Asia-Pacific manufacturers face cyber physical damage gap

Tokio Marine Kiln has warned that manufacturers in Asia-Pacific face uninsured exposure from cyber-attacks on industrial systems because of the way cyber and property policies are typically structured.

Its analysis highlights a mismatch between the concentration of manufacturing risk in Asia-Pacific and the development of insurance protection for cyber-related physical damage. The region accounts for more than half of global manufacturing output and about a third of global cyber incidents, making it the most affected region in 2024, according to Tokio Marine Kiln.

Manufacturing was the region's most targeted industry, while system intrusion attacks rose from 38 per cent to about 80 per cent of breaches. Attacks are increasingly targeting industrial systems that run physical operations rather than only corporate IT networks.

The issue centres on policy design. Cyber insurance often excludes physical damage, while property insurance often excludes cyber-related perils. As a result, companies can be left exposed when a cyber incident damages machinery, disrupts facilities or halts production.

That leaves large industrial groups with extensive property cover for factories and equipment, but no insurance for losses if a cyber-attack causes physical damage or business interruption. The disconnect is evident in underwriting data across the region, where companies are buying multi-million-dollar property programmes to protect multi-billion-dollar assets without equivalent protection for cyber-triggered losses.

Exposure gap

The concern is not limited to manufacturing. Logistics, healthcare, utilities and power generation are among the sectors most exposed because they rely on interconnected systems and operational technology.

In those sectors, disruption at one site can spread beyond a single plant or facility. Integrated production and supply networks mean an incident affecting industrial control systems in one location can disrupt wider regional and global operations.

Asia-Pacific's role in global production adds to that risk. As a manufacturing hub for electronics, industrial goods and other export sectors, interruptions can quickly move through supply chains, affecting output, deliveries and revenue well beyond the original point of attack.

One reason the risk remains underinsured is the lack of visible losses on a scale that has forced broader change in buying behaviour. Without frequent headline losses involving cyber-triggered physical damage, many companies still assess exposure through a conventional cyber lens focused on data, privacy and IT outages.

Georgie Furness-Smith, Cyber Underwriter, TMK Asia, outlined the shift in threat patterns affecting industrial businesses.

"As operational technology becomes more integrated with IT systems, cyber-attacks are increasingly targeting systems that control industrial activity, raising the potential for disruption to physical operations impacting machinery, facilities and production processes. One of the reasons this risk remains underinsured is that it has not yet translated into a large number of visible losses, so it is not always prioritised by buyers. However, the underlying risk is building. We are seeing more attacks targeting the systems that control industrial operations, while the way these risks are assessed and insured is still largely based on traditional IT exposures. Insuring cyber physical damage risk requires a different level of understanding - not just of cyber security, but how industrial systems behave under stress. That is where the gap between exposure and protection becomes most pronounced," said Furness-Smith.

Insurance response

The problem has emerged as industrial businesses increase automation and connect more operational assets to digital systems. The spread of connected machinery, remote monitoring and AI-driven systems has widened the points at which a cyber incident can affect physical processes.

This creates a challenge for brokers, insurers and risk managers because industrial cyber incidents do not fit neatly into traditional lines of cover. A business may understand its exposure to fire, flood or equipment breakdown, and it may separately buy cyber insurance for data incidents. But damage caused when malicious code or a system intrusion alters the operation of physical assets can fall between the two.

Some specialist cover is now emerging to address the issue, with a limited number of insurers offering affirmative protection for cyber-triggered physical damage and related business interruption. Tokio Marine Kiln said it has been providing insurance for such losses for more than a decade.

The comments add to a broader debate in the insurance market over so-called silent cyber and the treatment of losses that cross the boundaries between digital and physical risk. For manufacturers and other asset-heavy sectors in Asia-Pacific, that debate is becoming more immediate as cyber incidents rise and dependence on connected industrial systems deepens.

The way these risks are assessed and insured is still largely based on traditional IT exposures.