Category: Cyber-physical risk · Reviewed by Al Jabbar, Broker · Specialist Risks · Last reviewed 2026-06-10
OT/IT convergence insurance is a class of cover responding to the integration of operational technology (industrial control systems, SCADA, PLCs) with corporate information technology, with cyber-physical exposures often written under a hybrid cyber-property policy form.
Convergence of OT and IT has been driven by predictive maintenance, remote monitoring and digital twin adoption, but has also created lateral attack paths from corporate networks into safety-critical control systems. The London market’s hybrid cyber-property products are the principal commercial response.
Definition
The distinction between IT and OT historically rested on:
IT — corporate networks, business applications and the cyber risk profile typical of cyber insurance underwriting;
OT — Programmable Logic Controllers (PLCs), Distributed Control Systems (DCS), SCADA, safety instrumented systems and the physical processes they govern.
Convergence — sometimes called “Industry 4.0” — integrates the two at the level of historians, edge gateways, predictive maintenance platforms and the corporate network. OT/IT convergence insurance addresses the resulting hybrid exposure:
Cyber events propagating from IT into OT;
OT events propagating into IT (telemetry corruption affecting business systems);
Physical loss arising from compromised OT; and
Business interruption arising from the combination.
Legal / Regulatory basis
The principal frameworks are:
Network and Information Systems Regulations 2018, SI 2018/506 — operators of essential services in energy, transport, water and digital infrastructure; relevant digital service providers.
Cyber Security and Resilience Bill 2024–25 — proposes expansion of the NIS regime.
EU NIS2 Directive (EU 2022/2555) and EU DORA (Regulation (EU) 2022/2554) — for EEA operations.
PRA Supervisory Statement SS4/17, Cyber insurance underwriting risk (July 2017).
PRA SS1/21 and PS6/21, Operational Resilience — for PRA-authorised insurers’ own operations.
PRA SS2/21, Outsourcing and Third Party Risk Management.
Lloyd’s Market Bulletins Y5258 (2019), Y5277 (2019) and Y5381 (August 2022) — affirmative cyber, silent cyber and cyber war exclusion direction.
LMA cyber war exclusion clauses LMA5400, LMA5401, LMA5402, LMA5403, LMA5448, LMA5451 (August 2022); CL380 for marine.
Computer Misuse Act 1990.
Health and Safety at Work etc. Act 1974 — for safety-critical control systems.
IEC 62443 series and NCSC Cyber Assessment Framework — risk-engineering standards.
IAIS Application Paper on Cyber Risk Underwriting (2020); Issues Paper on Cyber Risk to the Insurance Sector (2016).
How it works in practice
A typical hybrid cyber-property OT/IT convergence policy contains:
Affirmative cyber-physical grant — coverage for physical damage and business interruption arising from a cyber event, subject to defined cyber-physical perils.
Affirmative cyber response cover — incident response, forensic, ransomware (where permitted by sanctions and policy), data restoration and PR.
Cyber war exclusion — typically a clause from the LMA5400 family, for wordings from 2023 onwards.
Risk-engineering conditions precedent — segmentation of OT from IT (DMZ, unidirectional gateways), vulnerability management on PLCs, MFA on remote access, backup integrity and restoration testing.
Co-insurance and retention — typically a Lloyd’s-led primary and Bermuda excess; high retentions reflecting catastrophic potential.
The PRA’s operational resilience framework requires PRA-authorised insurers to identify important business services and impact tolerances; for insurers writing OT/IT convergence risks, internal OT/IT convergence within the insurer is also subject to SS1/21.
Common variations / Subsequent developments
Manufacturing and energy focus — automotive, pharmaceutical, food and beverage, oil and gas, power, water.
Utility-specific products — water utility, electricity DNO/TSO and gas distribution wrap.
Maritime cyber-property — with CL380 and marine cyber attack exclusion wording.
Aviation — airline IT/OT (avionics) and ground operations.
Healthcare — medical device OT exposure (HL7, DICOM, OT in MRI/CT scanners).
Lloyd’s market hybrid products — typically follow the LMA5402 / LMA5403 form for the more permissive war exclusion variants.
Cyber catastrophe bonds — 2023–2026 issuance to manage tail risk.
The post-NotPetya, Colonial Pipeline and Triton/Trisis loss experience drives current underwriting; insurers increasingly require IEC 62443 alignment and NCSC CAF self-assessment as conditions precedent.
Example
A UK water utility — designated as an operator of essential services under the NIS Regulations 2018 — places a £150 million OT/IT convergence programme through a London-market broker. The cover includes a £50 million cyber-physical sublimit for physical damage and BI arising from cyber events affecting the SCADA network; a £100 million cyber response and BI sublimit; LMA5402 cyber war exclusion; and warranties on OT segmentation, PLC vulnerability management and backup integrity. Annual risk-engineering surveys are required. When a phishing-led intrusion is detected within the corporate network but contained by the unidirectional gateway to the OT environment, the cyber response costs are paid; no property or BI loss occurs.
IAIS, Issues Paper on Cyber Risk to the Insurance Sector (2016); Application Paper on Cyber Risk Underwriting (2020).
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.