Corporate risk managers are investing millions in cybersecurity—but many are unknowingly leaving their most critical operations vulnerable.
At the Risk Leadership Roundtable in New York City, a clear pattern emerged among senior risk managers from Fortune 500 companies: while IT cybersecurity receives substantial budget and attention, Operational Technology (OT) security is a potential blind spot.
The Critical Distinction
The difference between IT and OT cybersecurity isn't just technical, it's existential for many organizations. IT systems protect data and business processes. OT systems control physical operations: manufacturing lines, building management systems, utility infrastructure, and transportation networks.
When IT systems fail, you lose productivity. When OT systems fail, you can lose lives.
Consider the contrast: IT systems typically refresh every 3-5 years with regular security patches. OT systems often run for 10-20+ years on legacy, proprietary platforms that can't easily be updated. That old computer in the corner of your manufacturing plant? It might be controlling millions of dollars in daily production and it's most likely a significant risk.
Real Consequences
Examples shared during the roundtable discussion:
These aren't theoretical risks. They're happening now, and most organizations aren't prepared.
The Revenue Risk
Here's the challenge many risk managers face: leadership asks about cyber preparedness, sees a comprehensive IT security assessment, and considers the box checked. But when you examine revenue sources, the picture changes.
For manufacturers, two-thirds of revenue often comes from operational output. For REITs, it's building systems and tenant services. For utilities, it's continuous service delivery. All of these depend on OT, not IT.
Bridging the Gap
OT cybersecurity requires a different approach:
1. Cross-functional ownership:
OT security doesn't belong solely to IT. Effective programs involve Environmental Health & Safety, corporate security, facilities management, and operations teams. In some organizations, this falls under "corporate resilience" or similar functions.
2. Budget reallocation:
Organizations spending 90% of cyber budgets on IT while generating 70%+ of revenue from OT-dependent operations need to realign. This doesn't happen overnight but should be a multi-year strategic shift.
3. Leverage existing relationships:
Many insurance carriers and brokers provide risk control allowances that can fund OT assessments. These services often go unused. Smart risk managers redirect these resources toward their biggest gaps.
4. Focus on life safety:
C-suite attention increases dramatically when the conversation shifts from data breaches to potential loss of human life. OT risk presentations should lead with safety implications.
The Five Critical OT Controls
Based on industry frameworks, five controls emerged as most critical:
1. ICS Incident Response Plan – The fastest path to recovery
2. Defensible Architecture – Network segmentation to limit attack spread
3. ICS Network Visibility & Monitoring – You can't protect what you can't see
4. Secure Remote Access – The primary attack vector for many OT breaches
5. Risk-Based Vulnerability Management – Prioritizing patches for systems that can be updated
What This Means for Risk Managers
The insurance market is already responding. The Insurance Services Office (ISO) recently introduced general liability exclusions for digital threats. Cyber policies often exclude business interruption and property damage, while property policies exclude cyber-caused losses. This creates coverage gaps exactly where OT risks sit.
Risk management tools should help you identify these exposures. The question isn't whether your organization has OT risk—it's whether you know where it is and what you're doing about it.
Taking Action
Start with three questions:
-
What percentage of our revenue depends on operational technology?
-
Who in our organization owns OT security responsibility?
-
When did we last assess OT-specific cyber risks?
If you can't answer these questions clearly, you've identified your starting point. The good news: you're not alone, and resources exist to help.
The risk managers who came together for the roundtable event left with a clear mandate: IT cybersecurity is necessary but insufficient. In a world where operations drive value and cyber threats target physical systems, ignoring OT security isn't just a technology gap—it's a strategic vulnerability that could define your organization's future.
Want to easily assess your coverage and access ALL your policy in one place? LineSlip Risk Intelligence does just that – aggregates all your policy data across brokers and carriers so you know what’s covered by whom and for how much. Check it out here.
%20(8).png)
%20(7).png)
%20(4).png)
Frequently Asked Questions
1. What is the difference between IT and OT cybersecurity?
IT (Information Technology) cybersecurity protects data and business processes, while OT (Operational Technology) cybersecurity protects physical operations like manufacturing lines, building management systems, and utility infrastructure. The key distinction is existential: when IT systems fail, you lose productivity; when OT systems fail, you can lose lives. IT systems typically refresh every 3-5 years with regular security patches, while OT systems often run for 10-20+ years on legacy platforms that can't easily be updated. This creates significant vulnerabilities, especially since many organizations focus 90% of cyber budgets on IT while generating 70%+ of revenue from OT-dependent operations.
2. Why are OT systems more vulnerable to cyber attacks than IT systems?
OT systems present unique vulnerabilities because they operate on legacy, proprietary platforms that can't easily receive security patches or updates. These systems may run for decades without refresh cycles while controlling critical physical infrastructure. Examples of real-world consequences include pharmaceutical plants halted by malware, processing facilities experiencing equipment failures that are actually cyber attacks, and plant explosions caused by OT cyber attacks that cause systems to overheat. Additionally, the security gap widens because most organizations spend heavily on IT security while leaving OT systems, which often drive the majority of revenue, inadequately protected.
3. What are the five critical OT security controls every organization should implement?
The five most critical OT controls based on industry frameworks are: (1) ICS Incident Response Plan - providing the fastest path to recovery; (2) Defensible Architecture - network segmentation to limit attack spread; (3) ICS Network Visibility & Monitoring - you can't protect what you can't see; (4) Secure Remote Access - preventing the primary attack vector for OT breaches; and (5) Risk-Based Vulnerability Management - prioritizing patches for systems that can be updated. These controls address the most common vulnerabilities while recognizing that OT environments require different approaches than traditional IT security measures.
4. How can risk managers fund OT cybersecurity assessments?
Many insurance carriers and brokers provide risk control allowances that can fund OT assessments, but these services often go unused. Strategic risk managers redirect these existing resources toward their biggest gaps without requiring new budget allocation. Additionally, organizations should reallocate cyber budgets to align with revenue sources—if 70% of revenue depends on OT operations, cyber spending should reflect that proportion rather than the typical 90/10 split favoring IT. This doesn't happen overnight but should be a multi-year strategic shift, especially when presented to leadership with emphasis on life safety implications.
5. What insurance coverage gaps exist for OT cyber risks?
The Insurance Services Office (ISO) recently introduced general liability exclusions for digital threats, creating significant coverage gaps. Cyber policies often exclude business interruption and property damage, while property policies exclude cyber-caused losses. This creates gaps exactly where OT risks sit: at the intersection of cyber threats and physical operational impact. Risk managers need to identify these exposures clearly because when OT systems fail due to cyber attacks, the resulting property damage, business interruption, and safety incidents may not be covered by either cyber or traditional property policies, leaving organizations significantly exposed.