Category: Cyber-physical risk · Reviewed by Tim Roche, Director · PI & Commercial · Last reviewed 2026-06-10
Industrial IoT insurance covers manufacturing, oil and gas, utilities and infrastructure operators whose plant is instrumented with industrial control sensors and connected for predictive maintenance, condition monitoring and operational efficiency, with associated cyber-physical risk.
Industrial IoT (IIoT) deployments combine information technology and operational technology, multiplying both the value of telemetry-led insurance services and the cyber-physical exposure to be underwritten. The principal UK inputs are the NIS Regulations 2018 (the regulatory baseline), the IEC 62443 series of industrial cybersecurity standards (the technical reference used in surveys) and the Lloyd’s-led market response to cyber-physical risk.
Definition
Industrial IoT insurance addresses risks specific to industrial operators that have integrated:
Edge gateways and historians — collecting sensor data for cloud analytics;
Predictive maintenance and digital twin platforms.
Insurance product types include property damage and business interruption with telemetry-led pricing, machinery breakdown, cyber and cyber-physical hybrid covers.
Legal / Regulatory basis
The principal UK frameworks are:
Network and Information Systems Regulations 2018, SI 2018/506 — apply to operators of essential services in energy, transport, health, drinking water and certain digital infrastructure, and to relevant digital service providers.
Cyber Security and Resilience Bill 2024–25 (King’s Speech 2024) — proposes expansion of NIS and increased regulator powers.
EU NIS2 Directive, Directive (EU) 2022/2555 — applicable to EEA-based operations; not directly applicable in the UK but relevant for UK groups with EEA subsidiaries.
PRA SS1/21 and PS6/21, Operational Resilience; SS2/21, Outsourcing and Third Party Risk Management.
IEC 62443 series — international standard for industrial automation and control systems security; reference framework for risk-engineering surveys.
Computer Misuse Act 1990 — for unauthorised access offences.
Product Security and Telecommunications Infrastructure Act 2022 and SI 2023/1007 — limited application to consumer connectable products; complementary to industrial frameworks.
HSE expectations under the Health and Safety at Work etc. Act 1974 — interaction with safety-critical control systems.
IAIS Application Paper on Cyber Risk Underwriting (2020); Issues Paper on Cyber Risk to the Insurance Sector (2016).
NCSC Cyber Assessment Framework (CAF) — referenced under the NIS Regs.
How it works in practice
A typical IIoT underwriting workflow includes:
Risk-engineering survey — based on IEC 62443 and the NIS CAF, examining segmentation of OT from IT (IEC 62443 zones and conduits), control over remote access into OT, patch management on PLCs and the resilience and independence of safety instrumented systems.
Telemetry-led pricing — predictive maintenance data and operational telemetry are factored into machinery breakdown and BI pricing.
Risk improvement plans — conditional warranties on segmentation, vulnerability management and patching cadence.
Cyber-physical wrap — separate or combined cover for cyber events causing physical damage.
Reinsurance — typically a London-market and Bermuda treaty structure with industry loss warranties and named perils.
The Lloyd’s market has been active in IIoT cover, with syndicates writing manufacturing and energy risks and partnerships with risk-engineering specialists; FM Global, a mutual insurer built around engineering-led property risk, is the usual comparator for this approach.
Digital twin underwriting — using digital twin simulations to estimate probable maximum loss (PML).
Cyber and cyber war exclusions — see the LMA cyber exclusion clauses LMA5400/5401/5402/5403/5448/5451 and the Lloyd’s requirement for state-backed cyber-attack exclusions (Market Bulletin Y5381, August 2022).
The post-NotPetya (2017) and Colonial Pipeline (2021) experience has reshaped IIoT cyber-physical underwriting: NotPetya produced large property and BI losses from malware that was not targeted at the insured, and Colonial Pipeline showed ransomware on IT systems forcing a precautionary OT shutdown. Named perils and silent-cyber clarifications now dominate market practice.
Example
A UK-based pharmaceutical manufacturer operates a fully instrumented production line with PROFINET-connected PLCs, OPC UA telemetry to a digital twin platform and predictive maintenance services. Annual property and business interruption cover is placed in the London market with a £75 million PML and £40 million BI sub-limit. The risk-engineering survey, conducted against IEC 62443, identifies a flat OT/IT network and outdated PLC firmware; the insurer requires segmentation and patching as a condition precedent. Because PLC firmware can normally only be updated in a planned outage and after vendor validation, the patching condition is usually expressed as a cadence with compensating controls (segmentation, restricted engineering-workstation access) rather than an immediate fix. A separate cyber policy incorporating the LMA cyber exclusion wordings (LMA5400 series) and a cyber war exclusion is placed for the cyber-physical exposure. Annual telemetry data feeds support pricing at renewal.
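As an added worked example (not the broker’s, the insurer’s or any survey firm’s own tooling), the following Python script applies the three survey items from the workflow above (IT/OT segmentation, control over remote access, PLC patch baseline) to a constructed asset inventory and firewall allow-list modelled on the pharmaceutical manufacturer in this example. The asset names, addresses, ports and the 4.2.0 firmware baseline are assumptions; a real survey would take these from the operator’s asset register and firewall export. The script flags the flat network and outdated firmware the survey found, then re-runs against a remediated inventory and ruleset to show the condition precedent being met.

```python
"""Survey checks over a constructed IIoT inventory (illustrative, not vendor tooling)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str                 # IEC 62443-style zone label: "it", "dmz" or "ot"
    role: str                 # "plc", "historian", "engineering", "jump", ...
    firmware: tuple = ()      # PLC firmware as a version tuple; empty for non-PLCs


@dataclass(frozen=True)
class Rule:
    src: str                  # source CIDR of a firewall allow-rule
    dst: str                  # destination CIDR
    port: int
    proto: str = "tcp"


MIN_PLC_FIRMWARE = (4, 2, 0)          # assumed baseline agreed in the risk improvement plan
REMOTE_ACCESS_PORTS = {22, 3389, 5900}  # SSH, RDP, VNC


def assets_in(cidr, assets):
    """Inventoried assets whose address falls inside the CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [a for a in assets if ipaddress.ip_address(a.ip) in net]


def flat_segments(assets, prefix=24):
    """Subnets (at the given prefix length) hosting both IT and OT assets."""
    zones_by_subnet = {}
    for a in assets:
        subnet = ipaddress.ip_network(f"{a.ip}/{prefix}", strict=False)
        zones_by_subnet.setdefault(subnet, set()).add(a.zone)
    return sorted(str(s) for s, z in zones_by_subnet.items() if {"it", "ot"} <= z)


def direct_it_to_ot_rules(rules, assets):
    """Allow-rules that let an IT asset reach an OT asset without passing the DMZ."""
    return [r for r in rules
            if any(a.zone == "it" for a in assets_in(r.src, assets))
            and any(a.zone == "ot" for a in assets_in(r.dst, assets))]


def uncontrolled_remote_access(rules, assets):
    """Remote-access rules into OT whose source is not exclusively a DMZ jump host."""
    flagged = []
    for r in rules:
        if r.port not in REMOTE_ACCESS_PORTS:
            continue
        if not any(a.zone == "ot" for a in assets_in(r.dst, assets)):
            continue
        sources = assets_in(r.src, assets)
        # No inventoried source (unknown range) or any non-jump source both fail.
        if not sources or not all(a.zone == "dmz" and a.role == "jump" for a in sources):
            flagged.append(r)
    return flagged


def outdated_plcs(assets, baseline=MIN_PLC_FIRMWARE):
    return sorted(a.name for a in assets if a.role == "plc" and a.firmware < baseline)


def survey(assets, rules, baseline=MIN_PLC_FIRMWARE):
    """Findings per survey item; 'pass' is True only when every item is clean."""
    fmt = lambda r: f"{r.src}->{r.dst}:{r.port}/{r.proto}"
    findings = {
        "flat_segments": flat_segments(assets),
        "direct_it_to_ot": [fmt(r) for r in direct_it_to_ot_rules(rules, assets)],
        "uncontrolled_remote_access": [fmt(r) for r in uncontrolled_remote_access(rules, assets)],
        "outdated_plcs": outdated_plcs(assets, baseline),
    }
    return {"pass": not any(findings.values()), **findings}


# Constructed inventory: a single /24 shared by the plant floor and an office PC.
ASSETS = [
    Asset("hist-01", "10.20.1.10", "ot", "historian"),
    Asset("plc-line1", "10.20.1.21", "ot", "plc", (3, 8, 1)),
    Asset("plc-line2", "10.20.1.22", "ot", "plc", (4, 2, 3)),
    Asset("eng-ws-01", "10.20.1.50", "ot", "engineering"),
    Asset("office-ws-17", "10.20.1.117", "it", "workstation"),   # IT host on the OT segment
    Asset("jump-01", "10.20.2.5", "dmz", "jump"),
    Asset("erp-01", "10.20.3.10", "it", "server"),
]
RULES = [                                      # constructed "before" allow-list
    Rule("10.20.3.0/24", "10.20.1.21/32", 4840),   # ERP polls the PLC directly over OPC UA
    Rule("0.0.0.0/0", "10.20.1.0/24", 3389),       # RDP into the plant segment from anywhere
    Rule("10.20.2.5/32", "10.20.1.50/32", 3389),   # jump host to engineering workstation
    Rule("10.20.1.10/32", "10.20.2.0/24", 443),    # historian pushes telemetry to the DMZ
]

# Remediated state: office PC moved to the IT subnet, PLC firmware brought to baseline,
# IT reaches OT data only via the DMZ.
REMEDIATED_ASSETS = [
    replace(a, ip="10.20.3.117") if a.name == "office-ws-17"
    else replace(a, firmware=MIN_PLC_FIRMWARE) if a.name == "plc-line1"
    else a
    for a in ASSETS
]
REMEDIATED_RULES = [
    Rule("10.20.1.10/32", "10.20.2.0/24", 443),    # historian -> DMZ collector
    Rule("10.20.2.0/24", "10.20.3.10/32", 443),    # DMZ -> ERP
    Rule("10.20.2.5/32", "10.20.1.50/32", 3389),   # jump host -> engineering workstation
]

if __name__ == "__main__":
    print("before:", survey(ASSETS, RULES))
    print("after: ", survey(REMEDIATED_ASSETS, REMEDIATED_RULES))
```

The checks are deliberately structural (addresses, zones and allow-rules), which is what a desk review of a firewall export can establish; a site survey would additionally verify that vendor remote-maintenance tunnels and cellular gateways, which never appear in the corporate ruleset, terminate in the DMZ rather than on the plant segment.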
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.