Merck A.I CyberSecurity Scoring
Merck
Company Information
Website: http://merck.us/2J2xAUh
Number of employees: 44,762
Number of followers: 2,635,829
NAICS: 3254
Industry Type: Pharmaceutical Manufacturing
Homepage: merck.us
Merck Risk Score (AI oriented)
Between 750 and 799
Merck, Pharmaceutical Manufacturing
Updated: 20/05/2026
798/1000
Fair
Baa
Merck Global Score (TPRM)
Score locked

Merck: Fair
Current Score: 798 Baa (FAIR), on a scale of 0 to 1000
3 incidents
-35 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 800
MAY 2026: 798
APRIL 2026: 798
MARCH 2026: 797
FEBRUARY 2026: 797
JANUARY 2026: 796
DECEMBER 2025: 794
NOVEMBER 2025: 794
OCTOBER 2025: 793
SEPTEMBER 2025: 827
Breach
22 Sep 2025 • Merck
Merck Sharp & Dohme LLC (Merck)
Data Breach at Merck via Third-Party Service Provider Graebel Companies
792
HIGH-35
MER3502435111825
On September 22, 2025, Merck, a New Jersey-based pharmaceutical company, was alerted that its third-party service provider, Graebel Companies, suffered a data breach exposing sensitive personal and financial information of current and former employees. The compromised data includes names, dates of birth, addresses, phone numbers, Social Security numbers, and financial account details, heightening risks of identity theft and fraud.
The breach was formally disclosed to the Massachusetts Attorney General’s office on November 17, 2025, though the exact number of affected individuals remains undetermined. Merck collaborated with Graebel to contain the incident, strengthen security measures, and notify impacted employees. As a remedial step, Merck is providing 24 months of complimentary credit monitoring and identity theft protection via TransUnion.
The exposure of personally identifiable information (PII) and financial records, particularly through a third-party vendor, underscores vulnerabilities in supply chain cybersecurity and the potential for long-term reputational and financial harm to both employees and the company.
AUGUST 2025: 827
JULY 2025: 826
JUNE 2025: 834
Cyber Attack
01 Jun 2025 • Merck
Merck: Rising breach costs and operational downtime redefine economics of OT cybersecurity making it boardroom priority
The Hidden Costs of Industrial Cybersecurity: OT Breaches and Risk Reshaping
826
CRITICAL-8
MER1775377932
The Hidden Costs of Industrial Cybersecurity: Why OT Breaches Are Reshaping Risk Calculations
The economics of industrial cybersecurity are undergoing a fundamental shift, moving beyond preventive spending to account for the cascading financial and operational impacts of cyber incidents. With attacks on operational technology (OT) systems rising, the true cost of breaches now extends far beyond ransom payments, encompassing production halts, supply chain disruptions, regulatory penalties, and long-term reputational damage.
### The Staggering Financial Toll of OT Breaches
According to IBM’s Cost of a Data Breach Report 2024, the global average cost of a breach has reached $4.88 million, with healthcare incidents exceeding $7 million and ransomware attacks averaging $10 million. OT-specific breaches alone carry an average price tag of $4.56 million, driven by production losses, safety risks, and regulatory fallout. Yet ransom payments represent only a fraction of these costs: unplanned downtime in manufacturing, for instance, costs industrial firms up to $50 billion annually, with the average manufacturer losing 800 hours of production time per year.
For industrial companies, the financial damage often exceeds immediate recovery expenses. One in four firms experiencing a cyber incident reports losses surpassing $5 million, with downstream effects rippling through supply chains and eroding investor confidence. The stakes are higher in critical infrastructure, where breaches can trigger safety failures, environmental disasters, or even loss of life, risks that defy traditional cost-benefit analysis.
### A Paradigm Shift: From Compliance to Board-Level Risk
The growing severity of OT threats has elevated cybersecurity from a regulatory checkbox to a strategic business imperative. Insurers, now a key driver of this shift, are tightening underwriting standards, demanding evidence of segmentation, asset visibility, and incident response readiness. With the cyber insurance market projected to reach $16.3 billion by 2025, firms lacking mature OT security programs face higher premiums or outright denial of coverage.
This pressure is reflected in spending trends: global cybersecurity investment is expected to hit $240 billion by 2026, with OT security among the fastest-growing segments. Industrial leaders are no longer debating whether to invest but how to align spending with real economic exposure. As Jacob Marzloff of Armexa notes, the question has shifted from “How much does security cost?” to “What is the financial exposure of not having adequate controls?”
### The Threat Landscape: Nation-State Actors and Unremediated Risks
The urgency is underscored by escalating threats from state-sponsored actors. U.S. agencies warn that Volt Typhoon, a China-linked group, has pre-positioned itself in IT networks to disrupt OT systems across energy, water, and transportation sectors. Dragos reports that some compromised utilities may never be fully remediated, while Iran-backed groups like Pyroxene and Bauxite have demonstrated destructive OT capabilities, including attacks on U.S. water utilities.
These adversaries exploit long dwell times: BRICKSTORM, another China-nexus actor, maintained access for an average of 393 days before detection. The result? A threat environment where pre-positioned attackers with demonstrated intent to cause physical harm force organizations to rethink security as a matter of operational resilience, not just breach prevention.
### The Challenge of Quantifying OT Risk
Unlike IT breaches, OT incidents defy standardized cost modeling. Tony Turner of Frenos highlights three critical gaps:
1. Insufficient Data: Industrial breaches are too infrequent for reliable statistical modeling.
2. Unpredictable Outcomes: A disruption at an auto plant differs fundamentally from a pipeline shutdown.
3. Unknown Downside: Most firms lack a credible view of cyber-physical event costs across safety, operations, and regulatory impact.
As Maarten Oosterink of Indurex argues, “You cannot put a price tag on safety or environmental disaster to calculate an ‘acceptable ROI’ for cybersecurity.” Instead, organizations are adopting consequence-based risk assessments, using frameworks like ISA/IEC 62443 to prioritize investments based on operational impact rather than theoretical vulnerabilities.
### Building the Business Case for OT Security
To secure buy-in from CFOs and boards, security leaders are reframing OT cybersecurity as a strategic risk management function, not an IT cost center. Key strategies include:
- Translating risk into financial terms: Quantifying downtime, regulatory exposure, and recovery costs as P&L liabilities.
- Aligning with operational metrics: Focusing on production availability, mean time to recovery, and avoided penalties.
- Prioritizing high-consequence events (HCEs): Identifying assets where failure would trigger safety incidents or sustained production losses.
David Mussington of the University of Maryland emphasizes that “CFOs respond to margin impact, not CVE counts.” Meanwhile, Turner advocates for scenario-based planning, where security investments are tied to tangible outcomes: “If a refinery goes down, nobody cares how many vulnerabilities were patched. They care how fast you recover.”
### Investment Priorities: Legacy Systems vs. Modernization
With resources constrained, industrial firms must balance protecting legacy systems against adopting new technology. Experts recommend:
- Risk-based sequencing: Upgrading only where disruption would have the greatest operational or financial impact.
- Compensating controls: Using segmentation and monitoring to mitigate risks in legacy environments.
- Security-by-design: Embedding cybersecurity in procurement contracts for new technology.
Turner stresses that “people are the highest-return investment”, advocating for teams with industrial expertise who can bridge the gap between security and operations. Without this, even the best frameworks remain theoretical.
### The Limits of Cyber Insurance
While insurers are pushing for stricter OT security standards, coverage gaps persist. Policies often exclude safety impacts, prolonged disruptions, and nation-state attacks, the very scenarios most critical to industrial firms. As Oosterink notes, “Insurance cannot compensate for poor engineering or weak security practices.” The Merck vs. insurers dispute over NotPetya losses, settled only in 2024, underscores the limitations of risk transfer.
Ultimately, cyber insurance is evolving into a market signal, one that highlights exposure but cannot replace robust security. As Mussington concludes, “The renewal process has become an unintentional security audit, exposing maturity gaps that internal reviews missed.”
### The New Equation: Security as Operational Continuity
The industrial cybersecurity landscape is no longer defined by the cost of security vs. cost of breach but by the financial and operational consequences of inaction. With adversaries increasingly targeting physical systems, the imperative is clear: OT security must be treated as a core business function, not a discretionary expense. The question is no longer if organizations will invest but whether their strategy accounts for the real economic value of resilience.
JUNE 2017: 835
Cyber Attack
01 Jun 2017 • Merck
Merck
Cyber-Attack on Merck
828
CRITICAL-7
MER1502422
The computer systems of Science and Technology company Merck were targeted in a sophisticated cyber-attack.
The company immediately took preventive steps to contain the attack and informed its employees to disconnect mobile phones from the network.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Merck?
What was Merck's A.I Rankiteo Cyber Score in May 2026?
What was Merck's A.I Rankiteo Cyber Score in April 2026?
What was Merck's A.I Rankiteo Cyber Score in March 2026?
What was Merck's A.I Rankiteo Cyber Score in February 2026?
What was Merck's A.I Rankiteo Cyber Score in January 2026?
What was Merck's A.I Rankiteo Cyber Score in December 2025?
What was Merck's A.I Rankiteo Cyber Score in November 2025?
What was Merck's A.I Rankiteo Cyber Score in October 2025?
What was Merck's A.I Rankiteo Cyber Score in September 2025?
What was Merck's A.I Rankiteo Cyber Score in August 2025?
What was Merck's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Merck's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Merck?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Merck's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?