I gave this talk at the Fortinet OT Summit 2026 because I keep running into the same gap inside industrial organizations — a gap that doesn't show up on a network diagram and won't be closed by another firewall. It's the gap between what an OT incident does and how the business actually accounts for it.
For years we treated OT cyber as a security problem. It isn't anymore. It's a balance-sheet problem.
As industrial operations get more connected and more modernized, the range of things that can go wrong financially gets wider — not narrower. A single OT event can trigger business interruption, equipment damage, environmental liability, contractual penalties, and in the worst case, safety impacts. None of those land in the SOC. They land in the P&L, the insurance program, and occasionally the front page.
That's the reframe I want every CISO, CFO, and engineering leader to make: stop asking "are we secure?" and start asking "what does this cost us, and who carries it?"
Here's the part that surprises people. Many organizations assume they're covered — and then discover, after an incident, that they weren't. Traditional cyber policies were written for data and IT. Property policies were written for fires and floods. A cyber-triggered physical loss in a plant can fall into the seam between the two, where neither policy fully responds.
That seam is the cyber-physical insurance gap. You can't close it by buying more of the wrong coverage. You close it by quantifying the exposure in financial terms first, then structuring coverage around the actual loss distribution — not around a checklist.
The bridge between the engineering view and the financial view is risk quantification. This is the heart of the talk, and it's the heart of what we build at DeNexus.
Cyber Risk Quantification translates technical reality — your architecture, your threat exposure, your controls — into the language the business runs on: Expected Annual Loss and Value at Risk, expressed as a loss exceedance curve rather than a red-amber-green heat map. That's DeRISK CRQ. Once loss is quantified, you can do something a heat map never lets you do — put a dollar figure on the benefit of a given mitigation before you spend the budget, and prioritize accordingly. CRQ and DeRISK QVM handle that reduce step.
This is the move from "this CVE is critical" to "this scenario carries this much expected annual loss, and this control reduces it by this much." Engineers keep their rigor; finance gets numbers it can defend.
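To make that quantification step concrete, here is an added example (not from the talk, and not DeNexus's model): a generic frequency/severity Monte Carlo that produces Expected Annual Loss, Value at Risk, points on the loss exceedance curve, and the dollar benefit of a control. The scenario parameters, the assumed control effect, and all function names are constructed for illustration.

```python
import math
import random

def poisson(rng, lam):
    """Draw an event count for one year (Knuth's method, fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(freq, median, sigma, years=50_000, seed=7):
    """Sorted annual losses: Poisson event count, lognormal loss per event."""
    rng = random.Random(seed)
    mu = math.log(median)
    return sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, freq)))
        for _ in range(years)
    )

def expected_annual_loss(losses):
    return sum(losses) / len(losses)

def value_at_risk(losses, q):
    """Annual loss not exceeded in a fraction q of simulated years."""
    return losses[min(len(losses) - 1, int(q * len(losses)))]

def exceedance_probability(losses, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)

# Constructed scenario: OT intrusion that stops production at one plant.
BASELINE = dict(freq=0.20, median=2_000_000, sigma=1.0)
# Assumption for illustration: the candidate control halves event frequency.
WITH_CONTROL = dict(freq=0.10, median=2_000_000, sigma=1.0)

def mitigation_benefit(control_cost_per_year):
    """EAL with and without the control, and the net annual benefit."""
    base = expected_annual_loss(simulate_annual_losses(**BASELINE))
    ctrl = expected_annual_loss(simulate_annual_losses(**WITH_CONTROL))
    return base, ctrl, (base - ctrl) - control_cost_per_year

if __name__ == "__main__":
    losses = simulate_annual_losses(**BASELINE)
    print(f"EAL      {expected_annual_loss(losses):>12,.0f}")
    print(f"VaR 95%  {value_at_risk(losses, 0.95):>12,.0f}")
    for t in (1e6, 5e6, 10e6):
        print(f"P(loss > {t:,.0f}) = {exceedance_probability(losses, t):.3f}")
    print("net benefit of control:", round(mitigation_benefit(150_000)[2]))
```

In most simulated years the loss is zero, which is why the mean (EAL) and the tail (VaR, exceedance probabilities) have to be read together when setting retention and limits.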
Once you can see the loss distribution, the insurance conversation changes completely. You're no longer guessing at limits. You can decide — deliberately — which risk to retain on the balance sheet and which to transfer to an insurer, with numbers both sides recognize.
That's also why we built DeRISK UWA Agentic, launched in May 2026 — to give underwriters and actuaries the same quantified view of industrial cyber risk that operators get, so the transfer market can finally price this exposure with confidence. Quantify, reduce, transfer — that's the whole arc.
If this resonates, the next step is to see it on your own numbers. Book a 30-minute walkthrough of the DeRISK platform — we'll show you what quantifying, reducing, and transferring OT cyber risk looks like for an operation like yours.