Manufacturers across Asia-Pacific are carrying uninsured exposure to cyberattack-triggered physical damage, with insurance purchasing patterns failing to reflect the scale of the threat facing the region’s industrial base, Lloyd’s specialist insurer Tokio Marine Kiln (TMK) warns. In a statement released June 25, TMK said the mismatch between where manufacturing risk is concentrated and where insurance protection is most developed has reached a point where large industrial losses could fall entirely outside the scope of existing cover. The insurer’s underwriting data shows that major regional corporates are routinely purchasing multi-million-dollar property programs to protect multi-billion-dollar industrial assets while those same assets carry no coverage for losses originating from a cyberattack.
Asia-Pacific generates more than half of global manufacturing output, according to the United Nations Industrial Development Organization, yet holds just 10% of global cyber insurance premium. North America, by comparison, commands 66% of global cyber premium despite a considerably smaller industrial footprint. Swiss Re’s September 2025 analysis further shows that cyber insurance penetration among small and medium enterprises in Asia sits below the global average of approximately 10%, leaving the majority of the region’s industrial operators without dedicated cover.
IBM’s X-Force Threat Intelligence Index 2025 found that Asia-Pacific accounted for approximately one-third of global cyber incidents in 2024 – the highest regional share, up 13% year-on-year – with manufacturing identified as the most targeted sector globally. Verizon Business’s Asia-Pacific release of its 2025 Data Breach Investigations Report found that four out of five regional data breaches originated from system intrusion attacks – up from 38% the prior year – with ransomware present in 51% of breaches and malware in 83%.
Munich Re’s Cyber Insurance: Risks and Trends 2025 report identifies manufacturing as the industry with the highest proportion of ransomware claims in its dataset. The reinsurer also flags the convergence of operational technology, industrial Internet of Things systems, and AI-driven robotics as a risk frontier that will further complicate cyber-physical underwriting – and notes that the concentration of uninsured industrial cyber-physical risk in Asia-Pacific creates unmodelled accumulation exposure that reinsurers have yet to fully account for.
TMK attributes the protection shortfall to a structural fault line between two standard policy types. Cyber policies are written around data and network exposures and exclude physical damage. Property policies cover physical perils but exclude losses originating from a cyber event. When a cyberattack disrupts or damages industrial machinery, neither policy may respond as policyholders expect. This gap has a traceable regulatory origin. Lloyd’s Market Bulletin Y5258, implemented through Y5277 from January 2020, required all Lloyd’s syndicates to either affirmatively include or explicitly exclude cyber cover in property damage policies – the silent cyber mandate intended to eliminate ambiguity in property books. In practice, syndicates responded predominantly with exclusion. The result for industrial policyholders is a defined gap: cyber is removed from property policies while standalone cyber policies have not been uniformly extended to cover physical damage.
Georgie Furness-Smith, cyber underwriter at TMK Asia, said the growing integration of information technology and operational technology is reshaping the threat profile for industrial operators in ways the current market structure does not adequately address. “As operational technology becomes more integrated with IT systems, cyberattacks are increasingly targeting systems that control industrial activity, raising the potential for disruption to physical operations impacting machinery, facilities, and production processes,” Furness-Smith said.
She attributed part of the market’s slow response to the absence of large, publicised losses: “One of the reasons this risk remains underinsured is that it has not yet translated into a large number of visible losses, so it is not always prioritised by buyers. However, the underlying risk is building. We are seeing more attacks targeting the systems that control industrial operations, while the way these risks are assessed and insured is still largely based on traditional IT exposures.”
TMK identifies manufacturing, logistics, healthcare, utilities, and power generation as the sectors carrying the greatest exposure, given their dependence on interconnected operational technology where a disruption at one point can propagate across integrated production networks. Underwriting this risk category requires more than cybersecurity expertise – it demands an understanding of how industrial control systems behave under stress, a capability that sits outside conventional IT-focused underwriting frameworks. “Insuring cyber physical damage risk requires a different level of understanding – not just of cyber security, but how industrial systems behave under stress. That is where the gap between exposure and protection becomes most pronounced,” Furness-Smith said.
INTERPOL’s 2025/2026 Asia and South Pacific Cyberthreat Assessment Report, published June 17, recorded more than 6.5 billion cyber threats detected and mitigated across the region during 2024, with ransomware striking more than 135,000 targets and distributed denial-of-service attacks rising 92% year-on-year. INTERPOL cybercrime director Neal Jetton noted that “cybercriminals are leveraging artificial intelligence, ransomware-as-a-service models and sophisticated social engineering techniques on an industrial scale.”
TMK said a limited number of insurers – including itself, drawing on more than a decade of relevant underwriting experience – currently offer affirmative coverage for cyberattack-triggered physical damage and resulting business interruption. The broader market has been slower to develop dedicated products for this exposure class. Regulatory momentum is building in parallel, though it has not yet translated into wider industrial cyber insurance take-up.
The Monetary Authority of Singapore (MAS) established its Cyber and Technology Resilience Experts Panel in April 2025 to advise on technology and cyber resilience across the financial sector. Separately, MAS is supporting a Cyber Risk Management Project at Nanyang Technological University’s Insurance Risk and Finance Research Centre focused on supply and demand constraints in the cyber insurance marketplace – signalling that the regulator treats insurance market development as a supervisory concern rather than a peripheral one.
TMK said its full findings will be published in a white paper on Asia-Pacific risk and protection gaps later in 2026. With low regional premium penetration, rising attacks on operational technology, and limited affirmative product availability, the protection gap for the region’s industrial base is more likely to widen than narrow until specialist underwriting capacity expands to meet it.
