Manufacturing now accounts for more than one in four cyberattacks globally, making it the most targeted sector for the fifth consecutive year. Ransomware incidents against the sector surged 61% year over year through the first three quarters of 2025 — the sharpest growth of any industry. Our new report, The State of Cybersecurity in Manufacturing, puts financial specificity behind those numbers. It draws on nearly five years of Resilience’s proprietary claims data, spanning March 2021 through February 2026, and identifies which failures actually drive loss, where the money concentrates, and which controls deliver the highest leverage for the investment. The full report is available now — download it here.

Ransomware drives almost all of the financial damage

Ransomware makes up only about 12% of claims in the Resilience manufacturing portfolio. But it drives 90% of incurred losses.

That concentration shapes everything about how manufacturers should think about their risk profile. The day-to-day claim baseline — transfer fraud, email compromise, minor incidents — holds remarkably steady quarter to quarter. Most manufacturers in the portfolio handle those threats well. The financial volatility comes from whether a given quarter includes a material ransomware event, and a single BlackCat-attributed incident represents the most expensive loss in the entire dataset. We saw the same pattern across all sectors in the 2025 Cyber Risk Report, where ransomware dominated total loss despite representing a minority of claims. The implication is practical: reducing claim frequency does not meaningfully change your financial exposure. Targeting the controls that prevent or contain ransomware does.

The costliest failure is a control that was already deployed

The single most expensive point of failure in the portfolio is MFA misconfiguration — multi-factor authentication that a team deployed but configured improperly, failed to enforce on all accounts, or left subject to bypass conditions. MFA misconfiguration accounts for approximately 26% of all incurred losses, more than three times the 8% attributable to having no MFA at all. The most expensive ransomware event in the dataset, the BlackCat incident, traces directly to misconfigured MFA. The control existed. It did not work the way the team intended.

The finding reframes the MFA conversation. The question for your next audit is not whether MFA is in place but whether every account is enforced, whether bypass conditions have crept in since the initial rollout, and whether your conditional access policies still match how your team actually works. In our data, closing those gaps ranks among the highest-leverage actions a manufacturing security team can take.

Unpatched software feeds the most severe ransomware events

Software vulnerability exploits account for approximately 13% of total portfolio losses, concentrated in high-severity ransomware events that Resilience attributed to Black Basta and Cactus. These are not data breaches — they are ransomware outcomes enabled by unpatched software.

The finding carries particular weight in manufacturing, where teams often cannot patch legacy OT systems without taking production offline. The financial cost of that technical debt shows up directly in the claims data. If you are still running end-of-life infrastructure, you face a version of the challenge we explored in why killing legacy systems might be your smartest financial move — except in your environment, production dependencies complicate every patching decision. Where your team cannot patch, compensating controls — network isolation, virtual patching, enhanced monitoring — become the critical line of defense.

Phishing drives the most frequent claims

Transfer fraud and email compromise together account for nearly 30% of all claim activity in the portfolio, and phishing serves as the point of failure in virtually all transfer fraud claims. The average transfer fraud claim pays out roughly ten times what the average email compromise claim costs.

These incidents do not dominate the total loss picture — ransomware holds that position. But they represent the most consistent source of claims by volume, and they are addressable through procedural controls: out-of-band verification for payment changes, dual authorization for large transactions, and targeted training for finance and accounting teams.

What the full report covers

The findings above are the headlines. The full report traces the history of manufacturing cybersecurity from air-gapped assumptions through Stuxnet, WannaCry, and NotPetya to the current threat landscape. It breaks down the claims data by cause of loss, point of failure, and quarterly trend. It maps each finding to a specific strategic priority, ordered by demonstrated financial impact in the portfolio. And it covers the structural vulnerabilities — IT/OT convergence, legacy systems, the cybersecurity maturity gap — that make this sector uniquely exposed.

Download The State of Cybersecurity in Manufacturing here.