The report applies statistical modelling to estimate the financial impact of OT cyber incidents and evaluate the effectiveness of selected security controls. It is intended to give executives, insurers, and security teams data to better assess and address financial exposure.
The study indicates that indirect losses—often excluded from standard models—account for as much as 70% of OT-related breaches.
In its most severe modelled scenario, described as a 1-in-250-year event, worldwide OT cyber losses could reach $329.5 billion, with $172.4 billion attributed to business interruption.
Based on an analysis of a decade’s worth of breach and insurance claims data, the report identifies certain controls as having the strongest correlation with reduced losses: incident response planning, defensible architecture, and ICS network visibility and monitoring.
The modelling is tied to the SANS ICS Five Cybersecurity Critical Controls and uses tens of thousands of simulations to link specific measures to potential reductions in financial risk.
The report notes that many organisations continue to struggle with OT cyber risk management due to limited data on financial consequences, uncertainty over the return on investment for security measures, and a lack of independent benchmarks to guide priorities.
It also points to growing pressures, including targeted malware and regulatory requirements such as the SEC’s 8-K cyber incident reporting rule, as factors increasing the need for more defensible and measurable security strategies.
“Executives are increasingly accountable for managing cyber risks, but many still lack a clear line of sight into OT environments,” said Robert M. Lee, CEO and Co-founder, Dragos Inc.
“The ability to quantify OT cyber risk and correlate it to potential financial losses is a game-changer. This report fills a critical gap by translating OT security into measurable financial risk and assessing controls aimed at mitigating that risk.”
“For years, organisations have lacked the context needed to understand OT cyber risk in business and financial terms,” commented Mark Stacey, VP, Risk and Resilience Solutions at Dragos.
“This study fills that gap—linking real-world financial data with OT-specific security controls. It gives executives, risk managers, and insurers the shared language and framework they’ve been missing to prioritise, invest, and insure with confidence.”
“This report offers new visibility into the financial modelling of OT risk and provides insurers and OT operators alike with the confidence to take action,” said Scott Stransky, Head of the Cyber Risk Intelligence Center at Marsh McLennan.
“By statistically linking controls to measurable risk reduction, organisations can better evaluate client readiness and make more accurate, risk-based coverage decisions.”
The post Dragos report estimates up to $330bn in global OT cyber risk appeared first on ReinsuranceNe.ws.