Manufacturing Cyber Insurance: What Five Years Of Claims Data Tells Underwriters

by

Estimated reading time: 7 minutes

The data is clear: ransomware makes up 90% of total losses in Resilience’s manufacturing portfolio over almost five years, but only 12% of claims. This difference between how often attacks happen and how costly they are is the main story for manufacturing cyber insurance in 2026. Today, Resilience released The State of Cybersecurity in Manufacturing, based on claims data from March 2021 to February 2026. The report offers underwriters, brokers, and risk managers a rare look at how control failures directly lead to financial losses in the most targeted industry.

Manufacturing Is The Most Targeted Sector — And Has Been For Five Years

For five years in a row, manufacturing has been the most targeted industry for cyberattacks. According to IBM’s X-Force Threat Intelligence Index, the sector made up more than a quarter of all cyberattacks in 2025. Ransomware attacks on manufacturers rose by 61% in the first three quarters of 2025, the highest increase among all sectors. Bitsight also reported a 71% jump in threat activity against manufacturing. In 2024, three out of four organizations had a breach that affected their operational technology, up from about half the year before.

Resilience cyber insurance company logo

There are structural reasons for this trend. Manufacturers cannot afford downtime, often have underfunded security, and now have more connected IT and OT systems. Ransomware attackers know this. When a manufacturer is running at full capacity, stopping production is not an option, so they are more likely to pay ransoms quickly and in higher amounts.

The MFA Finding That Should Reshape Every Renewal Questionnaire

The most important finding in this report is about MFA, not how often ransomware happens. Misconfigured MFA is responsible for about 26% of all losses in Resilience’s manufacturing portfolio, while not having MFA at all accounts for only 8%. Having a control in place but setting it up incorrectly leads to more financial loss than not having it.

The costliest ransomware event in the dataset, linked to the BlackCat group, happened because of misconfigured MFA—not because MFA was missing. This challenges the simple yes-or-no approach in most renewal questionnaires. Now, the key question is whether MFA is set up correctly, used on all accounts, and does not have any bypass options. Underwriters should see MFA validation as an ongoing audit, not just a one-time task.

See also  Holiday Downtime, Prime Time: How Cyberattack Risk Surges During Ransomware Season

Ransomware Drives Loss. Phishing Drives Volume

The claims data show a clear difference between how often incidents happen and how serious they are. Transfer fraud makes up 15% of claims, and email compromise makes up 14%. Both are usually caused by phishing and are the most common daily claims. However, their payouts are much lower than those for ransomware. On average, transfer fraud claims pay out about ten times more than email compromise claims.

Ransomware is different. It accounts for just 12% of claims but causes 90% of total losses. The financial ups and downs in the manufacturing portfolio mostly depend on whether a major ransomware event happened in a given quarter. Changes from quarter to quarter are not about how many claims there are, but whether a big event took place. For underwriters, simply reducing the number of claims will not lower overall financial risk much. To reduce severity, it is important to focus on controls that stop or limit ransomware.

Software Vulnerabilities Are A Direct Line To The Costliest Outcomes

Software vulnerability exploits make up about 13% of total losses, mostly from severe ransomware events linked to Black Basta and Cactus. The data clearly shows that failing to manage patches leads to more ransomware. This is especially important for manufacturers, since older OT systems often cannot be patched without stopping production. When patching is not possible, the financial impact of that technical debt appears directly in claims.

The IT/OT convergence problem compounds this. Internet-exposed ICS devices rose 40% between 2024 and 2025. Nearly three in four organizations experienced an OT-impacting breach in 2024. The microsegmentation gap documented in recent research is visible in these loss numbers. Underwriters should ask manufacturers specifically about compensating controls for systems that cannot be patched, including network isolation and enhanced monitoring of vulnerable legacy environments.

Get The Cyber Insurance News Upload Delivered
Subscribe to our newsletter!

The Vendor And Supply Chain Dimension

Ransomware linked to vendors makes up 2.2% of total losses in the Resilience dataset, counted separately from direct attacks. This number does not include the CDK vendor incident from June 2024, which was left out to keep the data clear. Because manufacturing relies on complex global supply chains, there is always some third-party risk. High-profile incidents like the JLR cyberattack show how problems with vendors can quickly lead to production stops and insurance claims.

See also  The Price of Complacency: Only 2% of Companies Fully Implement Cyber Resilience - PWC Survey

Resilience suggests that manufacturers should require critical vendors to follow security rules in their contracts. This includes using MFA, keeping software patched, monitoring vendor risk, and having backup plans for supplier problems. For underwriters, vendor dependency is a unique risk and should be addressed separately during renewals, not just as part of general third-party risk.

What The Claims Data Means For Underwriting

Vishaal “V8” Hariprasad, Co-Founder and CEO of Resilience, frames the larger picture plainly: “Our research is focused on equipping security leaders with the knowledge required to better defend their organizations from devastating business interruption and financial loss.” The claims data operationalizes that goal for underwriters specifically.

The report highlights five controls that have the biggest financial impact. The most important is auditing and validating MFA. Next is managing vulnerabilities in systems that face the internet. Setting up procedures for financial transfers helps with the frequent phishing problem. Investing in ransomware containment tackles the severity issue. Vendor security requirements help manage supply chain risks. Since many phishing claims are caused by human error, technical controls alone are not enough.

For brokers working on manufacturing cyber insurance, this report offers a clear framework for renewal discussions. The data is presented in financial terms that CFOs and boards can easily understand. Ransomware is the main source of loss. A single misconfigured control led to the most expensive event in the data. Unpatched software is a direct cause of the worst losses. These are not just theories—they come from five years of actual claims.

FAQ – Manufacturing Cyber Insurance

Why is manufacturing the most targeted industry for cyberattacks?

Manufacturing has held the top position for five consecutive years. The combination of low downtime tolerance, historically underfunded security programs, and rapid adoption of connected OT and IoT technologies makes manufacturers ideal ransomware targets. Attackers understand that production disruption forces faster and larger ransom payments.

What does Resilience’s claims data show about manufacturing cyber insurance losses?

Ransomware accounts for 90% of total incurred losses in Resilience’s manufacturing portfolio despite representing only 12% of claim volume. MFA misconfiguration is the single most expensive point of failure at approximately 26% of all losses. Transfer fraud and email compromise, driven by phishing, account for roughly 30% of claim volume but at far lower individual severity than ransomware events.

See also  Lloyd Tells Brokers Cyber Insurance Must Support UK Resilience
Why does misconfigured MFA cause more losses than having no MFA?

Misconfigured MFA creates a false sense of security. Organizations believe they have the control in place, while gaps remain, accounts not covered, bypass conditions left open, and conditional access policies improperly set. The most expensive ransomware event in the Resilience manufacturing portfolio was directly enabled by misconfigured MFA rather than its absence.

What should underwriters ask manufacturers about MFA at renewal?

Binary yes/no MFA questions are no longer adequate. Underwriters should ask whether MFA is enforced across all accounts without exception, whether bypass conditions have been audited and eliminated, and whether conditional access policies have been validated. MFA validation should be treated as an ongoing process requirement, not a one-time implementation confirmation.

How does OT exposure affect manufacturing cyber insurance claims?

Legacy OT systems often cannot be patched without production downtime, creating persistent unpatched vulnerability exposure. Software vulnerability exploits account for approximately 13% of Resilience’s manufacturing portfolio losses, concentrated in high-severity ransomware events. Underwriters should ask separately about compensating controls for systems that cannot be patched on standard timelines.

What are the highest-impact controls for reducing manufacturing cyber insurance claims?

Based on Resilience’s claims data, the five highest-impact controls are auditing and validating MFA deployment, strengthening vulnerability management for external-facing systems, implementing procedural controls for financial transfers, investing in ransomware containment and response capabilities, and extending security requirements to vendors and supply chain partners.

Martin Hinton

Martin Hinton is the Executive Editor and Publisher of Cyber Insurance News and Information. With over three decades of journalism experience across six continents, his work encompasses investigative reporting, documentaries, and coverage of cultural, political, and business news. To learn more about his career, click on his name to visit his LinkedIn page.

Leave a Comment

×