What Cyber Insurance Requires from Manufacturers in 2026

July 03, 2026

I sat with a plant manager in South Florida last month who had just gotten a call from his broker. His cyber policy was up for renewal, and the carrier had sent over 47 new questions before they'd issue a quote. He'd answered 12 of them two years ago. Now they wanted documentation on OT network segmentation, multi-factor authentication on every remote access point, and a signed incident response plan. He had none of that on paper. His premium went up 38 percent. He signed anyway because he needed the coverage.

That's the new normal for manufacturers. Cyber insurers spent 2023 and 2024 paying out large claims from ransomware attacks on production environments. They've done the math, adjusted their actuarial models, and rewritten their questionnaires. In 2026, getting affordable cyber insurance as a manufacturer isn't about checking boxes. It's about proving your operation can survive an attack and recover without taking the insurer down with you.

This guide breaks down exactly what underwriters are looking for, where manufacturers typically fall short, and how to get your shop floor and your office network ready before your next renewal date.

Key Takeaways

  • Cyber insurers now require documented OT/IT segmentation, not just IT controls, for manufacturing policy renewals in 2026.
  • MFA on all remote access points, including VPNs and remote desktop tools, is a non-negotiable baseline across every major carrier.
  • An unsigned incident response plan sitting in a folder won't satisfy an underwriter. It needs to be tested and attested.
  • Legacy equipment patching policies must be documented even when patches don't exist, and compensating controls must be in place.
  • Manufacturers who prepare 90 days before renewal typically save 15 to 25 percent compared to those who scramble at the deadline.

Why Cyber Insurance Requirements Changed for Manufacturers

The Manufacturing Ransomware Wave Reshaped Actuarial Models

Between 2023 and 2025, manufacturing surpassed healthcare as the most-targeted industry sector by ransomware groups. The reason isn't complicated: downtime on a production line costs far more per hour than downtime in an office. Attackers know this, and they set ransom demands accordingly. Insurers paid out. Then they rewrote the rules.

A 2025 analysis from the Cyber Readiness Institute found that 68 percent of manufacturers who filed a ransomware claim had no network segmentation between their office IT and plant floor OT systems. The attacker got in through a phishing email, moved laterally to an HMI, and shut down the line. The insurer paid the claim, and then declined to renew the policy. That pattern, repeated across hundreds of claims, is what drove the current round of questionnaire overhauls.

What Underwriters Learned About Manufacturing Environments

Most manufacturers don't run a typical IT environment. You've got PLCs, HMIs, SCADA systems, and industrial sensors running 24/7 on operating systems that haven't seen a patch in years. Some of them can't be patched because the vendor went out of business, or because a patch would require a production shutdown that costs more than the upgrade itself.

Underwriters understand this now. They're not asking you to replace your aging CNC controller. They're asking you to prove you've contained it. That's a meaningful shift, and it's one manufacturers can work with if they understand what the proof needs to look like.

The Minimum Controls Every Underwriter Now Requires

Multi-Factor Authentication on Every Remote Access Point

Every major carrier, including Hartford, Chubb, Coalition, and Travelers, lists MFA as a hard requirement. No MFA on remote access means no quote, or a significantly higher premium that makes the policy barely worth having.

For manufacturers, this means MFA on your VPN, on Remote Desktop Protocol connections, on your ERP system, and on any cloud applications your team uses. If you've got technicians remoting into the plant floor from home, every one of those sessions needs MFA. This isn't a negotiating point with underwriters in 2026. It's a gate.

Our managed cybersecurity services include MFA deployment across both IT and OT environments, including the tricky cases where OT devices don't natively support modern authentication protocols.

Actionable tip: Run a 15-minute audit of every remote access tool your team uses. List them, confirm which ones have MFA active, and close the gaps before your renewal questionnaire arrives.

Network Segmentation Between IT and OT

This is the control that catches the most manufacturers off guard. The underwriting questionnaire typically reads something like: "Are your operational technology systems logically or physically separated from your corporate IT network?" If you answer no, your options narrow considerably.

Proper segmentation doesn't require ripping out your entire network. A properly configured firewall between your office network and your plant floor network, with documented rules about what traffic is allowed to cross, satisfies most carriers. Some will ask for a network diagram. You should have one either way.

Our work on OT/IT segmentation for manufacturers shows how even firms running legacy equipment can implement segmentation that satisfies their insurer without disrupting production schedules.

A Signed and Tested Incident Response Plan

Every manufacturer we talk to says they have a plan. When we ask to see it, we often get a Word document dated 2021 that nobody has opened since. Underwriters have started asking for evidence that the plan has been tested: a tabletop exercise summary, a sign-off from leadership, or a third-party attestation.

Your incident response plan needs to answer who's in the room when an attack happens, who calls the insurer's breach hotline, who decides whether to pay a ransom, how you communicate with customers during a production outage, and how you bring systems back online. A plan that doesn't address all of those isn't going to satisfy a 2026 underwriter.

Actionable tip: Schedule a two-hour tabletop exercise with your leadership team before your next renewal. Walk through a ransomware scenario, document the date and attendees, and keep a one-page summary on file. That record can be the difference between a policy approval and a coverage dispute.

OT-Specific Requirements That Catch Manufacturers Off Guard

Legacy Equipment Patching Policies

You can't always patch your OT systems. Underwriters know this. What they want to see is a documented compensating control policy: a written record that identifies each unpatched system, the network segment it sits in, the firewall rules restricting its traffic, the monitoring solution watching it, and the plan to replace it.

The worst answer on a questionnaire is "our equipment can't be patched." The best answer is "our equipment can't be patched, and here is the compensating control framework we've built around it." That second answer gets you a quote. The first one often doesn't.

Actionable tip: Create a one-page asset inventory listing every OT device, its operating system, its patch status, and its compensating controls. This single document can move you from a declined quote to an approved policy.
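
One way to check that inventory before it goes to your broker, as an added example that is not part of the original article: it flags every device that is not fully patched and whose record is missing any of the compensating-control elements listed above. The CSV column names and the sample rows are constructed assumptions.

```python
import csv
import io

# Column names are assumptions for this example; they mirror the elements the
# article says a compensating-control record must identify.
REQUIRED_FOR_UNPATCHED = (
    "network_segment", "firewall_rules", "monitoring", "replacement_plan",
)

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """\
device,os,patch_status,network_segment,firewall_rules,monitoring,replacement_plan
CNC-01,Windows XP Embedded,unpatchable,OT-VLAN-20,FW-RULESET-7,passive OT sensor,2027 capital budget
HMI-03,Windows 7,unpatched,OT-VLAN-20,,passive OT sensor,
PLC-11,vendor firmware 2.4,current,OT-VLAN-30,FW-RULESET-9,,
SCADA-SRV,Windows Server 2012,unpatched,,,,
"""


def audit_inventory(csv_text):
    """Return {device: [missing fields]} for devices that are not fully patched."""
    gaps = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = (row.get("patch_status") or "").strip().lower()
        if status == "current":
            continue  # patched devices need no compensating-control record here
        missing = [f for f in REQUIRED_FOR_UNPATCHED
                   if not (row.get(f) or "").strip()]
        if not status:
            missing.insert(0, "patch_status")  # unknown status is itself a gap
        if missing:
            gaps[row["device"]] = missing
    return gaps


if __name__ == "__main__":
    for device, missing in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: missing {', '.join(missing)}")
```

An empty result means every unpatched device has a complete record on paper; it does not verify that the firewall rules or monitoring named in the record are actually in place.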

Remote Access Controls for ICS and SCADA Systems

If a vendor needs remote access to your SCADA system for maintenance, how does that session work? If your answer is "they VPN in and we give them credentials," you're going to run into problems at renewal. Underwriters now want vendor remote access governed by a formal process: credentials that expire after each session, multi-factor authentication on the connection, and session logging.

This doesn't require expensive software. A jump server with MFA and session recording satisfies most carriers. What doesn't work is leaving a persistent remote access connection open for a vendor who accesses your systems twice a year.

Actionable tip: Pull a list of every active VPN credential tied to a vendor or third party. Disable any that haven't been used in the past 90 days and document a formal reissue process for when they're needed again.
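
The 90-day review from the tip above can be scripted against whatever account export your VPN or directory produces. This is an added example, not part of the original article; the column names, account names and dates are constructed, and a real export will need its own column mapping.

```python
import csv
import io
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # threshold taken from the tip above

# Constructed export; a real VPN or directory export will have other columns.
SAMPLE_EXPORT = """\
account,owner_type,enabled,last_login
acme-plc-support,vendor,true,2026-01-14
scada-integrator,vendor,true,2026-06-20
hvac-contractor,third_party,true,
jsmith,employee,true,2025-11-02
old-robot-vendor,vendor,false,2024-09-30
"""


def stale_vendor_accounts(csv_text, today):
    """Return [(account, days_idle)] for enabled vendor or third-party accounts
    not used within STALE_AFTER. days_idle is None when no login is on record."""
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["owner_type"].strip() not in ("vendor", "third_party"):
            continue  # employee accounts are outside this review
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled
        last = row["last_login"].strip()
        if not last:
            stale.append((row["account"], None))  # never used: disable as well
            continue
        idle = today - date.fromisoformat(last)
        if idle > STALE_AFTER:
            stale.append((row["account"], idle.days))
    return stale


if __name__ == "__main__":
    for account, days in stale_vendor_accounts(SAMPLE_EXPORT, date(2026, 7, 3)):
        detail = "no login on record" if days is None else f"idle {days} days"
        print(f"disable {account}: {detail}")
```

Keep the dated output with your renewal file; it doubles as evidence that the review was performed.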

If your operation isn't sure where it stands on these controls, a free security assessment is the fastest way to find out before your broker does.

What Documentation Your Underwriter Wants to See

The Security Questionnaire Trap

Cyber insurance applications have grown from 12 to 45-plus questions over the past three years. The trap isn't the volume of questions. It's the assumption that answering "yes" without documentation to back it up is safe. Carriers now routinely request evidence after binding. If you said you have MFA and you can't prove it on the day of a claim, you may face a coverage dispute at exactly the moment you need your policy to work.

Read each question as if a claims adjuster will read your answer after a breach. If you'd need to clarify or qualify the answer at that point, clarify and qualify it now in your initial submission.

Evidence Your Insurer Will Accept

Here's what the documentation package for a manufacturing cyber insurance renewal typically needs to include:

  • A network diagram showing IT/OT segmentation
  • Screenshot or export of MFA enrollment for all admin and remote-access accounts
  • A signed incident response plan with the most recent tabletop exercise date
  • An OT asset inventory including patch status and compensating controls for unpatched systems
  • A vendor remote access policy with session logging confirmation
  • Backup configuration showing offsite or air-gapped copies tested within the past 90 days

Our compliance management services help manufacturers build this documentation set ahead of renewal, so you're not assembling it under deadline pressure when your broker is waiting on the application.

How to Prepare for Renewal Without Overpaying

The 90-Day Pre-Renewal Window

The manufacturers who get the best outcomes at renewal start 90 days out. That's enough time to implement the missing controls, test them, document them, and have the package ready when the broker sends the application. Starting two weeks before renewal means you're answering questions about controls you haven't finished implementing yet.

If you've got a CMMC requirement layered on top of your cyber insurance renewal, many of the controls overlap significantly. Our CMMC compliance guide for defense manufacturers maps directly onto the cyber insurance control framework. Addressing both in one project is significantly more efficient than treating them as separate workstreams.

Work With a Broker Who Understands Manufacturing

A general commercial insurance broker may not know which carriers write favorable policies for manufacturers with OT environments. A specialist broker knows which carriers are asking for OT segmentation documentation and which are still using a shorter questionnaire form. That knowledge matters when you're weighing a meaningful premium difference between carriers quoting the same coverage limits.

Before your renewal, ask your broker to show you the security questionnaire from at least three carriers. If the forms look identical, they may be using a clearinghouse and aren't shopping your risk as competitively as they could be.

Our managed IT services for manufacturers include pre-renewal preparation that produces the documentation package your broker needs to get competitive quotes, without requiring you to pull your team off the production floor to gather it.

Frequently Asked Questions

What happens if I'm already past my renewal date and don't have MFA in place?

Most carriers will write a short-term policy with an endorsement requiring MFA to be implemented within 30 to 60 days of binding. You'll pay a higher rate until the control is in place. The key is to be upfront with your broker rather than answering "yes" on the questionnaire and hoping nobody checks.

Does a general commercial policy cover a cyberattack on my plant floor?

Standard commercial policies typically exclude cyber-related losses or cap them at a low sublimit. A standalone cyber policy covers business interruption from a ransomware attack, data breach notification costs, and ransom payments where legal. Without one, a production shutdown from a cyberattack comes directly out of operating cash flow.

How do underwriters assess legacy OT equipment that can't be patched?

Underwriters evaluate compensating controls: network segmentation, traffic monitoring, access restrictions, and a documented replacement timeline. A manufacturer with unpatched equipment and strong compensating controls will typically get a better rate than one with newer equipment and no documentation of how it's protected.

What's the difference between a first-party and third-party cyber policy for manufacturers?

First-party coverage pays for your own losses: business interruption, ransom, data recovery, and notification costs. Third-party coverage pays for claims from customers or partners whose data you hold or whose operations were disrupted by an incident in your environment. Most manufacturers need both, especially if you're a supplier to larger firms with contractual cybersecurity requirements.

Can a manufacturer with 30 employees get cyber insurance at a reasonable cost?

Yes, and in most cases the premium is lower than people expect before they've shopped it. A 30-person manufacturer with proper MFA, documented segmentation, and a tested IR plan can get solid coverage for a fraction of what a ransomware recovery costs without insurance. The issue isn't eligibility. It's having the controls in place to get a competitive quote.

Ready to Get Your Manufacturing Operation Insurance-Ready?

Cyber insurance only works if it pays when you need it to. The work you put in before renewal, documenting your controls, segmenting your network, and testing your incident response plan, is also the work that protects your operation whether you ever file a claim or not. Start with a free security and compliance assessment from Gradient Data Solutions. We'll show you exactly where you stand before your next renewal date.
