Manufacturing is the UK commercial sector where cyber risk is most likely to become physical risk. A retailer that loses its ERP for 48 hours loses sales. A manufacturer that loses its MES, ICS or SCADA for 48 hours risks injured employees, destroyed machinery, batched product spoilage, environmental release and regulatory action. The convergence of IT (information technology) and OT (operational technology) has accelerated since 2018; the cyber threat actors have followed; and the insurance question — which policy responds, with what carve-back for bodily injury and property damage — is the most consequential boundary in the modern commercial programme.
This spoke walks through the manufacturing cyber landscape with a worked example, the IT/OT segmentation framework, the cyber-physical insurability question, and the specific underwriting expectations for manufacturers in 2026.
Manufacturers face three distinct cyber exposures.
IT — information technology. The standard commercial network: ERP, CRM, email, file servers, finance and HR systems. The IT exposure is conventional and well-understood: ransomware, BEC, phishing, data breach. The cyber policy’s standard heads respond.
OT — operational technology. The industrial control systems and SCADA platforms that run production lines: programmable logic controllers (PLCs), distributed control systems (DCS), human-machine interfaces (HMIs), manufacturing execution systems (MES). The OT exposure includes process disruption, machinery damage, safety interlock disablement, batch contamination, environmental release. The cyber policy’s response depends on the specific OT coverage.
IIoT — industrial Internet of Things. Sensors, edge devices, predictive maintenance systems, connected machine tools — the modern bridge between IT and OT. The IIoT exposure includes data integrity (false sensor readings causing wrong manufacturing decisions), unauthorised access (compromised IIoT device as a beachhead to OT), and supply chain (IIoT vendor compromise propagating to the manufacturer’s plant).
The convergence: most modern manufacturers have a flattened IT/OT network where the historical air-gap between business systems and plant control systems has been replaced by remote access, vendor connectivity, and convergent monitoring. The Purdue model (a five-level segmentation of industrial networks) is the conceptual reference; the practical reality is far less segmented than the model assumes.
A pharmaceutical contract manufacturer in the South East operates a single 12,000 m² facility producing sterile injectable products under MHRA licence. The site runs 24/7 with three production lines: a vialing line, a syringe-filling line and a lyophilisation (freeze-drying) line. The production environment is GMP-controlled with extensive environmental monitoring, batch records, and Computerised System Validation under EU GMP Annex 11 / 21 CFR Part 11.
The site’s IT/OT architecture:
- IT zone: ERP (SAP), document management, email — segregated from OT by firewall.
- DMZ: data historian, quality systems, MES (Manufacturing Execution System).
- OT zone: SCADA, PLCs controlling fill lines, environmental monitoring sensors (temperature, humidity, particle counts in cleanrooms), utilities monitoring (water-for-injection, compressed air).
- IIoT layer: connected sensors and machine telemetry feeding the MES.
A spear-phishing email reaches a process engineer who has VPN access to the OT zone for remote support. The attacker establishes a foothold in the IT zone, escalates privileges, and traverses into the DMZ. From the DMZ, the attacker accesses the historian database and the MES. Lateral movement into the OT zone takes a further seven days.
The attacker then performs three actions:
1. Disables the environmental monitoring sensor alarms for the syringe-filling cleanroom, so any temperature excursion goes unreported.
2. Modifies the lyophilisation line’s cycle parameters slightly, extending the primary drying phase by twelve minutes per batch.
3. Initiates ransomware on the IT and DMZ zones, encrypting the ERP, document management, MES and historian.
The disruption is detected on Tuesday morning when finance staff cannot access the ERP. Investigation reveals the cleanroom temperature excursion (now seven hours old, with cleanroom temperature having risen by 4°C — well outside the validated range) and the modified lyophilisation cycle (now affecting the previous two batches).
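Both OT manipulations in this scenario leave a fingerprint before any finance login fails: the live cycle parameters no longer match the validated state, and the cleanroom readings exceed the validated limit while the SCADA alarm stays silent. The following is an added example (not the manufacturer’s or any vendor’s code) using constructed values and hypothetical parameter names; it treats the validated configuration as a baseline and re-checks readings independently of the control system’s own alarms.

```python
"""Detect configuration drift and suppressed environmental alarms.

All values and field names below are constructed for illustration and do
not correspond to a real SCADA, MES or historian schema.
"""

# Validated baseline (constructed): lyophilisation cycle and cleanroom limits.
VALIDATED = {
    "lyo_line": {"primary_drying_min": 1440, "shelf_temp_c": -40},
    "syringe_cleanroom": {"alarms_enabled": True, "temp_max_c": 22.0},
}

# Live snapshot after the intrusion (constructed): primary drying extended
# by twelve minutes and cleanroom alarms disabled, as in the scenario.
LIVE = {
    "lyo_line": {"primary_drying_min": 1452, "shelf_temp_c": -40},
    "syringe_cleanroom": {"alarms_enabled": False, "temp_max_c": 22.0},
}

# Constructed cleanroom readings: (minutes elapsed, temperature in degC,
# whether the control system raised an alarm). Temperature climbs by 4 degC.
READINGS = [(0, 20.5, False), (60, 21.0, False), (120, 23.5, False), (180, 24.5, False)]


def config_drift(validated, live):
    """Return (system, parameter, expected, actual) for every deviation."""
    drift = []
    for system, params in validated.items():
        live_params = live.get(system, {})
        for name, expected in params.items():
            actual = live_params.get(name)
            if actual != expected:
                drift.append((system, name, expected, actual))
    return drift


def silent_excursions(readings, temp_max):
    """Readings above the validated limit that the control system did not alarm on."""
    return [(t, temp) for t, temp, alarmed in readings if temp > temp_max and not alarmed]


def assess(validated, live, readings):
    """Combine both checks into a list of human-readable findings."""
    findings = [
        f"config drift: {s}.{p} expected {e!r} got {a!r}"
        for s, p, e, a in config_drift(validated, live)
    ]
    limit = validated["syringe_cleanroom"]["temp_max_c"]
    for t, temp in silent_excursions(readings, limit):
        findings.append(f"unreported excursion at t+{t} min: {temp} C > {limit} C")
    return findings


if __name__ == "__main__":
    for line in assess(VALIDATED, LIVE, READINGS):
        print(line)
```

The drift check is what "validated-state patching" and PLC/SCADA configuration backups make possible: without a trusted baseline there is nothing to diff the live plant against.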
Production stops. The MHRA is notified. Three batches of product (worth £3.2m at COGS, £8.4m at selling price) are quarantined pending investigation. The cleanroom requires re-qualification before resumption (estimated 21 days). The lyophilisation cycle requires re-validation before resumption (estimated 14 days).
The manufacturer’s losses:
- Direct revenue impact during the disruption (estimated 35-day partial outage): £14m.
- Quarantined batches investigation: £600k.
- Quarantined batches likely write-off: £8.4m at selling price (or £3.2m at COGS depending on policy basis).
- Cleanroom re-qualification: £450k.
- Lyophilisation re-validation: £280k.
- Customer compensation claims (delayed delivery to pharmaceutical companies under supply agreements with stiff penalty clauses): estimated £4.2m.
- Ransom and incident response: pending.
- MHRA inspection findings: pending; potentially affecting future regulatory standing.
MHRA notification. As a licensed pharmaceutical manufacturer, the operator must notify the MHRA of incidents affecting product quality or patient safety. Under the EU GMP guide and the UK GMP framework, GMP-deviation notification is required for incidents that may have affected product quality.
Patient safety. The cleanroom temperature excursion may have affected product sterility. If contaminated product was released to market before quarantine, patient harm is possible. Recall, MHRA notification, and potentially Product Liability claims follow.
Supply contract compliance. The manufacturer’s customer agreements with pharmaceutical companies include service level commitments, quality guarantees, and penalty clauses for late delivery or defective product. Liability caps vary but pharmaceutical supply contracts frequently exclude product liability and quality from any cap.
Cyber security for manufacturers. The NIS Regulations 2018 apply to designated operators of essential services and digital service providers. Pharmaceutical contract manufacturers are not typically designated; pharmaceutical supply chain participants may be under future regulation.
Product Liability (Consumer Protection Act 1987). Defective product placed on the market exposes the manufacturer to strict liability under section 2 of the CPA 1987. The Defective Premises Act and the Producer’s Liability framework engage where product reaches consumers.
The manufacturer’s cyber policy is a £20m limit specialist manufacturing form with explicit OT cover.
Incident response and forensics. Cyber pays. Forensic investigation across IT, DMZ and OT zones. Substantial cost (£800k–£1.5m for a complex multi-zone incident).
Ransomware. Decision pending the criticality analysis; ransom would be paid by cyber subject to sanctions clearance.
Cyber business interruption. Cyber’s BI head responds to the lost gross profit during the disruption window. The £14m revenue impact translates to perhaps £6m–£8m of lost gross profit (depending on the contract margin). Cyber BI pays subject to the limit and the period of indemnity.
Property damage caused by the cyber event. The cleanroom excursion arguably caused damage to the quarantined batches. The cyber policy’s cyber-physical head responds where the wording includes physical damage caused by a cyber event. This is the critical drafting question for manufacturers.
Bodily injury — none in our scenario. No employee was injured. If the cleanroom excursion had occurred while operators were present and (e.g.) anhydrous reagents were released, the bodily injury question would engage.
MHRA defence costs. The cyber policy’s regulatory defence head responds to defence of the MHRA investigation.
Customer claims. The £4.2m of customer compensation claims fall under the cyber policy’s third-party liability head, including the contingent BI / failure to deliver carve-back if present.
Recall costs. Most cyber policies do not include product recall cover. Recall is a specialist product recall policy. Coordination between cyber and product recall is required.
Direct physical damage to the property. No buildings or machinery were physically damaged. Property does not respond directly.
Damage to stock. The quarantined batches may be considered “stock” for property purposes. The conventional property policy’s stock cover responds to physical damage by an insured peril. The cyber exclusion mounted on the property policy is the critical question:
- LMA5403 with carve-back for physical damage following a cyber event: property may respond to the stock loss.
- LMA5400 plain: property does not respond.
For a manufacturer this exclusion analysis must be performed at every renewal.
BI extension. The property BI requires a physical damage trigger. If the stock damage trigger engages, BI flows. If only the cyber exclusion applies, BI does not.
The manufacturer’s products liability policy responds to bodily injury and property damage to third parties caused by the manufacturer’s products. If contaminated product reaches patients and causes harm, the products liability policy is the home for patient claims.
Cyber exclusion. Modern products liability wordings increasingly include cyber exclusions. Where this is mounted, claims caused by cyber-related product defects fall outside the products liability policy. The cyber policy must respond.
Strict liability under CPA 1987. Defective product placed on the market exposes the manufacturer regardless of fault. The cyber attack caused the defect; the defect caused the harm. The chain of causation is established; the legal question is whether the contractual exclusions in the products liability policy bite.
The cyber underwriter’s standard questionnaire for manufacturers now runs to 60+ questions. Among the most consequential:
Network segmentation. Is the OT network logically and physically separated from the IT network? Is the segmentation enforced by firewall? Is the firewall monitored?
Remote access control. How is remote access to the OT network managed? Multi-factor authentication on all remote access? Just-in-time access? Privileged Access Management? Are vendor remote access connections monitored?
Endpoint detection on OT. Are OT endpoints (HMIs, engineering workstations, historians) running endpoint detection and response (EDR)? Or are they on legacy operating systems that cannot run modern EDR?
Patching cadence on OT. How are OT system patches managed? Is there a documented validated-state patching process? What is the average patch lag?
Backups of OT. Are PLC configurations, SCADA configurations and MES databases backed up? Are backups tested? Are they air-gapped?
Incident response plan with OT. Does the IR plan include OT-specific procedures? Are OT engineers integrated into the IR team?
Insurance market consequences. Manufacturers who cannot demonstrate adequate IT/OT segmentation increasingly face: declined risks, cyber-physical sub-limits at low levels, exclusions for OT-induced loss, very high premium loadings.
Cyber-induced bodily injury is the frontier exposure for manufacturers.
The 2021 Düsseldorf hospital case (where a ransomware attack on Düsseldorf University Hospital was alleged to have contributed to the death of a patient redirected to another hospital, with the German prosecutor ultimately concluding the patient’s condition meant the redirection did not cause death) was the early test case. The legal causation question is novel; the regulatory and insurance treatment is unsettled.
The 2023 ClearMedi attack (alleged ransomware effect on diagnostic services) and various US healthcare incidents have continued to develop the precedent.
For UK manufacturers, the question is whether the cyber policy’s bodily injury / property damage carve-back is broad enough to respond to cyber-physical harm to employees or third parties. Many wordings still exclude bodily injury entirely; better wordings carve back BI/PD where caused by a cyber event.
The interaction with EL and PL. If an employee is injured by a cyber-induced machinery malfunction, employers’ liability responds (statutory cover, generally without cyber exclusion). For third parties, public liability may engage subject to its cyber exclusion. Cyber’s BI/PD head may stand behind. The interaction needs careful programme design.
The pharmaceutical manufacturer’s outcome:
| Head | Quantum | Policy | Notes |
|---|---|---|---|
| Forensic + IR + legal + PR | £1,200,000 | Cyber | first-party multi-zone |
| Ransom (if paid) | £900,000 | Cyber | subject to sanctions |
| Cyber BI — lost gross profit | £6,400,000 | Cyber BI | within 180-day PoI |
| Cleanroom re-qualification | £450,000 | Cyber data restoration / extra expense | within wording |
| Lyophilisation re-validation | £280,000 | Cyber extra expense | within wording |
| Quarantined batches write-off | £3,200,000 | Cyber cyber-physical head / property (cyber carve-back) | drafting decisive |
| MHRA defence | £350,000 | Cyber regulatory | within sub-limit |
| Customer claims | £4,200,000 | Cyber third-party / contingent BI | wording-dependent |
| Patient harm claims (hypothetical) | n/a | Cyber BI/PD carve-back + Products Liability + EL | scenario-dependent |
| Reputational tail / customer attrition | £2,500,000 | Uninsured | structural gap |
| Total recoverable from cyber | ~£16,980,000 | | within £20m limit |
The quarantined batches write-off and the customer claims are the two heads most sensitive to wording. A poorly-drafted cyber-physical exclusion in the cyber policy or a mounted LMA5400 plain on the property policy can shift £3m+ of loss into uninsured territory.
For UK manufacturers:
Map the IT/OT architecture and the cyber wording against it. Confirm explicit OT cover and a clear cyber-physical (bodily injury / property damage caused by a cyber event) carve-back.
Audit the cyber exclusion mounted on each of: property, BI, products liability, public liability. Match the carve-backs across the programme.
Negotiate the cyber BI period of indemnity to 180 days minimum, 360 days where the production restart involves regulatory re-qualification.
Engage your cyber underwriter on the IT/OT segmentation question early in the renewal cycle. Demonstrating segmentation, monitoring and segmented backups materially changes the premium and the wording.
Pre-engage OT-specialist incident responders. Most cyber insurer panels include IT-focused IR firms; specialist OT incident response is a different capability and a different supplier.
Maintain segmented offline backups of PLC and SCADA configurations. Restoration time after an OT-affecting incident is dominated by configuration restoration.
For pharmaceutical, food, automotive and other safety-critical manufacturers, add product recall cover separately and coordinate it with cyber.
For larger manufacturers with material safety-critical OT exposure, consider standalone cyber-physical cover from specialist markets in addition to the standard cyber policy.
Q1. Is OT cover standard in cyber policies? For specialist manufacturing forms, yes. For generic commercial cyber forms, sometimes only by extension. Confirm explicitly.
Q2. Does cyber pay for product recall caused by a cyber attack? Most cyber policies do not include recall. A separate product recall policy is required. Coordinate the two.
Q3. What about Building Safety Act / Producer Compliance Scheme implications? For manufacturers of building products (cladding, insulation, etc.), the BSA 2022 regime applies separately to product compliance. Cyber-induced defects could trigger BSA exposure; the cyber policy and the BSA-aligned products liability cover need coordination.
Q4. How does cyber respond to an attack on safety-critical control systems? Where the wording’s cyber-physical carve-back is broad, cyber responds to consequent BI/PD. Where it is narrow, the loss falls between cyber (excluded) and conventional liability (excluded by cyber exclusion). The drafting analysis is essential.
Q5. Are connected machine tools and IIoT devices covered? Generally yes under the OT cover. Specific IIoT cover is occasionally a separate head.
Q6. What about ESG and supply chain compliance? Customers (large pharmaceutical, automotive, aerospace) increasingly demand cyber security evidence as a supply chain prerequisite. Failing the evidence requirement loses the contract; insurance does not cover lost contracts.
Q7. Does cyber respond to an attack causing environmental release? Where the wording includes environmental damage following a cyber event, yes. Most do not. A separate environmental impairment liability policy is required.
Q8. How are IIoT vendor breaches treated? Through the supply-chain head — contingent BI / system failure — discussed in Spoke 4.
Q9. What about state-sponsored attacks on critical UK manufacturers? The war exclusion question. The post-NotPetya market position is that state-sponsored attribution does not automatically engage the war exclusion; the exclusion requires a war-like character. UK manufacturers should ensure the cyber policy’s war exclusion carve-back preserves cover for non-attributable cyber events even where state-actor involvement is suspected.
Q10. What’s the typical cyber premium for a mid-market UK manufacturer? For a £50m turnover manufacturer with reasonable controls and no claims history, £30k–£80k for £10m limit is the 2026 range; OT-rich operations and complex sites toward the higher end.
Sources:
- NIS Regulations 2018.
- UK GMP guide and MHRA inspectorate guidance.
- EU GMP Annex 11 (Computerised Systems) and 21 CFR Part 11 (Electronic Records / Signatures).
- Consumer Protection Act 1987.
- Düsseldorf hospital ransomware case (2020) — public reports.
- NCSC OT security guidance.
- NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security.
- IEC 62443 series — industrial communication networks security standards.
- Purdue Enterprise Reference Architecture.
- LMA cyber exclusion clauses (5400 series).
- NotPetya 2017 — Mondelez, Merck and Maersk reported impacts and subsequent insurance litigation.
Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.