A new report shows operational technology breaches could cost the world up to USD 330 billion in extreme scenarios
A landmark study conducted by Dragos in collaboration with Marsh McLennan’s Cyber Risk Intelligence Center has crunched the numbers on the financial fallout from operational technology (OT) cyber incidents—and the results are striking. In a low-probability, high-impact “tail event” (occurring once roughly every 250 years), global losses could soar to USD 329.5 billion. Over half of this—USD 172.4 billion—would stem directly from forced halts to operations. Normal-year business interruption costs are estimated at USD 12.7 billion, rising to USD 31.1 billion when all OT incidents are considered. Crucially, indirect costs—such as precautionary shutdowns or supply chain knock-on effects—account for roughly 70% of total losses.
Context & implications
Several industries face elevated exposure. Manufacturing tops the list, with chemical and pharmaceutical sub-sectors particularly vulnerable. Utilities, oil and gas, construction, and building automation systems also carry substantial risk. Higher incident rates appear in North America and Europe, though underreporting in other regions may mask true exposure.
With such figures now quantified, the game has changed. No longer abstract concerns, OT cyber threats now translate into tangible financial exposure. The report identifies three key cybersecurity measures shown to lower risk significantly:
Incident Response Planning – can reduce risk by up to 18.5 per cent
Defensible Architecture – up to 17.1 per cent risk reduction
Network Visibility & Monitoring – up to 16.5 per cent impact mitigation
By framing OT cybersecurity in financial terms, the report equips CISOs, boards, and insurers with the insight needed to justify, prioritise, and fine-tune investment strategies.
Why it matters
For sectors managing critical infrastructures, the findings sound an urgent alarm: OT cyber-risk is not theoretical—it carries real, potentially ruinous financial consequences. Until now, decision-makers have often viewed industrial systems through an IT lens, overlooking their own risk profile. This study shifts that perspective, framing cyber defence not just as a technical priority but as a strategic business imperative. It offers a clear roadmap: risk can be measured, and—crucially—it can be reduced.
