2023 Cyber Resilience Report

This is article 9 of 18 in this Report.

August 01, 2023

How Smart Manufacturing is Intensifying Business Risk

Emerging risks such as incorporating blockchain and “smart facilities,” global supply chain disruptions, industrial Internet of things (IIoT), and intellectual property theft pose a significant challenge to manufacturers.

Key Takeaways

  1. Manufacturers enjoyed steady improvement in their overall cyber risk profile between 2020 and 2022.
  2. Ransomware claims for the manufacturing industry decreased by 32 percent between 2020 and 2022.
  3. Resilience is still a work in progress for U.S. manufacturers, with 65 percent of the companies reporting a lack of tabletop exercises as part of a business resilience plan.

Emerging risks such as incorporating blockchain and “smart facilities,” global supply chain disruptions, industrial Internet of things (IIoT), and intellectual property theft can pose a significant challenge to manufacturers. A recent MIT project demonstrated the power of supply chain disruption on semiconductor supply chains, finding that a 10-day disruption in a company’s production, on average, leads to at least 300 days before its inventory is back to normal.1

The manufacturing sector is a leading driver of the global economy. China is a manufacturing superpower and the U.S., Japan, and Germany are the top countries in terms of value added by the industry to gross domestic product (GDP).2 Manufacturing in the U.S. contributed $2.3 trillion to the country’s GDP in the fourth quarter of 2022.3 The sheer size and interconnectedness of the manufacturing industry mean that there is a great potential for a significant cyber incident, evidenced by its recognition as the top industry plagued by ransomware attacks in 2022.4

Large manufacturers rely on a vast network of smaller businesses in the supply chain. These small companies typically fail to match the sophistication of their larger counterparts when it comes to cyber maturity. In the U.S., 98.6 percent of all manufacturing companies are small businesses, and most have fewer than 20 employees.5 From our experience, merger and acquisition (M&A) business transactions also introduce risk, with some of the biggest cyber events in the manufacturing industry resulting from limited or poor integration of acquired companies into the whole.

Adding to this landscape is a harsh economic and operating environment. Our experience showed us that the global manufacturing industry experienced a rough two years during the COVID-19 pandemic, plagued by high costs for shipping, employee shortages and supply chain issues. With a limited budget, leaders tackled challenges from all angles and were forced to make decisions based on the return on investment for each expenditure.

Aon Clients Report: Manufacturing Industry and Risk

Ransomware claims for the manufacturing industry decreased by 32 percent between 2020 and 2022 as organizations reported steady improvement in overall cyber maturity. The median percent of the IT budget reportedly spent on security also rose globally, with companies reporting 8.5 percent of the IT budget dedicated to security. According to Aon’s E&O Cyber Insurance Broking 2023 H1 Snapshot, from a loss trends perspective in APAC, manufacturing was particularly in focus owing to the significant manufacturing centers across the region, with operational technology remaining a key risk concern for regional markets.6

Aon’s CyQu7 data shows that overall risk score improved from 2.2 to 2.5 in 2022 for mid-market clients; however, 56 percent of the companies reported risk scores lower than 2.5 in 2022. We anticipate risk maturity across small to medium-sized companies to continue pushing upward as more prominent manufacturers impose additional cyber maturity requirements on their supply chains. As a result, smaller manufacturers may also be required to demonstrate resilience to secure cyber insurance policies.

For global companies, scores improved marginally from 2.7 to 2.8; however, 80 percent of the companies reported scores higher than 2.5, showing that this revenue sector as a whole is getting closer to a “managed” risk profile.

CyQu Risk Scores for Manufacturing Client Segments

Annual Revenue (group)    2020    2022    Change
Global                    2.7     2.8     +0.1
Enterprise                2.6     2.7     +0.1
Mid-Market                2.2     2.5     +0.3
SME                       2.1     2.3     +0.2

CyQu Risk Maturity Scoring

Initial: 1.0 - 1.9

Basic: 2.0 - 2.5

Managed: 2.6 - 3.4

Advanced: 3.5 - 4.0

Looking to the U.S., manufacturers reported improvement in information technology (IT) controls implementation between 2021 and 2022. According to Ransomware Supplemental Applications red flag controls data, 90 percent of clients in 2022 reported improvement in access management control implementation focused on unique credentials for system administrators. On average, in 2022, clients implemented 75 percent of key underwriting multi-factor authentication (MFA) controls versus 58 percent in 2021. Progress in these areas is unsurprising. The manufacturing industry was not a work-from-home sector pre-pandemic, and the move to remote work coupled with new insurance requirements around MFA likely drove this progress.

U.S. manufacturers also reported that business resilience is still a work in progress. Strikingly, in 2022, 65 percent of the companies reported a lack of tabletop exercises as part of a business resilience plan. This statistic appears to support the reality that companies tend to focus more on securing technology than on people, policy and procedure when it comes to incident response and recovery.


[Figure: Percent of Lack of Critical IT Controls for Given Industry in US (red flags)]


While trend data is not yet available, we can look at 2022 as a point-in-time snapshot for the UK. UK manufacturers reported the strongest maturity in access management. UK manufacturers did, however, lag their U.S. counterparts in maturity across all IT controls in 2022, except access management, where they reported equal scores.


[Figure: Percent of Lack of Critical Controls for Given Industry in EMEA and UK (red flags)]


Across the operational technology (OT) environment, the U.S. and UK manufacturing industries, on average, reported more robust maturity than other sectors. Historically, the manufacturing industry focused on OT resilience; thus, we expected these higher scores. However, manufacturing organizations still have significant work to do across controls and segmentation. Clients reported a lack of 41 percent across critical OT controls, a gap that must be closed.


[Figure: Percent of Lack of OT Controls for Given Industry in US]

[Figure: Percent of Lack of OT Controls for Given Industry in EMEA and UK]


Now What? Actions for Manufacturing Organizations

References

1 “Fixing the US Semiconductor Supply Chain.” Simchi-Levi, David, Zhu, Feng, Loy, Matthew. Article. Harvard Business Review. 25 October 2022.

2 “Value added by the manufacturing industry to GDP in 2020 by country.” Data Chart. Statista. Retrieved from https://www.statista.com/statistics/456342/realtive-comparison-of-value-added-in-manufacturing-of-leading-countries/

3 “United States GDP From Manufacturing.” Data Chart. US Census Bureau.

4 “2023 X-Force Threat Intelligence Index.” Report. IBM. 2023.

5 “Manufacturing and Small Business.” SCORE. Infographic. 24 May 2022.

6 “Buyer-Friendly Cyber and E&O Market: How to Take Advantage.” Aon.

7 Aon’s Cyber Quotient. Patent-pending technology.

8 NIST Cybersecurity Framework 2.0. Retrieved from https://www.nist.gov/system/files/documents/2022/10/03/NIST_CSF_update_Fact_Sheet.pdf

9 EU Cybersecurity Act (ENISA). Retrieved from The EU Cybersecurity Act | Shaping Europe’s digital future (europa.eu)


Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.