Cyber Insurance for the Manufacturing sector

Manufacturers are innovating at an unprecedented rate, integrating cutting-edge technologies in products, connecting supply chains, automating the shop floor, and increasingly investing in valuable intellectual property.

The dependence on industrial control systems (ICS), combined with the convergence of information technology (IT) and operational technology (OT) systems, has left manufacturing firms increasingly exposed to cyber threats. Dated functional systems not intended or designed for exposure to the internet pose a significant security risk.

JLT provides bespoke cyber risk management solutions and cyber liability insurance for the manufacturing sector. Our team of experts will work with you to find the right multi-dimensional cyber security solution against cyber attacks and data breaches.



This expanding digital footprint brings with it a range of cyber exposures organisations should consider:

  • A systems glitch, denial of service attack, or other network intrusion could result in significant business interruption
  • A cyber attack directed at a manufacturer’s industrial control system could result in business interruption, physical damage and bodily injury
  • Many manufacturers hold prized intellectual property, which makes them an attractive target to cyber criminals
  • Most manufacturers, even if they don’t collect third-party financial information, have some type of critical data that could make them the target of a cyber attack
  • Employee and other personnel records, corporate credit cards, health benefits and third-party corporate business information can all be attractive to cyber criminals who may then sell it to rogue states or competitors over the internet.

Should a company suffer a breach, it will be liable to regulatory fines and possibly other disciplinary action.

We can provide bespoke cyber risk management solutions and cyber liability insurance across the manufacturing sector. Our team of experts will work with you to find the right cyber security solution against data breach and cyber attacks.

Cyber Q&A

Information Technology (IT) generally refers to all things computing. Less familiar is Operational Technology (OT), the software and hardware used to monitor and control physical devices. OT is typically found in industry and critical infrastructure, where electronic systems operate equipment (such as sensors, valves or controls) in pipelines, refineries and nuclear power plants.

These Industrial Control Systems have been used for decades (and can trace their origins to the beginnings of computing and automation in the 1950s) in a wide range of sectors, such as energy, utilities, manufacturing, chemicals, transport and scientific research. They can collect data, control processes and machinery, as well as measure and manage environmental factors, like temperature, pressure etc.

OT is becoming more and more important with the march of Industry 4.0 and increased levels of automation in industry. Smart systems are being developed for power and utilities, transport and manufacturing that will see more and more industrial control systems and equipment connected to networks, including the cloud.

And with the Internet of Things (IoT), OT will increasingly move beyond the industrial environment, as more and more technology is used to monitor and control devices in other sectors, such as logistics, medicine, building management, telecommunications and entertainment.

However, OT and IT are quite different beasts, and are usually treated separately within organisations. But, according to Gartner, developments in IoT, smart systems, machine learning and automation will see IT and OT systems become more integrated.

But OT and IT systems currently have conflicting priorities. While IT services are primarily concerned with data protection and security, OT has so far prioritised accessibility over security. Many industrial control systems were not designed with security front of mind, but awareness of their vulnerabilities and the potential consequences of cyber attacks have been increasing.

One of the most high-profile attacks using OT involved a steel mill in Germany, where hackers accessed the plant's control systems, taking control of the blast furnace. Iranian hackers were also said to have taken control of flood gates at a US dam in 2013.

OT systems are also harder to protect than IT. Many are known to run on unsupported or unpatched operating systems. Such systems are also vulnerable to human error – hackers used targeted emails and social engineering to infiltrate the German steel mill systems.

Companies are becoming increasingly dependent on IT systems - to manage supply chains, communicate with customers and trade - and are therefore exposed to the risk of significant disruption from IT system failures.

Cyber insurance has evolved over recent years and broad forms of system failure coverage are now available. However it is important to examine wordings as significant differences exist between policies.

Cyber insurance can cover business interruption losses from a wide range of systems failures, but will not generally cover outages caused by power supply or telecommunications failures. Depending on the policy, other exclusions may also apply, such as the failure of new software roll-outs or upgrades.

System failure cover typically falls into one of two camps: all risks or named perils. All risks provides the broadest cover, but the market is more limited in terms of insurer options and capacity, and the pricing is frequently higher. Underwriters are also likely to require more information from insureds.

For companies that require system failure cover, it is critical to be aware of the type and scope of cover under their cyber insurance policies. It is also important to work with a specialist broker to understand the implications of wordings.

Cyber espionage is one of the murkier aspects of cyber risk. Few organisations will admit to having been a victim of cyber espionage, but many are concerned about a cyber attack that seeks to steal confidential information, like trade secrets or client data.

Cyber espionage topped the list of major threat concerns for global business, according to a survey by Trend Micro. One in five global organisations surveyed ranked cyber espionage as the most serious threat to their business while 20% of US companies were said to have suffered a cyber espionage related attack in the last year.

Cyber espionage is a broad term to describe the theft of information related to individuals, companies and governments, using hacking techniques. Foreign governments, state-affiliated hackers and even business rivals will all potentially have an interest in stealing valuable data, such as military secrets, technology or research.

In its broader sense, cyber espionage can also refer to attempts to disrupt critical infrastructure or services by foreign governments or state-backed hackers. For example, a cyber attack in Ukraine targeted power stations in December 2015, causing widespread outages.

As more and more critical data and intellectual property moves online, cyber espionage is likely to become a more pressing issue. At the same time, nation states and state-backed hacking groups tend to be better resourced and use more sophisticated methods than cyber criminals.

A recent report from Lloyd’s identified energy, telecommunications and the public sector as the three sectors most susceptible to cyber espionage, followed by manufacturing and professional services. Foreign governments and their agents target these sectors as they seek to steal sensitive information on politically exposed persons, intellectual property and key infrastructure.

Patches are software updates, usually released to improve the performance or fix bugs and security vulnerabilities in software already installed on computers, IT systems and devices.

Software is far from perfect and glitches and vulnerabilities are readily exploited by hackers who use them to carry out cyber attacks, spread viruses, malware, ransomware and to create armies of botnets.

More sophisticated cyber attacks use unknown vulnerabilities – called zero-day exploits – but the majority rely on known vulnerabilities. Analysis suggests that zero-day vulnerabilities account for as little as 1% of vulnerabilities in Microsoft software.

In fact most exploits involve vulnerabilities that were patched more than a year ago. According to Fortinet’s recent Threat Landscape Report, 90% of organisations recorded exploits for vulnerabilities that were three or more years old. Some 60% of firms were still seeing attacks for vulnerabilities dating back 10 years or more.

The WannaCry and Petya ransomware attacks in 2018 demonstrate the extent to which failing to patch can leave companies vulnerable. Both used known vulnerabilities to spread through networks and encrypt data, and despite the availability of a patch, the malware infected hundreds of thousands of computers.

Regular patching is known to be an effective form of defence against cyber attacks, and yet companies take on average 100 days or more to update their systems.

In an ideal world, every organisation would apply the latest security patches and updates to their IT systems as soon as they are released. But in reality there are many good reasons why companies do not keep software up-to-date, not least because of the complexity and interdependencies of software and the reliance on critical IT systems.

Patches can create more problems than they solve, and have been known to cause systems to crash catastrophically. In 2015, trading ceased on the New York Stock Exchange for nearly four hours after a technology upgrade went wrong, while a failed upgrade left thousands of banking customers unable to access their accounts at Australia-based St George’s Bank.

Silent cyber refers to potential cyber exposures contained within traditional property and liability insurance policies, which may not implicitly include or exclude cyber risks.

Unlike specialist standalone cyber insurance, which clearly defines the parameters of cyber cover, traditional insurance policies were not designed with cyber exposures in mind. In many cases, traditional policies will not specifically refer to cyber and could theoretically pay claims for cyber losses in certain circumstances.

This is particularly true for all risk property coverages that do not exclude cyber risk - also known as ‘non-affirmative’ cyber - and is particularly relevant for marine, aviation, transport and property lines, although it is also present in some liability covers.

For example, a study by the UK’s Prudential Regulation Authority (PRA) in 2016 found that the aviation insurance sector has to date been comfortable providing implicit cyber cover and the market has not witnessed a move to introduce exclusions.

Similarly, there are currently no widespread cyber exclusions in the property market. However, underwriters have acknowledged the potential for cyber aggregation resulting from cyber attacks on high-profile commercial or industrial targets, or from smart-house technology, the PRA said.

Casualty lines may also have significant exposure to silent cyber losses, reflecting the fact that exclusions are not widely used or because some policies cannot exclude cyber losses, such as mandatory coverages like motor. Directors and officers, professional indemnity, financial institutions and general liability products are likely to be exposed to various degrees to ‘silent’ risks due to a lack of use of effective exclusions, the PRA said.

How the market approaches silent cyber exposures will have a direct impact on coverage and the way in which the market reacts to very large and systemic losses.

Cyber-attacks against digital supply chains are on the rise. Supply chain compromises typically seek to introduce security flaws or exploitable features into hardware, software, or digital services, which are then passed on to customers. 2017 saw some significant examples of supply chain attacks, including the compromise of managed service providers (MSPs) and several software products.

In 2017, suspected Chinese hackers compromised several global MSPs, which deliver outsourced IT, HR and business services. It is thought that the attackers obtained commercially sensitive data from the MSPs and their clients, which included government agencies.

According to the National Cyber Security Centre (NCSC), MSPs represent a particularly attractive target as they have links to thousands of customers worldwide. Even if a client has strong cyber security, it may find itself vulnerable if a trusted network link to an MSP is compromised.

Between 15 August and 12 September 2017, downloads of a free computer clean-up tool known as CCleaner were infected with malware. The incident is thought to have affected over two million downloads by both individuals and businesses, and resulted in further attacks against large technology and telecommunications companies in the UK, Taiwan, Japan, Germany and the US.

NotPetya, the global malware attack that caused major disruption in June 2017, was also a supply chain attack.

Attackers managed to introduce malware into MeDoc, a legitimate software application widely used by businesses in Ukraine for handling tax returns. The compromised MeDoc update infected users of the application, while the malware was then able to spread itself within networks.

Supply chain cyber attacks are seen as an increasing threat by cyber security agencies and cyber security firms. Analysis from Symantec identified a 200% increase in attacks where hackers injected malware into the software supply chain. This equated to one attack every month last year, compared to four attacks in all of 2016.

Cyber war games simulate the experience of a real cyber-attack, enabling organisations to test their cyber response procedures, capabilities and governance in a safe and controlled environment.

Cyber war games differ from traditional penetration testing, which typically looks for vulnerabilities in IT systems, networks and websites. Cyber war games are a much more involved exercise, aimed at testing an organisation’s overall response to a cyber incident, including the decision making of senior managers and the effectiveness of communications.

War games use specially developed scenarios – like a malware or spear phishing attack – to simulate an attack. Simulations can be a simple ‘table top’ exercise or a full-blown simulation. The former would see participants briefed on the attack scenario, whereas participants in a simulation are given very little information and have to work through problems as they arise.

The exercise should, however, be cross functional, involving IT, risk management, business continuity, legal, corporate communications, marketing and customer care. This helps build relationships in advance of a cyber incident and tests the flow of information, including an organisation’s ability to share information effectively and quickly, both internally and externally.

Companies can employ a third party to design and run the war game on their behalf. War games can involve an organisation’s key business partners, suppliers and contractors; while incorporating third party services, including breach response, crisis management and even insurance.



We are aware that you have a choice of who represents you, so why choose JLT?

  • We stay close to the pulse of the vibrant London insurance market and leverage our relationships and knowledge
  • Our deep technical knowledge means that we do not accept any insurer's standard policy form and will work tirelessly to ensure you receive a differentiated result
  • Claims advocacy is a vital part of our offering to clients. We link it to placing and wording to ensure that clients receive a full circle and joined up approach. Our claims advocates will provide you with tailored policy wordings, advising you about notification and coverage, and work with you and your insurers to achieve successful resolution of all claim-related matters
  • We host training workshops and establish regular meetings with clients
  • We create content that highlights the latest risk trends and aims to simplify concepts that may seem confusing to individuals with limited experience in technology. This includes our monthly newsletter, Cyber Decoder, in-depth whitepapers as well as a wide range of educational videos and materials
  • We know we can’t do it all (penetration testing, incident response drilling, technical security advice) and so we seek unique partnerships, to bring you cutting edge solutions.



In June 2017, an American drug giant was hit by the Petya ransomware virus. The malware originated in Ukraine and spread around the globe within 24 hours affecting a multitude of different industries. The virus worked by infiltrating IT systems, encrypting data files that could only be unencrypted once a ransom was paid. The business interruption this caused to the manufacturer was expected to have a significant effect on the company’s bottom line for 2017.

Costs to the company would include the ransomware demand and the associated investigatory costs to determine its source and validity. Harder to quantify but likely of greater financial significance is the business interruption loss incurred by the company due to the unavailability of its systems. Cyber policies can cover for loss incurred by the insured following a security failure (usually after a waiting period and subject to a monetary retention). The insurable costs can include extra expense caused by the interruption and lost revenue.


In 2014, a German steel mill’s office network was compromised via a spear-phishing attack. The attackers gained control of its industrial control systems, which resulted in frequent failures of individual control components, rendering the operators unable to adequately regulate the blast furnace.

The blast furnace was shut down and suffered significant damage. The mill suffered both business interruption and physical damage.

Although the cost of the attack is undisclosed, the mill suffered significant physical damage to the blast furnace resulting in months of business interruption due to the inability of the mill to continue to function.
