Global OT cyber risk could top $329 billion, new report warns

A new study from Dragos and Marsh McLennan puts hard numbers on the global financial risk tied to OT cyber incidents. The 2025 OT Security Financial Risk Report estimates that the most extreme scenarios could place more than $329.5 billion at risk worldwide in a single year.

Insurance data shows $329.5B OT cyber risk

The analysis is built on a decade of insurance claims and incident data, modeled by Marsh McLennan’s Cyber Risk Intelligence Center. The dataset draws from one of the largest insurance claims repositories in the world and is independent of Dragos. This gives the findings weight in a space where OT-specific financial data has been scarce.

The report models three main financial scenarios. First, in a typical year where business interruption (BI) claims follow an OT incident, average risk could total $12.7 billion. When looking at all OT-related incidents, regardless of BI claims, the figure rises to $31.1 billion. For rare, high-impact “tail” events with a 0.4% likelihood in any given year, BI-related losses could reach $172.4 billion. When accounting for both direct and indirect costs, the total at risk in such a scenario could climb to $329.5 billion.

Indirect costs are a major driver of these numbers. The report finds that roughly 70% of OT-impacting breaches involve indirect effects, such as production halts triggered out of caution or failures in interconnected systems. These losses often grow over time and can exceed direct remediation costs, especially for larger organizations.

Global exposure across industries

While all sectors face increasing OT cyber risk, manufacturing emerges as one of the most exposed, with a 0.71% general likelihood of an incident in a given year and higher rates in subsectors like chemical manufacturing and pharmaceuticals. Utilities, oil and gas, construction, and building automation also feature prominently.

Geographically, North America and Europe show the highest OT event rates, though the report notes that underreporting remains an issue in regions with less mature regulatory or monitoring frameworks. Larger companies tend to face a higher likelihood of incidents, partly due to their visibility and the complexity of their OT environments.

Risk reduction through critical controls

The second half of the study models how specific OT cybersecurity controls can reduce both the likelihood and severity of financial loss. Using the SANS ICS 5 Critical Controls as a baseline, Marsh McLennan’s analysis found measurable correlations between each control and reduced risk.

Incident response planning stands out, with a potential 18.46% reduction in financial risk. Defensible architecture follows closely at 17.09%, and network visibility and monitoring at 16.47%. Risk-based vulnerability management and secure remote access round out the list with reductions of 13.87% and 12.18%, respectively.

The report stresses that these controls are not purely additive, and their combined effect is difficult to model precisely. Still, the individual percentages give CISOs a data-driven way to prioritize investments, especially when budgets are constrained.

From risk estimates to strategy

The study’s core message is that OT cyber risk is both quantifiable and reducible. Knowing the scale of potential losses and which controls offer the highest return in avoided costs gives security leaders a stronger case for targeted investment.

For CISOs, the takeaway is twofold. First, OT-specific incident response planning should be at the top of the roadmap, integrated with engineering and operations teams and tested against realistic threat scenarios. Second, visibility into OT environments is no longer optional. Without continuous monitoring, it is impossible to detect early indicators, capture needed forensic data, or respond effectively when incidents occur.

The numbers in this report are large enough to make a financial impact on entire industries. Having independent insurance data to back OT security decisions turns those numbers into a lever for getting leadership buy-in.
