Dragos 2025 OT Security Financial Risk Report: Incident Response Planning Critical for Risk Reduction

Summary

Aug. 13, 2025 – In a typical year, $31.1 billion in financial risk is associated with OT cybersecurity events, the Dragos 2025 OT Security Financial Risk Report reveals. Dragos and Marsh McLennan have collaborated on a report that quantifies for the first time the financial risk of cyberattacks on operational technology (OT) systems—critical infrastructure, manufacturing, energy and more.

The first part of the report focuses on estimating the financial risks associated with worldwide cybersecurity breaches involving OT assets. The report identifies the following as the top three challenges of managing and insuring OT cyber risk: financial impact of OT risks were previously unidentified, OT security ROI is hard to calculate and OT operators struggle to prioritize controls improvements. 

The second part of the report statistically models how various controls can potentially reduce the likelihood and severity of financial loss. Dragos recommends these among other steps to reduce risk: define an ICS incident response plan, build a defensible architecture and establish OT network visibility.

About the 2025 OT Security Financial Risk Report

The 2025 OT Security Financial Risk Report, developed in collaboration with global professional services firm Marsh McLennan, is a first-of-its-kind industry analysis that provides statistical modeling that quantifies the financial risk of OT cyber incidents and validates the effectiveness of key security controls, offering risk executives, insurers, and security leaders a practical path to measurable risk reduction.

About Dragos, Inc.

Dragos provides the most effective OT cybersecurity technology for industrial and critical infrastructure to deliver on our global mission: to safeguard civilization. After nearly a decade of real-world experience handling landmark attacks on OT networks, Dragos understands the complexity and risks of industrial environments, which operate on massive scale with unique systems and exacting availability requirements and are not protected by IT cybersecurity.