
OT Underwriting Evidence Starts with the Right Questions

IT security underwriting questionnaires (a.k.a. UWQs) were not designed for OT environments. Most OT supplemental questionnaires are adapted from IT security questions, producing three compounding problems: the wrong questions are asked, exhausted respondents provide incomplete answers, and the resulting IT security attestation tells the underwriter little about the OT risk they are actually pricing. OT underwriting evidence starts with knowing which controls reduce financial risk in ICS/OT environments, asking questions prioritized around those controls, and, where possible, replacing annual attestations with data-driven evidence that reflects current conditions.


The IT UWQ was built for a different problem

IT security underwriting questionnaires were developed around the risks that drive IT cyber losses: privacy regulation compliance (GDPR, PCI, HIPAA), data loss prevention (DLP), and data breaches involving personal or financial records. These are legitimate IT concerns. They are largely irrelevant to the risks that define OT cyber exposure: production downtime, equipment damage, environmental release, and safety consequences.

The questions that reflect those IT priorities cover endpoint protection coverage, email security controls, cloud security posture, patch cadence for servers and workstations, data classification and handling procedures, and business record backup. OT environments have only about half of these concerns in common with IT.


What is typically missing or poorly addressed in OT supplemental questionnaires:

  • Is an OT network perimeter defined and enforced with electronic access controls?
  • How well is communication restricted inbound/outbound at the IT-OT boundary?
  • How are ICS/OT remote access sessions authorized, monitored, and terminated?
  • What is the patching approach for the OT perimeter and DMZ? What about field devices (PLCs, RTUs, DCS controllers), given operational constraints?
  • Does OT-specific logging exist, and are SOC analysts trained on its context and the appropriate response actions?
  • Is there an OT-specific incident response plan for maintaining operations while degrading gracefully?
  • Can the OT environment operate safely in isolation if the IT network is compromised?


When those questions are not asked, the underwriter faces an assumption problem. From my experience across more than 20 years of OT security audits: assume OT is far behind IT. IT and OT are managed by different parts of the organization, with different priorities, skills, tools, vendors, and accountability structures. A "yes" to MFA implementation on the IT questionnaire almost never means MFA is in place in the OT environment. The two are not correlated in the way underwriters need them to be.


Question fatigue compounds the problem

IT UWQs have grown substantially. Many now range from 30 to 400 questions, covering identity and access management, endpoint protection, cloud security posture, patch management, incident response, business continuity, third-party risk management, and compliance across multiple regulatory frameworks.

By the time an applicant completes that questionnaire and reaches the OT supplemental, they are facing significant question fatigue. The result is predictable: OT supplemental responses tend to be shorter, vaguer, and more frequently incomplete than IT questionnaire responses. The portion of the application that matters most for industrial organizations, the OT-specific section, receives the least careful attention because it comes last.

It is also often completed by the IT organization rather than the OT organization.

This is not deliberate misrepresentation. It is exhaustion producing incomplete evidence, and it is a systemic problem in how OT cyber risk is currently underwritten.


IT security evidence is not OT security evidence

Beyond the question design, there is a more fundamental issue: an IT security attestation does not constitute OT security evidence. The two environments are managed by structurally different parts of the organization with very different priorities.

The IT security team, typically responsible for completing the UWQ, manages corporate networks, endpoints, cloud infrastructure, and data systems. The OT team, typically controls and automation engineers, manages PLCs, DCS, SCADA, HMIs, historians, and the networks that connect them to the physical process.

Different teams. Different skills. Different priorities. Different tools. Different vendors. Different change management. The IT security team completing the questionnaire often has no visibility into OT security posture. The OT team that does have that visibility is rarely involved in the insurance application process.

The attestation that results represents the IT view, at best. It provides no reliable signal about OT risk.


Building an OT UWQ from what actually reduces financial risk

When DeNexus was commissioned by a major insurer to develop a better OT-specific underwriting questionnaire, the starting point was not questionnaire design. It was research: which controls actually reduce financial risk (i.e., the cost of cyber impact) in ICS/OT environments?

I [Donovan] led that project. The methodology included interviews with more than eight OT cybersecurity experts, each with 15 or more years of field experience, combined with a review of OT-specific guidance, published research, and incident data. Fourteen control areas were identified and ranked by their effectiveness at reducing financial exposure in ICS/OT environments. The top six form the foundation of an effective OT UWQ. [1]


Briefly, the six:

  1. Defensible Architecture: a defined OT network perimeter with enforced ingress and egress controls. Without a perimeter, there is no foundation for protection, detection, or containment.
  2. Secure the Perimeter and External Access: the leading OT attack vectors target remote access and internet-exposed devices. This control addresses those vectors directly.
  3. Secured and Tested Backups: ransomware operators destroy backups to increase payout likelihood. Immutable, offsite, restoration-tested backups are the recovery baseline.
  4. Logging and OT-specific IR/DR Plans: detection and recovery are not possible without OT-native logs and plans. IT incident response plans do not cover OT scenarios.
  5. Harden Shared Infrastructure: shared Active Directory domains, virtual hosts, and DMZ assets are how attackers move from IT into OT. Hardening these assets is higher priority than hardening many OT field devices.
  6. IT-OT Dependency and Failure Resilience: OT must be able to operate safely in isolation or degraded mode if IT is under attack. That requires dependency mapping and validated isolation capability.


Starting from "what reduces financial risk" changes the question design entirely. The questionnaire prioritizes the controls that matter most for OT cyber loss outcomes, rather than adapting IT security questions that were never designed for operational technology.


From attestation to data-driven evidence

Even a well-designed OT UWQ has a fundamental limitation: it is an annual snapshot. OT cyber posture changes continuously. Vendors gain standing access and are never formally decommissioned. Configurations drift between assessments. Vulnerabilities accumulate. Institutional knowledge retires with staff, or staff members change. An attestation completed today may not reflect the posture that exists when an incident occurs twelve months from now.

The insurance industry needs timeliness and confidence. Annual questionnaire attestations provide neither for OT environments.

Data-driven evidence is the upgrade path. Existing OT cybersecurity tools (e.g., firewalls, OT network monitoring, vulnerability scans) can produce the evidence that questionnaires can only ask about:

  • Cyber asset inventories: reveal the actual infrastructure the OT team is responsible for managing, including assets that may not appear in any existing documentation.
  • Discovered vulnerabilities: surface technical debt, patching gaps, and compensating control coverage without active probing that risks disrupting control systems.
  • Network communication links: who communicates with whom, and across which boundaries, reveals actual segmentation from the Internet and the corporate network, not assumed segmentation based on architecture diagrams that may not reflect current field reality.
  • Firewall rules: analysis of firewall configurations reveals which vulnerabilities have been mitigated at the perimeter and which remain exposed. It also signals the rigor that goes into access list filtering at the port/protocol level versus 'ip any any'.
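As an added illustration of the firewall-rule and boundary-communication evidence described above (this is not DeNexus code or a DeRISK feature), the following Python labels each rule in a constructed, simplified access list by its filtering rigor and lists the permits that let IT-zone traffic into the OT zone without port/protocol restriction. The rule syntax and the IT/OT zone prefixes are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: simplified, vendor-neutral access-list lines for an
# IT-OT boundary firewall (not taken from any real configuration).
SAMPLE_RULES = """
permit tcp 10.10.0.0/16 172.16.50.0/24 eq 443
permit ip any any
permit tcp any 172.16.50.10/32 eq 3389
permit tcp 10.10.5.0/24 172.16.0.0/16 eq 502
deny ip any any
"""

# Assumed zone prefixes (constructed): corporate IT and the OT cell network.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("172.16.0.0/12")

RULE_RE = re.compile(r"^(permit|deny)\s+(\w+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?$")

def parse_rules(text):
    """Parse each line into a dict: action, proto, src, dst, port (or None)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        rules.append(dict(zip(("action", "proto", "src", "dst", "port"), m.groups())))
    return rules

def touches_zone(addr, zone):
    # 'any' always reaches the zone; otherwise test prefix overlap
    return addr == "any" or ipaddress.ip_network(addr).overlaps(zone)

def classify(rule):
    """Rigor label for a rule: 'any-any', 'broad', 'specific' or 'deny'."""
    if rule["action"] != "permit":
        return "deny"
    if rule["proto"] == "ip" and rule["src"] == "any" and rule["dst"] == "any":
        return "any-any"
    if rule["src"] == "any" or rule["dst"] == "any" or rule["port"] is None:
        return "broad"
    return "specific"

def boundary_findings(rules):
    """Permit rules letting IT-zone traffic into the OT zone without port/protocol rigor."""
    return [r for r in rules
            if classify(r) in ("any-any", "broad")
            and touches_zone(r["src"], IT_ZONE)
            and touches_zone(r["dst"], OT_ZONE)]
```

Run against a real export, the two findings here are the lines an underwriter would want explained rather than covered by a "yes, we are segmented" attestation.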


The distinction from questionnaire attestations: data does not ask "do you have network segmentation?" and accept a yes or no. It shows the actual communication paths. The evidence speaks for itself. DeNexus DeRISK CRQ uses OT telemetry of this type for its data-driven evidence, providing the continuous, facility-level visibility that annual questionnaires cannot.


Why this matters to the OT asset owner

Better OT evidence quality has a direct benefit to the asset owner, not only to the insurer.

When insurers can see actual, current OT risk data rather than an annual questionnaire snapshot, they can understand the portfolios they hold more accurately. They also recognize and value customers who make risk-based cyber decisions. That understanding allows them to manage risk more precisely, extend higher limits to well-managed facilities, and offer more stable terms at renewal.

The OT asset owner who can demonstrate current, credible evidence of their security posture can earn access to better cyber insurance outcomes. Not because they negotiated harder, but because the evidence justified it. Data-driven evidence is the mechanism that connects OT security investment to insurance market outcomes.


Closing

OT underwriting evidence starts upstream: knowing which controls reduce financial risk in ICS/OT environments, designing questions around those priorities, and, where possible, replacing annual attestations with data that reflects current conditions.

The questionnaire will not disappear, and it should not. But its role can evolve from the primary evidence source for OT risk to the structural framework that data-driven evidence fills in. That evolution benefits OT asset owners, insurers, and the broader risk transfer ecosystem that depends on credible OT cyber risk assessment.


For more information on OT cybersecurity underwriting, refer to the conference session "OT Cyber Insurance & Risk Transfer: Right-Sizing Coverage Using Evidence, Not Guesswork", presented at the ISA OT Cybersecurity Summit in Prague by:

  • José Seara, Founder & CEO, DeNexus
  • Rébiah Bardot-Girard, Head of Cyber Risk Consulting Services, AXA XL


References

[1] DeNexus. "Top 6 Cybersecurity Solutions for Industrial Environments." January 14, 2026. https://www.denexus.io/resources/top-6-effective-cybersecurity-solutions-industrial-environments