A new report by Dragos and Marsh McLennan highlights a potential $330 billion loss from OT cyber risks.
Indirect costs, such as business interruptions, make up the majority of the financial impact.
The report emphasizes the need for executives to better understand and manage OT cyber risks.
The study aids in aligning security investments with financial outcomes, especially under new regulatory pressures.
A new report from Dragos and Marsh McLennan quantifies the massive financial risk lurking in operational technology, warning that a severe cyber event could spark nearly $330 billion in global losses. The analysis gives executives a clear financial metric for a danger that has long been a C-suite blind spot.
The cost of chaos: The real damage, the report finds, isn’t from fixing hacked machines—it’s the catastrophic fallout. Up to 70% of the financial impact comes from indirect hits like supply chain chaos, with business interruption alone accounting for over $172 billion of the potential total.
A C-suite blind spot: “Executives are increasingly accountable for managing cyber risks, but many still lack a clear line of sight into OT environments,” said Robert M. Lee, CEO and Co-founder of Dragos. “The ability to quantify OT cyber risk and correlate it to potential financial losses is a game-changer.”
The report shows companies aren’t helpless, finding that three basic security measures from the SANS ICS framework deliver the biggest bang-for-the-buck in risk reduction: incident response planning (nearly 19%), defensible architecture (over 17%), and network visibility (over 16%).
The bottom line: By connecting security controls to clear financial outcomes, the study gives executives, risk managers, and insurers a shared framework to prioritize spending and confidently invest in OT security, especially as regulators force the issue with new disclosure rules.
Also on our radar: While the Dragos report tackles a specific risk, CISOs are grappling with broader strategic challenges in tying security investments to business goals. Meanwhile, on the consumer front, a different kind of financial cybercrime—authorized push payment fraud—is now being treated as a national security risk in the UK.