OT/ICS ransomware: when a cyber claim becomes a property loss

Ransomware that hits operational technology — PLCs, SCADA, plant controls — increasingly produces physical damage. The insurance form question is which policy actually pays.

Julius Roderer, Co-Founder & CEO | May 13, 2026

The classic ransomware claim is simple: attackers encrypt the office network, the firm pays (or restores from backups), there’s some lost productivity, breach response is invoiced, the cyber policy responds. The form is well understood; underwriters know how to price it.

The newer claim is harder to sort. When ransomware reaches the operational technology side of a manufacturer (the PLCs, SCADA systems, plant-floor controllers, safety systems), what has until now been a “cyber event” starts producing what looks an awful lot like “property damage.” A press over-runs and damages tooling. A reactor’s safety interlock is bypassed and a vessel is destroyed. A cold-chain breaks and product is spoiled.

This is the cyber-physical loss boundary, and the insurance forms haven’t all caught up.

Why OT/ICS is now in scope for ransomware crews

Three trends pushed ransomware groups into OT/ICS through 2024–2026:

  1. OT became reachable. Modern plants increasingly bridge the IT and OT networks for telemetry, predictive maintenance and remote operations. The air-gap that used to make OT effectively immune to commodity ransomware is mostly gone.
  2. The pressure works. A manufacturer with the office network down has a problem. A manufacturer with the line down has a catastrophe — every hour of downtime is six- or seven-figure lost output. Ransom willingness is much higher.
  3. Capability widened. Frontier-model offensive capability (Claude Mythos and its kind) makes OT/ICS exploitation cheaper and faster to develop. What used to require a nation-state-level team is now within reach of well-resourced criminal groups.

Where the insurance forms get awkward

A standard cyber policy responds to:

  • First-party breach response, system restoration, ransom (where insurable)
  • Business interruption from the cyber event
  • Third-party liability for breached data

A standard property policy responds to:

  • Direct physical loss or damage to the insured property
  • Business interruption following direct physical damage
  • Equipment breakdown (mechanical and electrical failure)

When ransomware causes physical damage — say, the safety interlock bypass that destroys a vessel — the cyber policy may pay for the system restoration and the business interruption from the cyber event, while the property policy may resist paying for the physical loss on the basis of a “cyber exclusion” embedded in the property form.

This is where the loss gets stuck. Cyber says “you have property damage, that’s not us.” Property says “the proximate cause was a cyber event, that’s excluded.”

What the well-structured manufacturer programme looks like

Three structural moves close the gap:

1. Affirmative cyber-perils endorsement on the property policy

The cleanest fix: an affirmative cyber endorsement on the property form that explicitly covers physical loss arising from a cyber event. Several specialty property markets now offer this; pricing is meaningful but the gap-closing value is significant.

2. OT/ICS-specific cyber form

Standard cyber forms were written for IT environments. Specialty OT/ICS cyber forms cover the operational side — including business interruption from production stoppage (not just from office-network outage), and physical damage caused by malicious code reaching controllers.

3. Contingent business interruption that includes upstream OT events

If your loss isn’t your own OT going down but a key supplier’s, contingent BI matters. The form has to specifically include cyber-caused contingent BI — many standard CBI forms exclude it.

What to ask at your next manufacturing renewal

Four specific questions:

  1. Does the property policy have a cyber exclusion? Almost all do. The question is what gets excluded specifically.
  2. Is there an affirmative cyber-perils endorsement? Or is the cyber form expected to cover physical loss? Read both forms together.
  3. Does the cyber form’s BI definition reach production downtime, not just system downtime? A 24-hour BI waiting period that triggers on “computer system being offline” may not trigger when production stops but the office network is running.
  4. Is contingent BI in scope for cyber-caused supplier outages? If the form is silent, assume not.

Manufacturers have always had property insurance and (more recently) cyber insurance. The 2026 question is whether the seam between them can be bought shut, and which carriers will write it.

About the author

Julius Roderer

Co-Founder & CEO

Julius's career spans from insurance to frontier computational neuroscience research. He was an investment banking associate at UBS covering insurance, and an AI researcher at Imperial College London. He holds an MSc in Artificial Intelligence from Imperial (with Distinction) and a BSc in Economics from the London School of Economics (First Class Honours).
