Total global loss attributable to cybercrime in 2024 has climbed to an estimated $9.5 trillion – an increase of over 300% since 2015. If this trend continues, 2025 is expected to be a year of many challenges for manufacturers whose industry is frequently cited as a top target for cybercriminals. Therefore, it’s increasingly important for manufacturers to better understand their unique exposures, protect against industry-class-specific risks, and, ultimately, ensure their insurance policies provide adequate coverage.
There are a multitude of manufacturing-specific headlines that speak to the publicly known financial impacts of a cyber breach event. What follows are some of the top considerations manufacturers should be aware of going into 2025.
Ransomware is a commonly used attack vector in which malware and encryption technologies are used together to render data or entire systems unusable until either systems are restored from backups or a ransom is paid. Unsurprisingly, the total amount paid to ransomware groups globally has skyrocketed from $567 million in 2022 to $1.1 billion in 2023. Cybercriminals who perpetrate ransomware attacks have gained the attention of customers, shareholders, law enforcement agencies and C-suite executives.
$1.1b is the total amount paid to ransomware groups globally in 2023
Despite best efforts to shut down and/or hinder their operations, these cybercriminals, who often get funding through a variety of illicit means, continue to prosper as old groups cease operations and new ones appear. Surprisingly, 2024 has shown a reduction in the dominance of the key ransomware groups that execute such attacks, but this seemingly positive news is being overshadowed by the latest trends. For example, LockBit, a group that historically engaged in the most ransomware campaigns in any given year, has been largely replaced by a group called RansomHub that specializes in Ransomware-as-a-Service. What’s more surprising is that RansomHub only began operations in early 2024, and its rapid growth in the space is largely attributed to its recruitment of experienced hackers. This Ransomware-as-a-Service model opens the field to those without the technical experience to launch attacks themselves, who instead launch them via proxies.
Manufacturers play a vital role in the global supply chain, and cybercriminals will continue to exploit that relationship with the global economy for the foreseeable future.
Generally speaking, manufacturers rely more heavily on operational technology (OT) for key processes than other industries do; if information technology (IT) were the brain, then OT would surely be the muscle. OT systems monitor, manage, and secure industrial equipment, and, in today’s era, they almost always include some element of the “internet of things” (IoT), whose sensors, processors and software require ironclad security protocols. Because OT is purpose-built and much more is demanded of it (compared to IT systems that live relatively cozy lives in server rooms or on desks in climate-controlled office buildings), manufacturers often don’t deploy OT software updates (patches) as frequently, which increases their vulnerability. According to one survey conducted by Palo Alto and ABI Research, 76% of respondents confirmed that OT was impacted during a recent cyberattack they experienced.
76% reported that operational technology was impacted during a recent cyberattack
Regulators have turned their attention to the importance of OT with the EU’s introduction of the NIS2 Directive, which specifically identifies manufacturers as “important entities” (a category with slightly different rules and obligations from “essential entities”). NIS2 aims to set, among other things, more stringent cybersecurity standards and imposes GDPR-style fines and penalties on manufacturers who fail to comply with the new requirements. In the United States, the Transportation Security Administration has responded to critical infrastructure breach events with an updated pipeline security directive in the wake of the 2021 Colonial Pipeline ransomware event.
Simply put, the teams that manage OT systems focus on real-world, physical production. In order for manufacturers to produce their products, it is imperative that OT systems receive a degree of care similar to what is expected of IT systems.
As AI drives a Fourth Industrial Revolution, cybercriminals are leveraging generative AI to bolster their operations and increase the effectiveness of their tactics. Generative AI is being used to automate and scale the development of malicious code and to identify potential vulnerabilities in both IT and OT systems. For example, what once took days to create a convincing phishing campaign may now take only a matter of minutes through the use of generative AI.
AI used for legitimate business purposes also has serious implications for manufacturers. Its use in collecting, processing and storing data, in media campaigns, and in managing the workforce and business and production processes poses additional security and regulatory risks. The rapid evolution of AI has in some cases outpaced the data security tools that should protect it.
Across the globe, lawmakers are mobilizing quickly to enact legislation that addresses newer AI exposures and will hold manufacturers more accountable for their vital role in the global supply chain. While the United States continues to rely primarily on state-level AI laws, the EU’s 2024 AI Act has sweeping implications for manufacturers. Under the EU AI Act, manufacturers that use AI-enabled systems must abide by strict guidelines or else be subject to material fines. Such use cases include, but aren’t limited to, the collection of biometric information, employee management and training.
A cyber incident may also cause a product-related E&O loss, which poses serious ramifications for profitability and reputation. Manufacturers often rely on their General Liability (GL) and property policies to cover all their third-party financial loss exposures, but they often aren’t aware of those policies’ coverage trigger limitations. GL and property policies fall short because they are designed to respond primarily to property damage or bodily injury triggers.
Neither of these policies is intended to defend or indemnify the Insured for third-party financial loss resulting from damages caused by a product defect. Manufacturing E&O coverage extensions resolve this issue and are oftentimes blended with Cyber policies to avoid potential coverage gaps at the time of a claim. In order for E&O coverage to apply, it’s imperative that policy wording include as many product-specific considerations as possible.
Cybercriminals often target manufacturers both directly and indirectly and exploit the correlation between production and revenue generation. Oftentimes, during a cyber-incident-triggered business disruption, manufacturers begin to sell their excess product stock to keep up with customer demand. While this may limit some of the damage, it rarely covers the full amount of the loss and leaves the business in a state of stress even after the disruption is resolved. Additionally, just-in-time inventory management practices may make this stopgap measure impossible.
Broad-scope cyber policies are designed to cover both malicious and non-malicious event triggers at both the Insured and the third-party vendor levels, thus attempting to fully address the supply chain risk manufacturers face. The value that insurance policies offer is quickly eroded if the manufacturer isn’t aware of key claim reporting and coverage conditions.
With the global supply chain becoming a more common target for cybercriminals, manufacturers face an increasingly high level of demand from their customers. During periods of disruption, manufacturers are often left with sizable holes in their balance sheets, which may impact company stock value and lead to customer attrition.
WTW highly recommends that manufacturers consider the following:
WTW is well positioned to help manufacturers address their key loss exposures through a bespoke package of analytics, coverage design and proprietary insurance facilities. We welcome the opportunity to discuss cyber and E&O risk with your organization’s stakeholders.
WTW hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, WTW offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).