2023 Cyber Resilience Report

This is article 9 of 18 in this Report.

August 01, 2023 / 6 min Read

How Smart Manufacturing is Intensifying Business Risk

Emerging risks such as incorporating blockchain and “smart facilities," global supply chain disruptions, industrial Internet of things (IIoT), and intellectual property theft pose a significant challenge to manufacturers.

Key Takeaways

  1. Manufacturers enjoyed steady improvement in their overall cyber risk profile between 2020 and 2022.
  2. Ransomware claims for the manufacturing industry decreased by 32 percent between 2020 and 2022.
  3. Resilience is still a work in progress, with U.S. manufacturers and in 65 percent of the companies reported lack of tabletop exercises as part of a business resilience plan.

Emerging risks such as incorporating blockchain and “smart facilities,” global supply chain disruptions, industrial Internet of things (IIoT, and intellectual property theft can pose a significant challenge to manufacturers. A recent MIT project demonstrated the power of supply chain disruption on semiconductor supply chains, finding that a 10-day disruption in a company’s production, on average, leads to at least 300 days before its inventory is back to normal.1

The manufacturing sector is a leading driver of the global economy. China is a manufacturing superpower and the U.S., Japan, and Germany are the top countries in terms of value added by the industry to gross domestic product (GDP).2 Manufacturing in the U.S. contributed $2.3 trillion to the country’s GDP in the fourth quarter of 2022.3 The sheer size and interconnectedness of the manufacturing industry mean that there is a great potential for a significant cyber incident —evidenced by its recognition as the top industry plagued by ransomware attacks in 2022.4

Large manufacturers rely on a vast network of smaller businesses in the supply chain. These small companies typically fail to match the sophistication of their larger counterparts  when it comes to cyber maturity. In the U.S., 98.6 percent of all manufacturing companies are small businesses, and most have fewer than 20 employees.5 From our experience, merger and acquisition (M&A) business transactions also introduce risk, with some of the biggest cyber events in the manufacturing industry resulting from limited or poor integration of acquired companies into the whole.

Adding to this landscape is a harsh economic and operating environment. Our experience showed us that the global manufacturing industry experienced a rough two years during the COVID-19 pandemic, plagued by high costs for shipping, employee shortages and supply chain issues. With a limited budget, leaders tackled challenges from all angles and were forced to make decisions based on the return on investment for each expenditure.

Aon Clients Report: Manufacturing Industry and Risk

Ransomware claims for the manufacturing industry decreased by 32 percent between 2020 and 2022 as organizations reported steady improvement in overall cyber maturity. The median percent of the IT budget reportedly spent on security also rose globally, with companies reporting 8.5 percent of the IT budget dedicated to security. According to Aon’s E&O Cyber Insurance Broking 2023 H1 Snapshot, from a loss trends perspective in APAC, manufacturing was particularly in focus owing to the significant manufacturing centers across the region, with operational technology remaining a key risk concern for regional markets.6

Aon’s CyQu7 data shows that overall risk score improved from 2.2 to 2.5 in 2022 for mid-market clients — however 56 percent of the companies reported risk scores lower than 2.5 in 2022. We anticipate risk maturity across small to medium-sized companies to continue pushing upward as more prominent manufacturers require additional cyber maturity requirements from their supply chains. As a result, smaller manufacturers may also be required to demonstrate resilience to secure cyber insurance policies.

For global companies, scores improved marginally from 2.7 to 2.8, however 80 percent of the companies reported scores higher than 2.5, showing that this revenue sector as a whole is getting closer to a “managed” risk profile.

CyQu Risk Scores for Manufacturing Client Segments

Annual Revenue (group) 2020 2022 Change

CyQu Risk Maturity Scoring

Initial: 1.0 - 1.9

Basic: 2.0 - 2.5

Managed: 2.6 - 3.4

Advanced: 3.5 - 4.0

Looking to the U.S., manufacturers reported improvement in information technology (IT) controls implementation between 2021 and 2022. According to Ransomware Supplemental Applications red flag controls data 90 percent of clients in 2022 reported improvement in access management control implementation focused on unique credentials for system administrators. On an average, in 2022, clients implemented 75 percent of key underwriting multi-factor authentication (MFA) controls versus 58 percent in 2021. Progress in these areas is unsurprising. The manufacturing industry was not a work from home sector pre-pandemic, and the move to remote work coupled with new insurance requirements around MFA likely drove this progress.

U.S. manufacturers also reported that business resilience is still a work in progress. Strikingly, in 2022, 65 percent of the companies reported lack of tabletop exercises as part of a business resilience plan. This statistic appears to support the reality that companies tend to focus more on securing technology rather than considering on people, policy and procedure when it comes to incident response and recovery.

Percent of Lack of Critical IT Controls' for Given Industry in US (red flags)

While trend data is not yet available, we can look at 2022 as a year in point for the UK. UK manufacturers reported the strongest maturity in access management respectively. UK manufacturers did, however, lag their U.S. counterparts in maturity across all IT controls in 2022, except access management, where they reported equal scores.

Percent of Lack of Critical Controls' for Given Industry in EMEA and UK (red flags)

Across the operational technology (OT) environment, the U.S. and UK manufacturing industries, on average, reported more robust maturity than other sectors. Historically, the manufacturing industry focused on OT resilience; thus, we expected these higher scores. However, manufacturing organizations still have significant work to do across controls and segmentation. Clients reported a lack of 41 percent across critical OT controls, a gap that must be closed.

Percent of Lack of OT Controls' for Given Industry in US

Percent of Lack of OT Controls' for Given Industry in EMEA and UK

Now What? Actions for Manufacturing Organizations


1 “Fixing the US Semiconductor Supply Chain.” Levi, David Simchi-Levi, Zhu, Feng, Loy, Matthew. Article. Harvard Business Review. 25 October 2022.

2 “Value added by the manufacturing industry to GDP in 2020 by country.: Data Chart. Statista. Retrieved from https://www.statista.com/statistics/456342/realtive-comparison-of-value-added-in-manufacturing-of-leading-countries/ 

3 “United States GDP From Manufacturing.” Data Chart. US Census Bureau.

4 “2023 X-Force Threat Intelligence Index.” Report. IBM. 2023.

5 “Manufacturing and Small Business.” SCORE. Infographic. 24 May 2022.

Buyer-Friendly Cyber and E&O Market: How to Take Advantage | Aon

7 Aon’s Cyber Quotient. Patent-pending technology.

8 NIST Cybersecurity Framework 2.0. Retrieved from https://www.nist.gov/system/files/documents/2022/10/03/NIST_CSF_update_Fact_Sheet.pdf

9 EU Cybersecurity Act (ENISA). Retrieved from The EU Cybersecurity Act | Shaping Europe’s digital future (europa.eu)

Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.