{"id":202338,"date":"2026-04-05T03:04:00","date_gmt":"2026-04-05T07:04:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/05\/rising-breach-costs-and-operational-downtime-redefine-economics-of-ot-cybersecurity-making-it-boardroom-priority\/"},"modified":"2026-04-05T04:05:13","modified_gmt":"2026-04-05T08:05:13","slug":"rising-breach-costs-and-operational-downtime-redefine-economics-of-ot-cybersecurity-making-it-boardroom-priority","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/05\/rising-breach-costs-and-operational-downtime-redefine-economics-of-ot-cybersecurity-making-it-boardroom-priority\/","title":{"rendered":"Rising breach costs and operational downtime redefine economics of OT cybersecurity making it boardroom priority"},"content":{"rendered":"

Rising breach costs and operational downtime redefine economics of OT cybersecurity making it boardroom priority<\/a><\/p>\n

https:\/\/industrialcyber.co\/features\/rising-breach-costs-and-operational-downtime-redefine-economics-of-ot-cybersecurity-making-it-boardroom-priority\/<\/a><\/p>\n

Publish Date: 2026-04-05 03:04:00<\/a><\/p>\n

Source Domain: industrialcyber.co<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n

The economics of industrial cybersecurity is no longer a straightforward matter of considering preventive expenses but a broader analysis of intangible losses that reframe the dynamics of cyber risks. Cyber events can generate a domino effect on costs through production halts, disrupted supply chains, failure to meet contractual agreements, and regulatory inquiries that come into play following a cybersecurity incident.\u00a0<\/p>\n

Numbers speak for themselves. According to IBM\u2019s Cost of a Data Breach Report 2024, the average breach cost reached US$4.88 million globally. Healthcare leads at over $7 million per incident, with ransomware-specific costs averaging $10 million. This comes as OT-impacting breaches average $4.56 million, accounting for production expenses, safety, and regulation. Meanwhile, ransom amount makes up a small proportion of the potential liabilities.\u00a0<\/p>\n

A Forbes article states that the average manufacturer faces 800 hours of equipment downtime each year, or more than 15 hours per week. In total, unplanned downtime costs industrial manufacturers up to $50 billion annually. In addition, reputation management and downstream effects on supply chain partners drive up the losses far beyond the immediate incident period. One-quarter of industrial companies that encountered security incidents causing financial losses incurred damage greater than $5 million.<\/p>\n

Such dynamic scenarios are creating a fundamental shift in how industrial leadership approaches OT (operational technology) cybersecurity. An obligatory regulatory task has morphed into an issue of concern at the board level as attacks become more frequent, breach costs rise, and insurers begin differentiating themselves among companies based on whether they have invested in security maturity versus those who haven\u2019t. Industrial firms are shifting from being defensive in their approaches to OT cybersecurity towards being proactive and focused on access control, allowing for securing assets and applications without causing any disruptions to operational continuity.<\/p>\n

Insurance firms are playing a role in this paradigm shift, too. The estimated $16.3 billion market in 2025 is still underpenetrated, but insurers are getting stricter about underwriting practices. Thus, effectively makes robust OT investment more of a financial imperative than just an operational one.<\/p>\n

This trend is reflected in the spending trajectory. According to global estimates, cybersecurity spending will grow to $240 billion by 2026, with OT cybersecurity among the fastest-growing areas within the cybersecurity market, indicating a growing tendency towards risk-based and structured budgeting. Industrial organizations can no longer ask themselves whether they should invest in OT cybersecurity; the question is whether their investment strategy takes into account the real economic value that comes from the lack of investment. Financially, it is now possible to quantify downtime, accidents, fines, and even reputation risks.<\/p>\n

Hidden costs of industrial cybersecurity rewriting risk equation<\/p>\n

Industrial Cyber spoke with industrial cybersecurity experts to examine how the economic calculus of OT security is shifting, and why the traditional \u2018cost of security versus cost of breach\u2019 model no longer captures real risks facing industrial environments.<\/p>\n

Jacob\u202fMarzloff, president and co-founder at Armexa<\/p>\n

In OT, a breach doesn\u2019t just expose records, Jacob\u202fMarzloff, president and co-founder at Armexa, assessed, adding that it can halt production, trigger safety system failures, damage physical equipment, or endanger lives.<\/p>\n

\u201cThe variables are fundamentally different,\u201d Marzloff told Industrial Cyber. \u201cTo address these, industrial organizations need to stop asking \u2018how much does security cost?\u2019 and start asking \u2018what is the financial exposure of not having adequate controls?\u2019 This shift reframes cybersecurity as a risk management problem rather than a discretionary expense, setting the stage for understanding the true scope of potential impacts.\u201d<\/p>\n

Maarten Oosterink, co-founder and COO at Indurex<\/p>\n

Maarten Oosterink, co-founder and COO at Indurex, identified that when dealing with OT or cyber-physical systems, the old IT cost-benefit math breaks down. \u201cWe aren\u2019t just protecting data; we are protecting human lives and the environment. You simply cannot put a price tag on safety of people or environmental disaster to calculate an \u2018acceptable ROI\u2019 for your cybersecurity investments.\u201d\u00a0<\/p>\n

Agreeing that the economic calculus has shifted, David Mussington, professor of the Practice at the University of Maryland\u2019s School of Public Policy, told Industrial Cyber that the active threat environment makes the old framing not just insufficient but dangerous. \u201cThe adversary picture has clarified considerably. U.S. agencies assess with high confidence that PRC-sponsored Volt Typhoon actors are pre-positioning on IT networks specifically to enable disruption of OT functions across energy, communications, transportation, and water sectors \u2014 not espionage, but crisis-contingent sabotage.\u201d<\/p>\n

David Mussington, professor of the Practice at the University of Maryland\u2019s School of Public Policy<\/p>\n

\u201cThroughout 2025, Volt Typhoon\u2018s operations shifted toward directly interacting with OT-connected devices and stealing sensor and operational data, and Dragos now assesses that some compromised U.S. utilities will never be fully remediated,\u201d Mussington told Industrial Cyber. \u201cSalt Typhoon separately demonstrated persistent penetration of the telecommunications sector at scale. BRICKSTORM \u2014 attributed to PRC-nexus actors \u2014 achieved an average dwell time of 393 days across dozens of confirmed U.S. victims before detection.\u201d\u00a0<\/p>\n

On the Iranian side, Mussington highlighted how Pyroxene and Bauxite demonstrated destructive OT capability during the June 2025 Iran-Israel escalation cycle, with Bauxite already having compromised OT devices at U.S. water utilities. \u201cThese are not theoretical scenarios. The economic framing must reflect the actual threat environment: pre-positioned adversaries with demonstrated willingness to cause physical effects. Security investment must be evaluated against operational resilience across the full consequence chain, not breach probability at any single node.\u201d<\/p>\n

Tony Turner, vice president of product at Frenos<\/p>\n

Identifying that this framing was never valid for OT in the first place, Tony Turner, vice president of product at Frenos, told Industrial Cyber that it breaks down for three reasons. \u201cYou can\u2019t solve an equation when half the inputs are missing. Industrial breaches are increasing, but they don\u2019t occur often enough to yield reliable data. We simply don\u2019t have the volume needed to model cost the way IT does.\u201d<\/p>\n

He added that when incidents do happen, the outcomes aren\u2019t comparable. \u201cThe impact varies wildly depending on the environment. A production disruption at Jaguar Land Rover is not the same class of problem as Colonial Pipeline triggering fuel shortages across the East Coast. Those aren\u2019t different points on a spectrum; they\u2019re fundamentally different risk categories.\u201d<\/p>\n

Most importantly, Turner said that most asset owners still can\u2019t quantify their own downside. \u201cThey don\u2019t have a credible view of what a cyber-physical event would actually cost, across safety, operations, regulatory impact, and recovery. If you can\u2019t define the probability with confidence, and you can\u2019t bound the impact with confidence, there is no equation. At that point, \u201ccost of security vs. cost of breach\u201d isn\u2019t a model, it\u2019s a guess.\u201d<\/p>\n

Quantifying downtime, safety, reputational damage from cyberattacks<\/p>\n

The executives address what a cyberattack truly costs an industrial organization. Beyond ransomware payments, they examine how to quantify operational downtime, safety incidents, regulatory penalties, and the long-term impact of reputational damage.<\/p>\n

Marzloff said that even a single day of downtime at a facility can far exceed the ransom itself. \u201cLost production revenue is only the starting point. The true cost of a cyber incident includes safety and environmental exposure, contractual penalties, regulatory fines, remediation and recovery costs, increased insurance premiums, and long\u2011term reputational damage. The difference between hours and days of recovery often separates minor losses from multimillion\u2011dollar impacts.\u201d<\/p>\n

He noted that cybersecurity in OT environments is fundamentally a business risk decision, not an IT exercise. \u201cConsequence\u2011based risk assessments aligned with ISA\/IEC 62443\u20113\u20112 translate credible cyber scenarios into quantifiable business impact by evaluating how cyber events affect operations, safety systems, compliance obligations, and time to recovery. This enables leadership to prioritize investments based on risk to operate and financial exposure, not theoretical vulnerabilities.\u201d<\/p>\n

\u201cThere is no single, universal price tag for an OT cyberattack because context is everything. The cost depends entirely on the physical process you are running,\u201d Oosterink told Industrial Cyber. \u201cIn oil and gas, the cost could be measured in explosions, environmental leaks, and direct harm to human life. In pharmaceuticals, it\u2019s about ruined batches, severe regulatory penalties, and loss of compliance. But across the board, the true cost is almost never the \u2018simple IT repair bill\u2019 or the ransom payment.\u201d\u00a0<\/p>\n

He added that the real financial impact comes from the cascading operational downtime, the lasting damage to reputation, and the severe consequences to Health, Safety, and the Environment (HSE).<\/p>\n

\u201cRansomware payments remain the smallest line item. The real costs are operational: production downtime exceeding $500K per hour in manufacturing, emergency forensics, regulatory penalties under NERC CIP and the EU NIS2 Directive, supply chain disruption, and insurance escalation,\u201d Mussington evaluated. \u201cSafety incidents add litigation exposure. Reputational damage compounds over time in ESG-sensitive capital markets. Proliferating federal incident reporting obligations \u2014 across CIRCIA, SEC, and TSA sector-specific directives \u2014 add compliance overhead that resource-constrained OT teams struggle to absorb in parallel. Organizations treating these as separate cost buckets invariably undercount total exposure.\u201d<\/p>\n

In most industrial environments, Turner assessed that \u201cthe \u2018true cost\u2019 of a cyberattack isn\u2019t something you can calculate cleanly. It\u2019s something you approximate, usually with a lot of assumptions and not a lot of confidence. The data is fragmented across many disciplines. The operational impact sits with engineering and operations. Safety implications live somewhere else. Regulatory and legal exposure are separate again.\u201d\u00a0<\/p>\n

Noting that the financial impact is modeled in a completely different system, he added that stitching that together into a single, defensible number is a heavy lift, and most organizations simply aren\u2019t staffed or structured to do it well. And even when they try, the correlation between a cyber event and physical consequences is still poorly understood. That\u2019s been an open problem in this industry for over a decade.<\/p>\n

\u201cThe organizations that handle this well have stopped chasing precision they\u2019ll never fully trust. Instead, they focus on high-consequence events (HCE),\u201d Turner pointed out. \u201cThe question morphs into \u2018If this system fails, what actually happens? What does it do to operations? How long are we down? What does recovery look like?\u201d<\/p>\n

Turner said that shifts the conversation from abstract modeling to scenario-based reality. \u201cFrameworks like CIE\/CCE and ISA\/IEC 62443 help structure it, but the value isn\u2019t in the framework itself. It\u2019s in a defensible understanding of where risk actually matters, where it intersects with relevant threats, and where reducing it will have the most impact.\u201d<\/p>\n

Framing OT cybersecurity as strategic investment<\/p>\n

The executives address how OT security leaders should build a business case for investment, and what financial frameworks, metrics, and language resonate most with CFOs and boards who still see cybersecurity as a cost center rather than a strategic imperative.<\/p>\n

Recognizing that this reframing is crucial because security leaders lose influence when they speak in purely technical controls and threat taxonomies, Marzloff called upon CFOs to shift from seeing cybersecurity as a cost center to recognizing cyber incidents as operational risk events that hit the P&L directly.\u00a0<\/p>\n

He explained that the \u2018most effective\u2019 OT security programs translate cyber risk into financial terms that map directly to the P&L by quantifying operational downtime, regulatory exposure, and recovery costs as financial liabilities rather than operational incidents. Using metrics such as expected annual loss, value-at-risk scenarios, and return on mitigation investment, we reframe cybersecurity from a necessary cost center into a strategic risk management function, which is key to securing buy-in from business leadership.<\/p>\n

Oosterink said that to build a real business case, \u201cyou have to get the CFO out of their comfort zone. You need to get them out of their office and onto the shipyard or the plant floor\u2014anywhere where the business actually moves, smells, and makes noise. Once they are standing next to a multimillion-dollar asset that is the heartbeat of the company\u2019s revenue, the realization hits: this isn\u2019t an IT problem; it\u2019s a \u2018license to operate\u2019 problem.\u201d\u00a0<\/p>\n

He added that \u201cWhen they see the physical \u2018stuff\u2019 that can be touched, they understand that a cyber investment is actually an investment in operational uptime and asset integrity. After this, you can talk about operational terms like production loss per hour, asset availability, and safety exposure.\u201d<\/p>\n

Mussington urged them to lead with operational risk language \u2014 margin impact, regulatory liability, insurance cost trajectory. \u201cCFOs respond to production availability rates, mean-time-to-recovery figures, and avoided penalty calculations, not CVE counts.\u00a0<\/p>\n

\u201cThe institutional context has shifted: CISA\u2019s Stakeholder Engagement Division, which convened government-industry collaboration on critical infrastructure risk, has been substantially reduced,\u201d Mussington added. \u201cThe public-private advisory infrastructure OT leaders previously relied on is thinner. That strengthens the internal business case \u2014 the risk intelligence function must now be resourced internally rather than assumed from government. Frame security as operational continuity, not IT overhead.\u201d\u00a0<\/p>\n

Most OT security programs still sit under the CISO or CIO, which means they\u2019re embedded inside IT, Turner said. \u201cAnd IT, fairly or not, is still treated like a cost center. That reporting line shapes everything, budget, priorities, and how the program is perceived. The teams that break out of that don\u2019t do it with better dashboards. They do it by aligning directly with operations. They build relationships with the business units that actually own the risk, and they frame security in terms that those teams already use. Not CVE counts. Not patch SLAs.\u201d<\/p>\n

He listed the mean time to recovery, unplanned downtime and production availability. \u201cIf a refinery goes down, nobody cares how many vulnerabilities were patched. They care how fast you recover and how much production you lost.\u201d\u00a0<\/p>\n

Turner added, \u201cWhen you anchor the conversation in those outcomes, tied to specific assets and real scenarios, you\u2019re no longer asking for an IT-style budget. You\u2019re making a case for protecting revenue and continuity. That\u2019s a very different conversation, and it\u2019s one the board understands immediately.\u201d<\/p>\n

Rethinking industrial cybersecurity investment priorities<\/p>\n

As industrial organizations face pressure to do more with less, the executives examine where security spending should be prioritized. They also assess how to balance investment in legacy system protection against modernization and new technology adoption.<\/p>\n

\u201cOperating under resource constraints is a permanent condition for industrial security programs. Disciplined prioritization often matters more than budget size,\u201d Marzloff said. \u201cOrganizations that get this right don\u2019t start with a technology wish list; they begin with a clear assessment of which assets, if disrupted, would create the greatest operational or financial impact.\u201d\u00a0<\/p>\n

He added that legacy system protection and modernization aren\u2019t opposing choices; they\u2019re sequenced decisions driven by risk concentration. \u201cUpgrading legacy systems isn\u2019t always the most effective risk response; in many cases, compensating controls deliver greater risk reduction than wholesale replacement. Spending should follow exposure and risk\u2011based cost\/benefit analysis, not vendor roadmaps.\u201d<\/p>\n

\u201cInvestment in security should be on par with the spending in other aspects of keeping your cyber-physical systems running safely, reliably, and profitably,\u201d Oosterink weighed in. \u201cNo value in a secure asset that fails because maintenance fell short. Once the budget is clear, focus on visibility and integrity of critical assets, protection of safety systems.\u201d<\/p>\n

Mussington pushed for prioritizing by consequence severity, not asset age.\u00a0<\/p>\n

\u201cLegacy OT systems with direct safety or production impact warrant disproportionate investment \u2014 segmentation, monitoring, and access hardening,\u201d he added. \u201cNew technology integration introduces attack surface faster than most programs absorb; security-by-design requirements at the point of procurement are essential. The SRMA coordination structure is being executed with significantly reduced staffing, meaning sector-level threat advisories and vulnerability coordination may arrive more slowly or not at all for lower-profile sectors. Treat that as a planning assumption.\u201d<\/p>\n

\u201cStart with people. It\u2019s the highest-return investment in OT security, and it\u2019s usually where programs get it wrong. Not just security talent, industrial talent,\u201d Turner said. \u201cYou need people who have actually been in a plant, who understand how these systems operate, who know what a safety instrumented system is, and who can sit across from a control engineer and be taken seriously. Without that, everything else becomes theoretical. They\u2019ll shape the roadmap in a way that actually reflects the environment, not a generic security playbook.\u201d<\/p>\n

He pointed out that new technology is coming \u201cwhether you\u2019re ready or not. The real question is whether security is part of that process from the beginning, or something you try to bolt on after the fact, and that likely means getting it in the contract. We certainly can\u2019t ignore the legacy environment, but in many cases, containment and isolation are our best hope. Certainly, resources like the CIE engineered controls catalog can help.\u201d\u00a0<\/p>\n

\u201cOnce you have the right people and you\u2019re plugged into how the environment is evolving, focus on consequence,\u201d according to Turner. \u201cIdentify the assets where failure actually matters, where you\u2019re talking about safety impact or sustained production loss, not just an IT outage. Those are your priorities. Then look for simple, visible mitigations that disrupt threats, reduce real risk, and are easy to explain. You need early wins that operators understand, and leadership can see.\u201d<\/p>\n

Cyber insurance forces rethink in industrial security<\/p>\n

The executives look into how cyber insurance is evolving in the industrial sector, and whether coverage gaps, rising premiums, and insurer requirements are accelerating progress or exposing maturity gaps in OT security programs.<\/p>\n

Marzloff said insurance should be one input in a broader risk transfer strategy, not a substitute for the controls that determine whether a claim is even covered. \u201cIn the early days, cyber insurance was a simple add-on. Today, the market has matured into a de facto regulatory force. Insurers are effectively doing what frameworks haven\u2019t fully accomplished, forcing a real conversation about OT program maturity.\u201d<\/p>\n

\u201cUnderwriters are asking harder questions, requiring evidence of segmentation, asset visibility, and incident response capability, and pricing accordingly when they don\u2019t find it,\u201d Marzloff added. \u201cFor many industrial organizations, the gap between what they represent to insurers and what their programs can actually demonstrate is widening. Insurers now want to see alignment with ISA\/IEC 62443 or evidence of a NIST CSF-based program. On top of that, coverage exclusions around war or systemic events are quietly creating significant uninsured exposure.\u201d<\/p>\n

Oosterink identified that the insurance market for OT is still in an early phase and insurers are quickly learning that they don\u2019t want to foot the bill for poor industrial hygiene. \u201cBecause they are highly risk-averse, they are setting a ruthless bar for maturity. If your security isn\u2019t up to par, you either won\u2019t get coverage, or worse: you think you\u2019re covered until an incident happens, and you end up bogged down in litigation over the fine print.\u201d\u00a0<\/p>\n

Using Merck as an example, he said that they suffered massive losses after the NotPetya attack in 2017. \u201cOnly in 2024 did they settle a court case with their insurance company.\u00a0 It\u2019s highly debatable if the classic model of \u2018transferring risk\u2019 works. Insurance cannot compensate for poor engineering or weak security practices.\u201d\u00a0<\/p>\n

On insurance, Mussington said that underwriters now demand documented OT asset inventories, segmentation evidence, and tested IR plans \u2014 conditions many programs can\u2019t yet meet. \u201cFor most organizations, the renewal process has become an unintentional security audit, exposing maturity gaps that internal reviews missed.\u201d<\/p>\n

Turner said that cyber insurance is becoming both a forcing function for better security and a spotlight on how broken risk modeling still is in OT. \u201cOn one hand, insurers are tightening requirements. Underwriting is more rigorous, premiums are rising, and in some cases, OT environments are being excluded altogether. Controls that used to be \u2018best practice\u2019 are now the minimum just to get coverage. That pressure is forcing some level of maturity. Asset owners are documenting environments, validating controls, and proving basic segmentation and access management.\u201d\u00a0<\/p>\n

But he noted that it is also exposing the same fundamental problem on both sides, as neither insurers nor asset owners can reliably model cyber-physical risk. \u201cThere isn\u2019t enough consistent data. The consequences vary wildly by environment. And the downside, especially in critical infrastructure, is difficult to bound in any meaningful way.\u201d<\/p>\n

As a result, Turner highlighted that coverage gaps are widening. \u201cPolicies routinely exclude the exact scenarios that matter most in OT, safety impacts, prolonged operational disruption, and nation-state activity. In practice, cyber insurance is shifting from a risk transfer mechanism to a market signal. It tells you how your exposure is perceived, but it doesn\u2019t reduce that risk, and it definitely doesn\u2019t replace understanding it,\u201d he concluded.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Rising breach costs and operational downtime redefine economics of OT cybersecurity making it boardroom priority…<\/p>\n","protected":false},"author":1,"featured_media":202339,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/industrialcyber.co\/wp-content\/uploads\/2026\/04\/2026.04.05-Rising-breach-costs-and-operational-downtime-redefine-economics-of-OT-cybersecurity-making-it-boardroom-priority.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,27],"class_list":["post-202338","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202338"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=202338"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202338\/revisions"}],"predecessor-version":[{"id":202340,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202338\/revisions\/202340"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/202339"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=202338"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=202338"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=202338"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}