Industrial companies are increasingly approaching insurance carriers for cyber risk coverage. Carriers are increasingly declining to cover OT-related incidents—or imposing strict conditions—because they don't understand OT security and view it as high-risk. The gap between what industrial companies can demonstrate about their OT security and what carriers require for coverage is widening. Understanding what carriers ask for and preparing now can improve your ability to secure coverage and negotiate reasonable terms.
Cyber insurance for OT is a maturing market, but it's not mature yet. Carriers have limited experience with industrial incidents. They're still figuring out how to underwrite OT risk. This creates opportunity for organizations that can demonstrate mature security practices. It also creates significant friction for organizations that haven't invested in security—many can't get coverage at any price.
What Underwriters Require
Most carriers now require a cybersecurity questionnaire covering your network architecture, security controls, incident response capability, and regulatory compliance. They ask for details: how many PLC assets do you operate, are they networked, do they have remote access capability, what monitoring do you have, what training do your staff receive, how would you respond to a ransomware incident on your control systems? Many organizations struggle to answer these questions in detail because they've never documented their OT security practices.
Carriers increasingly require third-party security assessment—a vulnerability assessment or penetration test conducted by an approved firm. This is expensive, but it's often non-negotiable for coverage. The assessment gives the carrier confidence that you understand your vulnerabilities and have a remediation plan. It also protects you if an incident occurs—evidence that you conducted due diligence is a defense against claims of negligence.
Common Underwriting Requirements
- Network segmentation: Control systems must be on separate network segments from corporate IT. Access from IT to OT must be controlled and monitored. Remote access to OT systems must require multi-factor authentication and happen through a bastion host or VPN with logging.
- Patching policy: You must have a formal patch management process. Patches should be applied within 90 days of release unless vendor-specific constraints prevent it. Critical patches should be applied faster. You must document your patching activity.
- Access control: Default passwords must be changed on all systems. Privileged access must be restricted and logged. Multi-factor authentication should be required for remote access. You must maintain records of who has access to which systems.
- Incident response plan: You must have a documented incident response plan specific to OT incidents. You must have tested it at least once in the past year. You must have assigned roles and contact information. You must have a process for notifying the insurance carrier in case of an incident.
Preparing for Underwriting
Before approaching an insurance carrier, conduct an internal assessment. Document your OT assets, your network architecture, your security controls, and your incident response capabilities. Identify gaps. Fix critical gaps before you submit to underwriting. Obtain a third-party vulnerability assessment. Use these results to show carriers that you understand your risk and have a remediation plan. This preparation makes underwriting faster, improves your chances of being approved, and usually results in better rates and terms.
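The internal assessment described above can be driven from the asset documentation itself. The script below is an added example, not the practice's own tooling: it scores a constructed OT inventory against the requirements listed under Common Underwriting Requirements (OT segmentation, MFA on remote access, default passwords changed, patches within 90 days, an OT-specific response plan tested within the past year with a carrier notification process). All asset ids, field names and dates are hypothetical.

```python
from datetime import date

PATCH_WINDOW_DAYS = 90     # article: patches applied within 90 days of release
IR_TEST_WINDOW_DAYS = 365  # article: IR plan tested at least once in the past year
ASSESSMENT_DATE = date(2024, 6, 1)  # constructed "today" for the sample run

# Constructed sample inventory; ids, fields and values are hypothetical.
ASSETS = [
    {"id": "PLC-01", "segment": "OT", "remote_access": True, "mfa": True,
     "default_password_changed": True, "oldest_unpatched_release": None},
    {"id": "PLC-02", "segment": "CORP", "remote_access": True, "mfa": False,
     "default_password_changed": False, "oldest_unpatched_release": date(2024, 1, 5)},
    {"id": "HMI-01", "segment": "OT", "remote_access": False, "mfa": False,
     "default_password_changed": True, "oldest_unpatched_release": date(2024, 3, 20)},
]
IR_PLAN = {"ot_specific": True, "last_test": date(2023, 9, 1),
           "carrier_notification": False}

def asset_gaps(asset, today):
    """Return the underwriting requirements this asset currently fails."""
    gaps = []
    if asset["segment"] != "OT":
        gaps.append("segmentation: control system not on a separate OT segment")
    if asset["remote_access"] and not asset["mfa"]:
        gaps.append("access control: remote access without MFA")
    if not asset["default_password_changed"]:
        gaps.append("access control: default password still in place")
    release = asset["oldest_unpatched_release"]
    if release is not None and (today - release).days > PATCH_WINDOW_DAYS:
        gaps.append(f"patching: release outstanding {(today - release).days} days")
    return gaps

def ir_gaps(plan, today):
    """Return the incident-response requirements the plan fails."""
    gaps = []
    if not plan["ot_specific"]:
        gaps.append("incident response: plan is not OT-specific")
    if (today - plan["last_test"]).days > IR_TEST_WINDOW_DAYS:
        gaps.append("incident response: plan not tested in the past year")
    if not plan["carrier_notification"]:
        gaps.append("incident response: no carrier notification process")
    return gaps

def readiness_report(assets, plan, today):
    """Map each asset id (plus 'IR-PLAN') to its gaps; an empty list means ready."""
    report = {a["id"]: asset_gaps(a, today) for a in assets}
    report["IR-PLAN"] = ir_gaps(plan, today)
    return report

if __name__ == "__main__":
    for item, gaps in readiness_report(ASSETS, IR_PLAN, ASSESSMENT_DATE).items():
        print(item, "OK" if not gaps else "; ".join(gaps))
```

Each non-empty entry in the report is a gap to close, or to document with its compensating control, before the questionnaire is submitted.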
Cyber insurance for OT is becoming essential risk management for industrial organizations. We help clients prepare for insurance underwriting, conduct assessments, and build the documentation needed to satisfy carrier requirements. Let's discuss insurance readiness for your operation.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.