Rising financial losses from operational technology (OT) cyber incidents are accelerating boardroom investment in industrial cybersecurity, as breach costs, regulatory mandates, and tightening insurance requirements converge to reframe OT security as a governance issue rather than a technical one. OT-impacting breaches now average $4.56 million per incident, accounting for production losses, safety consequences, and regulatory costs, according to data cited by Industrial Cyber drawing on IBM's Cost of a Data Breach analysis. Sixty percent of organizations experienced OT security incidents in 2025, and 96% of those incidents originated from IT-level compromises, according to TXOne Networks' 2026 annual OT/ICS cybersecurity report.
Escalating Financial Exposure
The financial calculus around OT cybersecurity has shifted. A joint report from Dragos and Marsh McLennan estimates worst-case global OT cyber risk at $329.5 billion annually, with $172.4 billion tied specifically to business interruption claims. Even in more typical years, average annual OT-related cyber risk is projected at $31.1 billion. Indirect losses, often overlooked in traditional models, account for up to 70% of OT-related breach costs, driven by cascading supply chain disruptions and precautionary shutdowns rather than direct system damage.
The manufacturing, building automation and warehousing, and oil and gas industries face the highest likelihood of OT-related breaches, with North America experiencing the most frequent events, according to the Dragos-Marsh McLennan analysis. Real-world incidents reinforce these figures: the Jaguar Land Rover cyber event halted production across global operations for weeks and disrupted thousands of suppliers, while a December 2025 attack on Poland's energy sector, involving wiper malware deployed through vulnerable edge devices, prompted a CISA advisory in February 2026.
Governance and Insurance Dynamics
Boards are responding with structural changes. More than half (52%) of organizations now place OT security under the CISO, up from 16% in 2022, with 80% planning to consolidate OT responsibility within the C-suite within 12 months, according to Industrial Cyber. Eighty-eight percent of organizations increased OT security spending by more than 10%, per TXOne's 2026 report.
Victor Atkins, director for critical infrastructure security consulting at 1898 & Co., told Industrial Cyber that "security teams are accountable for cyber risk, but operations and engineering typically carry the cost and burden of sustaining OT controls." Industry executives report that boards now evaluate CISOs on metrics including mean time to repair (MTTR) for OT environments, impact on overall equipment effectiveness (OEE), and safety-related near misses tied to cyber events.
Cyber insurers are simultaneously tightening requirements. Global cyber insurance premiums reached $16 billion in 2025 and are projected to hit $23 billion by the end of the decade, according to S&P Global Ratings and Munich Re. Insurers increasingly consider the presence and maturity of OT security controls when assessing insurability, setting policy terms, and determining premiums, according to a Reed Smith analysis of the Dragos-Marsh McLennan report. Businesses meeting baseline security controls typically pay 50-60% less in premiums compared to those with documented deficiencies, according to data from Marsh and Gallagher.
Regulatory Pressure Ahead
CISA is finalizing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rules, which will require covered entities to report cyber incidents within 72 hours and ransom payments within 24 hours. The final rule was targeted for May 2026, though federal appropriations disruptions have delayed planned stakeholder town halls and may push the timeline further. CISA estimates the rule would apply to more than 300,000 entities across 16 critical infrastructure sectors. For industrial operators, faster reporting timelines heighten the urgency of detection, scoping, and defensible impact assessment, capabilities that insurers and regulators alike are beginning to treat as baseline expectations.
