“90% of total manufacturing losses were attributed to ransomware.” That stark ratio — high financial impact from a relatively small share of claims — frames the new data on cyber risk in manufacturing and the security choices the sector now faces.
Ransomware’s outsized financial impact
New claims data reviewed by cyber experts shows ransomware accounted for 90% of total manufacturing losses while representing only 12% of claim volume. The implication in the data is clear: when ransomware hits a manufacturing operation, the financial consequences are severe and disproportionate to how often it appears as a claim.
Several security leaders in the reporting underscore how ransom-centric strategies and evolving extortion techniques amplify that damage. Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace, observes that ransomware groups are moving beyond simple encryption to double and triple extortion, and that Ransomware-as-a-Service (RaaS) marketplaces lower the bar for attackers. He warns of “interactions with IT teams to elicit information to improve access, SaaS-based attacks, and even studying file-transfer technology for rapid exploitation and double extortion methods.”
Phishing, transfer fraud and the human factor
Human error remains a prominent vector. The data show 30% of manufacturing claims are related to phishing and transfer fraud, signaling that social engineering and mistakes around financial transfers continue to fuel losses.
Matthieu Chan Tsin, Senior Vice President, Head of Cybersecurity Services at Cowbell, stresses the combination of technical and human controls: “Organizations should have proper system access controls in place, keep software and systems updated, and ensure employees know what to do in the event of a cyber incident.” Chan Tsin also highlights cyber insurance as more than a payout vehicle, noting carriers often provide “security partnerships, threat intelligence sharing, and access to expert advisory support.”
MFA misconfiguration and wrongful data collection as loss drivers
The research attributes 26% of all losses to multi-factor authentication (MFA) misconfiguration failures, and 12% of claims to wrongful data collection. Those figures point to configuration and governance failures as concrete, measurable contributors to financial harm.
Jud Dressler, Head of the Risk Operations Center (ROC) at Resilience, summarizes an operational pathway: “Our claims data, coupled with threat intelligence from the ROC, found that by auditing and validating MFA deployment, implementing procedural controls for financial transfers, investing in ransomware containment and response, and instituting other easy-to-implement practices can materially combat risk.” The data therefore links specific misconfigurations and collection practices to losses that cumulative ransomware events magnify.
Insurers shifting to evidence-based underwriting and AI concerns
Insurers are changing how they assess these risks. Diana Kelley, Chief Information Security Officer at Noma Security, says carriers have “moved from self-attestation toward evidence-based underwriting.” Required controls now routinely include enforced MFA for cloud and privileged access, tested backups, endpoint detection and response with 24/7 monitoring, vulnerability management with documented SLAs, and exercised incident response plans.
Kelley also highlights a parallel focus on AI risk: “Insurers are increasingly concerned about AI as a source of systemic, aggregated loss,” and cites real financial and regulatory harms already associated with AI failures, including deepfake-enabled fraud and IP exposure via public large language models. The underwriting consequences, she warns, may include “higher premiums, higher retentions, ransomware or business interruption sublimits, or exclusions tied to AI-driven incidents,” and she notes that post-incident claims can be “reduced or denied if an organization represented that controls existed but cannot produce evidence that they were enforced and operating as described.”
How manufacturers, insurers, and security teams are responding
- Manufacturers: The report and experts emphasize auditing MFA deployment, strengthening procedural controls around financial transfers, and investing in ransomware containment and response — concrete actions Jud Dressler highlights as effective and implementable.
- Insurers and underwriters: Driven by Diana Kelley’s observations, carriers are moving to evidence-based assessments, tightening expectations for demonstrable controls, and beginning to treat AI risk as a discrete underwriting dimension that can trigger exclusions or explicit underwriting reviews.
- Security teams and vendors: Nathaniel Jones and Morey Haber point to evolving attacker tradecraft — including RaaS, double/triple extortion, and insider-enabled dynamics — and urge sustained vulnerability management, identity-focused defenses, and anticipation of how digital and physical systems intersect. As Morey Haber puts it, “The organizations that will thrive are those that treat identity as the new perimeter and innovation as their strongest defense.”
Two additional practical notes thread through the report: small and mid-sized enterprises remain at elevated risk — “2.5x more likely to face cyber incidents,” per Matthieu Chan Tsin — and cyber insurance can serve a dual role as financial backstop and a source of advisory and recovery support.
The data’s central lesson is both blunt and actionable: a minority of attacks — ransomware incidents that often exploit human or configuration weaknesses — are driving the lion’s share of dollars lost in manufacturing. Auditing MFA, tightening transfer procedures, and investing in containment and response are not theoretical steps but the very practices named by claims analysis and industry practitioners as ways to materially reduce exposure.




