With a critical role in today’s interconnected economy and a low threshold for sustained downtime, the manufacturing sector is an attractive target for cybercriminals due to the potential for widespread impact and increased urgency to pay financial ransoms to restore operations. 

New research delves into real claims data to identify the predominant drivers of financial losses in the sector, revealing that 90% of total manufacturing losses were attributed to ransomware. This is despite the fact that ransomware accounts for only 12% claim volume. This findings suggests that when ransomware attacks affect the sector, the losses are significant.

Additional findings include: 

• 30% of manufacturing claims are related to phishing and transfer fraud, showing how human error is still a notable cause of cyber issues 
• 26% of all losses originate from multi-factor authentication (MFA) misconfiguration failures 
• 12% of claims were caused by wrongful data collection

“Manufacturers don’t need to reinvent the wheel in the face of a growing threat,” assures Jud Dressler, Head of the Risk Operations Center (ROC) at Resilience. “Our claims data, coupled with threat intelligence from the ROC, found that by auditing and validating MFA deployment, implementing procedural controls for financial transfers, investing in ransomware containment and response, and instituting other easy-to-implement practices can materially combat risk.”

Below, security leaders share their insights on what this data means for security leaders in manufacturing. 

Security Leaders Weigh In 

Matthieu Chan Tsin, Senior Vice President, Head of Cybersecurity Services at Cowbell:

In order to better mitigate cyber risk, organizations must ensure that their supply chain partners follow basic cybersecurity best practices, such as multi-factor authentication (MFA), password management systems, and incident response strategies. However, internal defenses matter just as much. Organizations should have proper system access controls in place, keep software and systems updated, and ensure employees know what to do in the event of a cyber incident. Cyber insurance also plays a key role in this strategy, and it’s not simply about financial protection. Many insurance providers offer value-added services such as security partnerships, threat intelligence sharing, and access to expert advisory support. These resources can help businesses strengthen their cyber posture before an incident even occurs, making insurance an important part of an overall cyber resilience plan.

Ransomware is a multi-million dollar operation, and as defenders improve their capabilities, malicious actors are finding new ways to improve their capabilities as well. We’re seeing tradecraft typically associated with sophisticated intelligence operations, including the compromise of trusted individuals, now being applied in the ransomware context. This represents a natural, though concerning, evolution of these threats. Security must be practiced as a multi-disciplinary and company-wide effort, and companies must adopt the same rigorous guardrails when hiring outside vendors as they do for internal personnel.

Finally, small and mid-sized enterprises are often underserved when it comes to the implementation of cybersecurity best practices, even though we find that these organizations are 2.5x more likely to face cyber incidents. This means that many of them are both unable to adequately defend themselves against cyberattacks, as well as recover as quickly as they need to after an incident occurs. Unfortunately, it is not just the obvious consequences, such as ransom payments, business interruption, and corrupted data, that victims of a cyber event must worry about, but also the risk of a legal lawsuit after client, vendor, or partner data is exposed. For that reason, businesses may want to consider working with a cyber insurance provider, not just to be able to fall back on the financial coverage, but also to build a partnership with the provider to help strengthen cyber defenses. This may help avoid an incident in the first place and demonstrates responsibility and foresight in the case of a data breach and resulting lawsuit.

Diana Kelley, Chief Information Security Officer at Noma Security:

Insurers have moved from self-attestation toward evidence-based underwriting. For traditional cyber risk, that still means strong baseline cyber hygiene, including enforced Multi-Factor Authentication (MFA) for cloud and privileged access, comprehensive and tested backups, endpoint detection and response with 24/7 monitoring, vulnerability management with documented Service-Level Agreements (SLAs), and regularly exercised incident response plans. What has changed over the past year is how rigorously insurers expect those controls to be proven, not just described.

What is emerging alongside that is a parallel shift around AI risk. Insurers are increasingly concerned about AI as a source of systemic, aggregated loss. The concern is not just individual failures, but correlated loss driven by shared models, platforms, and agent frameworks. There has already been real financial and regulatory harm from AI failures, including deepfake-enabled fraud, IP exposure through public LLMs, and automated systems making unsafe or noncompliant decisions. As a result, some carriers are exploring AI-related exclusions, while others are beginning to underwrite AI risk explicitly by evaluating the strength of an organization’s AI security and governance controls.

If organizations cannot demonstrate these requirements, the consequences can show up in several ways. At underwriting time, it can mean higher premiums, higher retentions, ransomware or business interruption sublimits, or exclusions tied to AI-driven incidents. Post-incident, claims can be reduced or denied if an organization represented that controls existed but cannot produce evidence that they were enforced and operating as described. Cyber and AI insurance are increasingly conditional products, and without proof, the policy may not respond or pay out as expected when it matters most.

Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace:

Ransomware groups are evolving their tactics beyond phishing to include interactions with IT teams to elicit information to improve access, SaaS-based attacks, and even studying file-transfer technology for rapid exploitation and double extortion methods. For IT administrators and practitioners, it is vital to prioritize your vulnerability management program and establish possible attack paths across your estate to prevent unauthorize access. This includes applying best practices across the business and wider IT teams.

The growth of Ransomware-as-a-Service (RaaS) marketplaces places greater opportunity on the side of threat actors who no longer needs to extract ransom payments to see profit, as they are able to use subscription models to return revenue for their ransomware development and deployment. We have also seen ransomware tactics move away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods. Rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.

These trends make it clear that attackers now have a more widely accessible toolbox that reduces their barriers, leaving more organizations vulnerable to attack.

Morey Haber, Chief Security Advisor at BeyondTrust:

Cybersecurity has always been a forward-looking discipline. By anticipating where technology, threat actors, and regulation are heading, we can better protect our customers and help the industry prepare for what’s next. Looking ahead allows us to adapt faster and turn insight into proactive security action. The future of cybersecurity isn’t just about defending data, it’s about anticipating how digital and physical worlds will continue to collide. The organizations that will thrive are those that treat identity as the new perimeter and innovation as their strongest defense.

Ransomware has matured into a multi-billion-dollar ecosystem run by cybercrime syndicates. These nefarious groups operate with negotiation experience and understand the economics, pressure points, and victim psychology for a rapid resolution. That knowledge becomes monetizable and the industry should treat this as an emerging class of insider-enabled cybercrime potentially with more and more case studies to follow.