Why Infrastructure Funds Should Care About OT Cyber Risk | DeNexus

Written by Jose M Seara | Jan 21, 2026 10:31:34 PM
This post is part one of a 4-part series for infrastructure fund professionals (GPs, portfolio operations, and risk leaders) focused on Operational Technology (OT) cyber risk and cyber-physical loss. 

 

Infrastructure assets increasingly depend on automation. Turbines, pumps, compressors, substations, rail signaling, and treatment plants are operated by Operational Technology (OT) - industrial control systems that translate digital commands into physical outcomes. 

For investors, OT is usually discussed as an efficiency and reliability story. In cyber risk terms, it is also the pathway where a compromise can become an operational disruption, a safety event, or physical damage. That distinction matters because cyber-physical loss maps directly to availability, cash flow stability, refinancing terms, and exit valuation. 

I am Jose Seara, CEO and founder of DeNexus. I come from the infrastructure business and built DeNexus after seeing how often diligence and assurance focus on corporate IT controls while the economic value is concentrated at the asset's OT layer.

 

OT risk is portfolio risk, not just an operating-company issue 

Infrastructure funds are exposed to OT cyber risk because their portfolio companies invest in and operate assets where OT is embedded in daily operations. When OT is compromised, the consequences propagate through the ownership chain. 

  • Distributions and liquidity: outage-driven revenue loss and unplanned OPEX volatility pressure cash yields. Research shows returns reduced by 14-18% compared to estimates (see the extreme attacks blog post).
  • Covenants and refinancing: operational incidents can trigger tighter terms, higher spreads, or extended diligence. 
  • Reputation and stakeholder trust: critical infrastructure events attract regulator, customer, and public scrutiny. 

 

Why traditional cyber assessments miss the economic exposure 

Many cyber programs are built around corporate IT: email security, endpoints, identity, and data protection. Those controls are necessary but not sufficient for OT. OT environments often include long-lived equipment, vendor-managed access, safety constraints, and uptime requirements that limit patching and architectural change. 

The result is a common mismatch: a portfolio company may score well on generic cyber frameworks while the asset-level OT pathways that drive downtime and physical loss remain under-modeled. 

  • Connectivity pathways: remote access, vendor connections, and IT/OT integration create bridge points. 
  • Legacy constraints: control systems may run for decades and cannot be upgraded like IT systems. 
  • Operational prioritization: availability and safety can outweigh security changes unless risk is clearly quantified. 
  • Digitalization: ongoing digitalization accelerates the integration and convergence of IT and OT systems, increasing cyber risk and exposure.

 


What good looks like for infrastructure funds 

Funds do not need to become OT operators, but they do need a fund-level view of cyber-physical exposure and a repeatable governance model. A pragmatic posture is to treat OT cyber risk like any other material operational risk: quantify exposure, prioritize mitigations, and monitor residual risk over time. 

  • Adopt a portfolio-wide OT risk taxonomy and minimum information set for all assets. 
  • Require scenario-based reporting for material assets (downtime, recovery timeline, safety constraints, and loss drivers). 
  • Track leading indicators that management can influence (remote access hardening, segmentation, backups, incident response readiness). 
  • Integrate OT cyber risk into investment committee (IC) memos, 100-day plans, refinancing packages, and board oversight. 

 

The bridge to action: quantification that supports decision-making 

The critical shift is to translate technical pathways into financial exposure. That enables consistent prioritization: which assets matter most, which scenarios drive tail loss, and which mitigations create measurable risk reduction. 

This is the purpose of OT Cyber Risk Quantification: to produce defensible, investor-usable outputs that align operators, risk teams, lenders, and insurers. 
