Why OT Cyber Is a Distinct Underwriting Problem
Most cyber underwriting in India still treats the insured as an office: servers, endpoints, email, a customer database, and a balance sheet exposed to ransomware, data breach and business interruption from an IT outage. For a manufacturer that picture is incomplete, because the manufacturer also runs an operational-technology (OT) environment, the programmable logic controllers (PLCs), distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, human-machine interfaces, safety instrumented systems and industrial sensors that physically run the plant. A cyber event in the OT environment does not just expose data; it can stop a production line, drive equipment outside safe operating limits, damage machinery, spoil a process batch, and in the worst case cause a fire, an explosion or a release. That is a different category of loss from the data-and-downtime exposure a standard cyber policy is built for.
The distinction matters because it crosses the historic boundary between two separate insurance markets. Damage to plant and machinery and the business interruption that follows from physical damage have always been the territory of the fire and engineering policies (the Standard Fire and Special Perils framework, machinery breakdown, and the associated business-interruption and machinery-loss-of-profits covers). Data loss, network interruption and cyber extortion are the territory of the standalone cyber policy. An OT cyber loss can fall across that line: the proximate cause is a cyber peril, but the consequence is physical damage and a property-style business interruption. Whether such a loss is covered, and by which policy, is the central underwriting question, and it is frequently answered badly because neither policy was designed with the other in mind.
This post treats OT cyber as its own underwriting discipline for Indian manufacturers in 2026: the convergence exposure that created it, the physical-damage gap in standard cyber wordings, the silent-cyber and property overlap, what underwriters actually assess on the plant floor, and how cover can be structured so the digital trigger and the physical loss are insured by design rather than by accident.
OT/IT Convergence and How the Exposure Grew
For decades the OT environment was isolated. The plant network was physically separated (air-gapped) from the corporate IT network, the control systems ran proprietary protocols on dedicated hardware, and the only way to reach a PLC was to stand in front of it. That isolation was the security model, and it meant a cyber event in IT could not reach the plant floor. The convergence of OT and IT has dismantled that model, and the exposure has grown directly out of the dismantling.
Several forces drove the convergence. Manufacturers wanted production data in their enterprise systems, so they connected the plant network to the corporate network and to the cloud for analytics, predictive maintenance and remote monitoring. Industry 4.0 and the Industrial Internet of Things put network-connected sensors and controllers throughout the plant. Remote support by equipment vendors, who maintain and update control systems over the network, opened a permanent external path into the OT environment. The result is that the air gap is largely gone, and the OT environment now sits on a connected network, often reachable, directly or through a chain of trust, from the IT environment and from the outside.
Why the converged environment is hard to defend
The converged OT environment carries weaknesses that the IT environment has largely engineered out. Control-system hardware has long service lives, so a plant commonly runs PLCs, DCS and HMIs that are ten or twenty years old, on unsupported operating systems, with firmware that cannot be patched without revalidating the process and halting production. Patching is operationally costly because the line has to stop, so legacy controllers run unpatched for years. The control protocols were designed for a trusted, isolated network and often carry no authentication or encryption, so a foothold on the OT network can issue commands to a controller. Availability and safety, not confidentiality, are the priorities, so security controls that might interrupt the process are resisted. The people who run the plant are process engineers, not security engineers, and the security tooling that protects IT often does not run on OT hardware.
The consequence is an environment that is now connected like IT but defended like the isolated system it used to be, and that gap between connectivity and defensibility is the exposure an OT cyber underwriter is pricing. A ransomware actor that lands on the IT network and moves into a poorly segmented OT network can encrypt engineering workstations, lock HMIs and halt production even without touching the controllers, and a more capable actor can manipulate the process itself. The convergence created the path; the legacy and the operational constraints make the path hard to close.
The Physical-Damage Gap in Standard Cyber Wordings
The standalone cyber policy as sold in India is built around data and downtime, and its coverage grants reflect that. The first-party grants typically cover incident response and forensics, data restoration, business interruption from a network outage, cyber extortion and ransom, and sometimes reputational harm. The third-party grants cover privacy and data-breach liability and the associated regulatory costs. None of that is designed to indemnify physical damage to plant and machinery, and most wordings make the point explicit with an exclusion.
The physical damage and bodily injury exclusion is standard in cyber wordings. It removes from the policy any claim for physical loss or damage to tangible property and any claim for bodily injury, on the basis that those are property and liability exposures belonging to other policies. For an office-based insured the exclusion is unremarkable, because the insured has no plant to damage. For a manufacturer it is the heart of the problem: the OT cyber loss the manufacturer most fears, a cyber event that damages a machine or stops a line through physical means, is exactly what the exclusion removes. The cyber policy will respond to the data and the network interruption, but not to the bent shaft, the burnt motor or the property-style business interruption that follows physical damage.
The business-interruption grant in a cyber policy compounds the gap. Cyber business interruption is usually triggered by a failure of the insured's network or computer systems, and it indemnifies the income loss from that systems outage. A production stoppage caused by physical damage to equipment, even if a cyber peril caused the damage, may not fit the cyber BI trigger, because the loss flows from the damaged equipment rather than from a systems failure as the wording defines it. So even the interruption cover, which the insured might assume bridges the gap, can fall short when the interruption is property-driven.
The mirror gap on the property side
The property and engineering policies have the mirror-image problem. The fire and machinery-breakdown wordings cover physical damage to plant and the resulting business interruption, but many now carry a cyber exclusion that removes loss caused by, contributed to by, or arising from a cyber act or cyber incident. The exclusion was introduced across global property markets to take cyber out of policies that never priced for it, and it has flowed into Indian wordings. Where it applies, a physical loss to machinery is excluded from the property policy precisely because a cyber peril caused it. The insured then faces the trap in full: the cyber policy excludes the physical damage, and the property policy excludes the cyber cause, and the OT cyber loss is uninsured on both sides. Closing that trap is the work of the structuring section below, but the first step is recognising that buying both a cyber policy and a property policy does not, by itself, insure the OT cyber loss.
Silent Cyber and the Property Overlap
The term silent cyber (also called non-affirmative cyber) describes cyber exposure that sits inside a policy that was not written to address cyber at all, neither granting it affirmatively nor excluding it clearly. A property or engineering policy written before the cyber-exclusion era, with no mention of cyber either way, is silent on cyber: if a cyber event causes physical damage, whether the policy responds is left to the general wording and to argument over proximate cause. Silent cyber is the ambiguous middle between affirmative cover and clear exclusion, and it has been the focus of regulators and reinsurers worldwide because it leaves both insurer and insured uncertain about what is actually covered.
The global market response, led by Lloyd's and major reinsurers from 2019 onward, was to require insurers to make cyber exposure affirmative or excluded rather than silent, which is why cyber exclusions spread through property and engineering wordings. The intent was clarity, not necessarily coverage: making the exposure affirmative often meant excluding it from the property policy and pushing it to a cyber policy that, as the previous section showed, may itself exclude the physical damage. The clean-up of silent cyber, pursued for sound prudential reasons, can therefore widen the gap for the OT-exposed manufacturer unless the affirmative solution actually grants the physical-damage-from-cyber cover somewhere.
Reading the property and cyber boundary on a real account
For an Indian manufacturer in 2026 the practical task is to read the boundary across the whole programme rather than policy by policy. The questions that decide where an OT cyber loss lands are specific:
- Does the cyber policy exclude physical damage and bodily injury, and if so, is there any carve-back for property damage arising from a cyber peril?
- Does the property and machinery-breakdown policy carry a cyber exclusion, and how is the excluded cyber peril defined (broad enough to catch any cyber-caused loss, or narrow)?
- Where the property policy is silent rather than excluded, how would proximate cause be argued for a cyber-triggered physical loss, and is the insurer's position known?
- Is there any affirmative grant, in either policy or by endorsement, for physical damage and business interruption caused by a cyber event?
- How do the two policies' business-interruption triggers, indemnity periods and waiting periods compare, so a single event is not split awkwardly between them?
Answering these turns an abstract gap into a mapped one, and the map is what tells the buyer and the underwriter whether the OT cyber loss is covered, partly covered or uninsured. The aim of structuring, addressed later, is to make the answer to question four yes, in a defined place, with triggers and limits that line up with the property and cyber wordings around it.
What Underwriters Assess on the Plant Floor
Underwriting OT cyber risk is not the same as underwriting IT cyber risk, because the controls that matter are different and the information the underwriter needs comes from the plant rather than the IT department. A credible OT cyber submission goes beyond the standard cyber-security questionnaire to describe the control environment, the segmentation, the legacy estate and the safety systems, and underwriters are increasingly explicit that without this detail the OT exposure will be excluded or heavily sub-limited rather than priced.
Segmentation between IT and OT
The first and most important control is the separation between the corporate IT network and the OT network. An underwriter wants to know whether the two are segmented, how (firewalls, a demilitarised zone between them, a data diode for one-way flows), whether the segmentation is enforced and monitored or merely diagrammed, and how an attacker on the IT network would be prevented from reaching the controllers. Flat networks where IT and OT share the same address space and an IT compromise lands directly on the plant floor are the highest-concern profile. Strong, monitored segmentation that contains an IT compromise before it reaches OT is the control that most reduces the modelled loss, because it limits a common ransomware path to a production-halting event.
Legacy controllers and patching
The underwriter assesses the age and patch state of the control estate: how old the PLCs, DCS and HMIs are, which run unsupported operating systems, whether firmware can be updated, and how patching is handled given that it requires production downtime and revalidation. A plant cannot realistically patch the way an IT estate does, so the underwriter looks for compensating controls around the unpatchable assets: tight segmentation, strict control of removable media and remote-access paths, application allow-listing on engineering workstations, and monitoring of the OT network for anomalous commands. The question is not whether legacy exists, it always does, but whether the legacy is ring-fenced and watched.
Remote access, vendors and safety systems
Remote access into the OT environment, especially the standing access that equipment vendors hold for support, is a primary attack path, and the underwriter examines how it is controlled: whether it is brokered through a jump host, multi-factor-authenticated, time-limited, logged and monitored, or whether it is a permanent open tunnel. Vendor and supply-chain access to the control systems is assessed as part of this. The underwriter also asks about the safety instrumented systems that exist to bring the process to a safe state, whether they are independent of the compromised control layer and cannot themselves be manipulated over the network, because the difference between a production stoppage and a catastrophic physical loss often lies in whether the safety systems remain trustworthy. Detection and response capability for the OT environment, plus tested recovery for control-system configurations, complete the picture. The plant that can show segmentation, ring-fenced legacy, controlled remote access and independent safety systems presents a fundamentally different risk from the flat, openly-accessible, unmonitored plant, and the underwriting reflects that difference.
Structuring Cover for OT Cyber Exposure
Once the gap is mapped and the controls are assessed, the structuring task is to make sure the OT cyber loss, the physical damage and the property-style business interruption caused by a cyber peril, is affirmatively insured somewhere in the programme, with triggers and limits that line up with the surrounding property and cyber wordings. There is no single market-standard answer in India yet, so the structure is built deliberately rather than assumed.
The core decision is where to place the physical-damage-from-cyber cover. Two routes are common.
- Affirmative cyber-physical-damage cover within or alongside the cyber policy. The cyber wording is extended, or a specialist cyber-physical or difference-in-conditions section is added, to carve back the physical-damage and bodily-injury exclusion for loss caused by a covered cyber peril, with its own sub-limit and a business-interruption grant that responds to a production stoppage from cyber-caused physical damage. This keeps the cyber peril and its consequences in one place and avoids the proximate-cause argument between two insurers.
- A cyber write-back on the property and engineering policies. The cyber exclusion on the fire and machinery-breakdown covers is amended so that physical damage caused by a cyber peril is written back into the property policy up to a sub-limit, keeping the physical loss with the insurer that understands plant and machinery, while the data and network exposure stays on the cyber policy.
Either route can work; what matters is that one of them is actually chosen and documented, that the chosen grant's definition of the covered cyber peril matches the exclusions it is meant to bridge, and that the two policies do not both exclude and neither include. The structuring should also align the moving parts: the business-interruption indemnity periods and waiting periods on the cyber and property sides so a single event is not split awkwardly; the sub-limits so the physical-damage-from-cyber limit is adequate for a real machinery loss and the associated downtime, not a token amount; and the deductibles so they sit sensibly against the expected loss.
Bringing It Together for the Indian Manufacturer
OT cyber risk is the point where the cyber market and the property market meet on an Indian factory floor, and getting it right requires reading both sides of that boundary at once rather than treating cyber and property as separate purchases. The exposure is real and growing: convergence has connected the plant to the network, the legacy and operational constraints of the OT environment make it hard to defend, and a cyber event can now produce physical damage and a property-style business interruption rather than only data loss and downtime. The standard cyber policy excludes the physical damage, the property and engineering policies increasingly exclude the cyber cause, and the manufacturer can sit in the gap between them.
For the buyer and the broker, the work is a sequence. Map the OT exposure (the converged environment, the legacy controllers, the segmentation, the remote-access and vendor paths, the safety systems). Read the property and cyber boundary across the existing programme to find where an OT cyber loss would land. Present the plant-floor controls (segmentation, ring-fenced legacy, controlled remote access, independent safety systems) so the underwriter can price the OT exposure rather than exclude it. Then structure affirmative physical-damage-from-cyber cover in a named place, with a defined cyber-peril trigger consistent with the surrounding exclusions, an adequate sub-limit, and business-interruption terms aligned across the cyber and property sides. Done in that order, the digital trigger and the physical loss are insured by design.
The structuring depends on knowing exactly how each insurer's cyber wording handles physical damage and bodily injury, how each property and machinery-breakdown wording defines and applies its cyber exclusion, and where carve-backs and write-backs exist or can be negotiated. Those details sit in the wordings themselves and differ across the market. Sarvada gives commercial insurance brokers structured, searchable access to insurer policy wordings, so the exclusions, carve-backs and business-interruption triggers that decide where an OT cyber loss falls can be compared across insurers and mapped against a manufacturer's real plant-floor exposure. Request Access to ground OT cyber structuring in the precise wording detail the property and cyber boundary turns on.