How to help manufacturing clients pass a cyber insurance renewal


TL;DR

  • Manufacturing clients face cyber insurance questionnaires that are increasingly specific about operational technology, production system resilience and supply chain risk.

  • The controls insurers focus on for manufacturers go beyond the standard IT baseline: they ask about segregation between IT and OT networks, business continuity in the event of a production system outage, and supply chain security practices.

  • Most manufacturing clients have reasonable IT security. The gap tends to be in OT visibility, network segregation evidence and production continuity documentation.

  • An MSP supporting a manufacturing client through insurance renewal needs to understand which parts of the environment are in scope for the insurer's questions and which evidence gaps need to be addressed first.

  • The long-tail commercial opportunity here is significant. Manufacturing is a large sector, insurers are tightening requirements, and most MSPs serving manufacturers are not having this conversation proactively.

Manufacturing clients and cyber insurance: a conversation worth having

Here's something I've seen come up more and more in conversations with partners who serve manufacturing clients. The cyber insurance renewal arrives, the questionnaire is longer and more specific than it was two years ago, and the client asks their MSP for help completing it. What tends to happen next reveals quite a lot about the state of the relationship and the service. Some MSPs have the evidence ready. A lot of them don't, and they're not entirely sure which parts of the environment the questions are referring to.

Manufacturing is an interesting sector for this conversation because it straddles two worlds: the IT environment most MSPs are comfortable managing, and the operational technology environment of production systems, SCADA controllers, building management systems and industrial networks, where the MSP's visibility and tooling are often less mature. Insurers have started asking questions that probe both. And the evidence requirements for the OT side are quite different from the IT side.

The reason I mention this is not to suggest that MSPs serving manufacturers need to become OT security specialists overnight. It is to help frame where the specific gaps tend to be and what a practical approach to closing them looks like. In my experience, the manufacturing clients who go into insurance renewal in the best shape are the ones whose MSPs have had this conversation with them proactively, rather than the ones who are working through the questionnaire together for the first time at renewal.

What insurers focus on for manufacturing clients

IT and OT network segregation

This is the question that catches a lot of manufacturing clients unprepared. Insurers want to know whether the IT environment (user laptops, servers, Microsoft 365) is segregated from the OT environment (production systems, SCADA, industrial controllers). The concern is ransomware propagation: an attack that starts on the IT network and reaches production systems has a significantly higher business impact than one that stays within the IT environment.

The evidence the insurer wants is documentation of the network architecture showing the segregation, and confirmation of the controls that enforce it. Firewall rules between IT and OT segments, VLAN separation documentation and access control logs for crossing between environments are the most commonly requested. In the insurance context, OT security threats for manufacturers come down primarily to whether a ransomware incident would halt production, and the segregation evidence directly addresses that question.
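
One way to turn a firewall rule export into segregation evidence is to list every allow rule that crosses the IT/OT boundary and mark the broad ones for review. The sketch below is an added example, not part of the original article; the subnets, rule fields and function names are constructed for illustration.

```python
import ipaddress

# Constructed zones and firewall export for illustration; real subnets and
# rule fields come from the client's own firewall and network diagram.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]
RULES = [
    {"id": 1, "action": "allow", "src": "10.10.20.5/32", "dst": "10.50.1.10/32", "port": "443"},
    {"id": 2, "action": "allow", "src": "10.10.0.0/16", "dst": "10.10.0.0/16", "port": "any"},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dst": "10.50.0.0/16", "port": "any"},
    {"id": 4, "action": "allow", "src": "10.50.1.10/32", "dst": "10.10.30.8/32", "port": "1433"},
    {"id": 5, "action": "deny", "src": "10.10.0.0/16", "dst": "10.50.0.0/16", "port": "any"},
]

def touches(cidr, zone):
    """True if the rule's address range overlaps any subnet in the zone."""
    net = ipaddress.ip_network(cidr)
    return any(net.overlaps(z) for z in zone)

def inside(cidr, zone):
    """True if the rule's address range sits wholly within one zone subnet."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(z) for z in zone)

def crossing_rules(rules, it_nets=IT_NETS, ot_nets=OT_NETS):
    """List allow rules that let traffic cross the IT/OT boundary.

    Rule order and shadowing by earlier rules are not evaluated, so treat
    the result as a review list rather than a verdict on reachability.
    """
    both = it_nets + ot_nets
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        it_to_ot = touches(r["src"], it_nets) and touches(r["dst"], ot_nets)
        ot_to_it = touches(r["src"], ot_nets) and touches(r["dst"], it_nets)
        if not (it_to_ot or ot_to_it):
            continue
        direction = "both" if it_to_ot and ot_to_it else "IT->OT" if it_to_ot else "OT->IT"
        # Broad = any port, or an address range wider than the defined zones.
        scoped = r["port"] != "any" and inside(r["src"], both) and inside(r["dst"], both)
        findings.append((r["id"], direction, "scoped" if scoped else "broad"))
    return findings

if __name__ == "__main__":
    for rule_id, direction, scope in crossing_rules(RULES):
        print(f"rule {rule_id}: {direction} ({scope})")
```

Scoped crossings are the ones to document with a business justification; broad ones are the gaps to close before the questionnaire is completed.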

Production system resilience and recovery

Insurance questionnaires for manufacturers increasingly ask about recovery time objectives for production systems, not just IT infrastructure. How long would it take to restore production in the event of a ransomware attack? Is there a documented business continuity plan that covers production system outages? Have recovery procedures been tested?

This is an area where the MSP may not have full visibility. Production system recovery often sits with the client's engineering or operations team rather than with the IT function. But the insurer is asking the question and the client needs to answer it. An MSP who helps the client identify the right people to answer this part of the questionnaire and frames the documentation requirements clearly is providing genuine value, even if the technical work sits elsewhere.

Supply chain and third-party access

Manufacturing clients typically have suppliers, contractors and maintenance engineers who access their systems, sometimes remotely. Insurers ask about how third-party access is managed: are contractors given individual accounts or shared credentials, is remote access through a VPN with MFA enforced, and is there a process for revoking access when a contractor relationship ends. Compliance matters for manufacturers here partly because of regulatory requirements and partly because of the specific risk profile that third-party access creates in an environment where production systems are connected.
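
The three access questions above can be checked against an export of contractor accounts before the questionnaire is answered. The following is an added example, not part of the original article; the account records and field names are constructed and do not reflect any particular directory or VPN product.

```python
from datetime import date

# Constructed account export for illustration; field names are assumptions.
ACCOUNTS = [
    {"account": "j.smith-acme", "holder": "J. Smith", "mfa": True,
     "contract_end": date(2026, 3, 31), "enabled": True},
    {"account": "plc-vendor", "holder": None, "mfa": False,
     "contract_end": date(2026, 12, 31), "enabled": True},
    {"account": "r.patel-hvac", "holder": "R. Patel", "mfa": True,
     "contract_end": date(2025, 6, 30), "enabled": True},
    {"account": "maint-remote", "holder": "L. Wu", "mfa": True,
     "contract_end": None, "enabled": True},
    {"account": "old-integrator", "holder": "K. Jones", "mfa": False,
     "contract_end": date(2024, 1, 31), "enabled": False},
]

def review_third_party(accounts, today):
    """Return {account: [issues]} covering the points the insurer asks about."""
    report = {}
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: evidence that revocation happened
        issues = []
        if a["holder"] is None:
            issues.append("shared credential")
        if not a["mfa"]:
            issues.append("no MFA")
        if a["contract_end"] is None:
            # Without an end date the revocation process has nothing to act on.
            issues.append("no end date recorded")
        elif a["contract_end"] < today:
            issues.append("enabled after contract end")
        if issues:
            report[a["account"]] = issues
    return report

if __name__ == "__main__":
    for account, issues in review_third_party(ACCOUNTS, date(2025, 9, 1)).items():
        print(f"{account}: {', '.join(issues)}")
```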

Ransomware resilience specifically

Ransomware targeting manufacturers is a documented and growing risk, and insurers are well aware of it. The specific questions tend to cover: immutable backups that cannot be encrypted by ransomware, tested recovery from backup, endpoint detection and response deployed across managed devices, and a documented process for isolating affected systems quickly. Demonstrating compliance around ransomware resilience for a manufacturing client means producing evidence for each of these areas, not just confirming they exist.

Building the evidence for manufacturing clients

From what I've seen, the most practical approach is to run a manufacturing-specific insurance readiness assessment 3 to 4 months before the renewal date. This gives time to identify and close the most significant gaps rather than documenting them after the fact.

The assessment covers 5 areas: IT and OT network segregation documentation, production system resilience and recovery planning, third-party and contractor access management, ransomware resilience controls, and the standard IT baseline that applies to all clients. Each area has a documentation requirement alongside the technical control. The gaps between what's in place and what insurers assess for manufacturing clients tend to fall into a consistent pattern, and the gap analysis produces a prioritized list of what needs to be addressed before the questionnaire is completed.

The OT visibility question is worth addressing directly, because it's where a lot of MSPs feel least confident. You don't need to be an OT security specialist to help a manufacturing client with their insurance renewal. You need to understand which questions on the questionnaire relate to OT environments, which parts of the client's environment those questions are asking about, and who within the client organization can provide the relevant documentation. In many manufacturing businesses, the operations manager or production engineer can answer the OT-related questions. Your role is to identify that and help structure the documentation, not to provide the technical OT answers yourself.

For manufacturing cybersecurity at a more technical level, the continuous monitoring piece is where an MSP's SOC capability adds most value. Continuous monitoring coverage across the IT environment, with documented evidence of alerts and responses throughout the year, directly answers the insurer's questions about detection capability. And it's evidence the client can produce immediately rather than reconstructing at renewal time.

The commercial conversation for MSPs

Manufacturing is a large sector with a lot of mid-market businesses that have reasonable IT setups and relatively under-developed security evidence practices. The cyber insurance renewal is a concrete, recurring commercial trigger, and the MSPs who help clients through it well are the ones who become genuinely embedded in the relationship.

What I've seen work is positioning the manufacturing insurance readiness assessment as a named service rather than something that happens informally when the renewal arrives. It has a clear output, a clear scope of work, and a direct commercial benefit for the client. And it naturally leads into a conversation about ongoing monitoring and reporting that keeps the client in good shape for next year's renewal too.

Does that make sense as a commercial framing for this sector? Because from what I've seen across the channel, the MSPs who have proactively built manufacturing as a focus area, rather than waiting for the client to raise the insurance question, are finding it one of the more productive vertical conversations they're having.

FAQ

How can a UK manufacturer evidence continuous security monitoring for a cyber insurance renewal without building a SOC?

The most practical route is to work with an MSP who provides managed security monitoring as a service and produces structured monthly reports that document alert activity, control coverage and incident resolution throughout the year. That reporting gives the manufacturer 12 months of continuous monitoring evidence to present at renewal without the overhead of building or running a SOC internally. The key is that the reporting is structured and consistent month to month, so it functions as an evidence trail rather than a series of ad hoc updates.

What does a cyber insurer want to see from a manufacturer specifically?

Do manufacturing clients need specialist OT security for insurance purposes?

How far in advance should an MSP start insurance renewal preparation for a manufacturing client?

What is the most common gap for manufacturing clients in insurance questionnaires?

Is manufacturing-specific cyber insurance different from standard business cyber insurance?

About Author

Hannah Lloyd

Hannah Lloyd is CRO and co-founder of enhanced.io. She leads global new business generation and works directly with MSP partners to build and sell security practices.