
Is Your Northeast Indiana Shop Ready for 2027’s Cybersecurity Pressures?

Key Takeaways:

  1. The pressure on northeast Indiana shops in 2027 isn’t one threat — it’s three running at the same time: ransomware that specifically targets manufacturing, cyber insurance carriers voiding claims for misrepresented controls, and OEM / prime questionnaires that freeze contracts for months while buyers review your posture.
  2. Most shops fail not because they don’t have controls, but because nobody’s verified the controls actually work the way the IT guy said they would. The insurance application asks a binary yes/no. The carrier denies the claim if the answer was wrong, regardless of intent.
  3. A 45-employee Wisconsin manufacturer lost roughly $1.2M and 12 jobs to a single ransomware incident — and they had an MSP the whole time. Having an MSP doesn’t mean being ready. Knowing what your MSP is and isn’t doing for you is the difference.
  4. CMMC Level 2 third-party assessments aren’t somewhere on the horizon for DoD-adjacent shops in northeast Indiana. The phase requiring C3PAO assessment for many Level 2 contracts begins November 10, 2026. If you have flow-down notices in your inbox, the clock is already running.
  5. The first move isn’t buying more software. It’s getting an honest outside read on where you actually stand — so the budget conversation in front of your wife, your CFO, or your cousin is about real numbers, not vendor pitches dressed up as urgency.

You’re heading into the back half of the year. Quoting is steady. The floor is full. The 2027 picture is getting clearer — which customers are growing, which contracts are renewing, which OEMs are sending another round of questionnaires.

Cybersecurity probably isn’t on your top-five list of things to deal with. It rarely is. But it’s quietly become the thing that decides whether 2027 goes the way you’ve planned, or whether it goes sideways in a way you spend six months cleaning up.

The shops in northeast Indiana — from the Auburn machining floor to the New Haven processing plant — that came through 2025 and into 2026 in good shape did one thing different. They got an honest read on where they stood, fixed the things that actually moved the needle, and stopped paying for the things that didn’t. The shops that took hits — the names that came up at IMA lunches and NIDIA meetings — generally did the opposite. They trusted what the IT guy said was in place without verifying it.

The real question for the next six months is which group you’re going to be in.

What are northeast Indiana shops actually facing in 2027?

Three pressures are converging on shops your size, and they don’t politely take turns.

Manufacturing-targeted ransomware is still the fastest-moving threat. Manufacturing was the most-targeted sector for industrial ransomware in 2024 and 2025. The mean recovery cost has hovered around $1.67M per incident — and that’s the average, not the worst case. Northeast Indiana hasn’t been spared. Indiana-based Rose Acre Farms was named in a Lynx ransomware claim. Fabcon, the precast concrete manufacturer, faced an Akira incident with roughly 190 GB of data threatened for leak. These aren’t headlines from California — these are operations a couple hours from your shop.

Cyber insurance has stopped being polite. MFA (multi-factor authentication — two-step login on top of a password), EDR (endpoint detection and response — the modern replacement for plain antivirus), tested offline backups, and a documented incident response plan are now binary yes/no requirements on the application. Carriers are voiding policies mid-incident when the application turns out to have misrepresented control status. That’s not a hypothetical. Your broker has probably already mentioned it.

OEM and prime customer questionnaires got teeth. Five years ago, the supplier cybersecurity questionnaire was a paperwork exercise. In 2026 and into 2027, automotive OEMs and tier-1 customers are freezing contracts for six months while they review posture. CMMC flow-down from primes is no longer an “eventually” conversation — roughly half of surveyed sub-tier suppliers have already received one.

How do you know if your MSP is keeping up or just keeping the lights on?

This is the question most owners don’t want to ask out loud. Here’s a way to ask it that doesn’t require firing anyone or starting a fight.

Pick three controls you believe are in place. MFA on all administrative accounts. Tested offline backups in the last twelve months. EDR running on every workstation, including the ones in the front office. Then ask your IT guy to prove each one. Not describe — prove. A screenshot, a report, a test result, an incognito-browser login attempt that gets blocked without the second factor.

If the proof comes back in a day with documentation, you’ve got a partner who’s keeping up. If the proof comes back vague, slow, or with phrases like “we should be good there” — you’ve learned something important without burning the relationship. That’s a conversation, not a confrontation.

How four different shops compare on the controls that matter

| Control or Capability | Shop A: Trusts the MSP | Shop B: Verified Once | Shop C: Documented & Tested | Shop D: Ready for 2027 |
|---|---|---|---|---|
| MFA on admin accounts | Assumed yes | Tested once | Tested + monitored | Verified + alerted |
| Backup restore tested | “We have backups” | 2+ years ago | Tested annually | Tested quarterly |
| Incident response plan | None or shelf binder | Written, not rehearsed | Rehearsed annually | Rehearsed, roles assigned |
| Insurance application accuracy | Best guess | Reviewed once | Reviewed at renewal | Verified by outside party |
| Customer questionnaire-ready | Guessed answers | Some answers on file | Maintained answer library | Documented + updated |

Most northeast Indiana shops live in Column A or B. The ones in Column C and D didn’t get there by spending more — they got there by verifying.

What does a ransomware incident actually cost a shop your size?

The Wisconsin case is the right-size reference point. A 45-employee manufacturer, ransomware hit, 14 days of full shutdown, roughly $1.2M in losses, 12 layoffs, and a CFO resignation letter that reportedly called the whole thing a “preventable disaster.”

Two weeks down. Twelve people gone. One letter on the way out the door.

Now run the math against your own shop. If your floor is doing $X an hour of value-add when it’s running, multiply by your shift hours, multiply by 14 days, and add the overtime to catch up afterward, the customer concessions, the consultant bills, and the insurance deductible. The number gets uncomfortable fast — and it gets there before you’ve added any reputational hit with your top customer.

Where Most Shops Sit on the 2027 Readiness Ladder

 Step 5: Verified, documented, rehearsed
 │       – claims hold up under audit
 │       – questionnaires take days, not weeks
 ▲
 Step 4: Controls in place, tested in last 12 months
 │       – MFA, EDR, backups, IR plan are all real
 │
 ▲
 Step 3: Controls bought, never verified
 │       – the most common spot for shops your size
 │
 ▲
 Step 2: Controls promised, results unclear
 │       – “my IT guy said it’s covered”
 │
 ▲
 Step 1: No idea, hope for the best
         – one phishing click from a bad month

If you read down that ladder and felt your gut land somewhere on Step 2 or Step 3 — you’re in the same place as most shop owners in northeast Indiana. The good news is moving from Step 3 to Step 4 is a lot less work than moving from Step 1 to Step 3.

Why are cyber insurance carriers voiding more claims in 2026 and 2027?

Because applications have gotten specific, and shops keep checking “yes” without verifying.

The 2024 and 2025 questionnaires asked broad questions about whether MFA was “deployed.” The 2026 and 2027 versions ask whether MFA is enforced on all administrative accounts, all remote access methods, and all email. Same word — “MFA” — but a much narrower question. A shop with MFA on its email but not on remote desktop access is now answering “yes” to a question the carrier reads as “no.”

When the claim hits, the carrier sends a forensic firm to validate the application. If the application doesn’t match the environment, the carrier has grounds to deny coverage or rescind the policy. Your broker can’t save you from that. Your MSP can’t either, especially if the misrepresentation traces back to something they assured you was in place.

The fix is straightforward and not expensive: have someone outside your MSP do an honest read on the application before you sign it. Two hours of review can save the entire policy.

What changes for DoD-adjacent shops in November 2026?

Phase 1 of CMMC enforcement (November 10, 2025 through November 9, 2026) made Level 1 and Level 2 self-assessments a condition of contract award for applicable new DoD work. That phase is now in motion.

Phase 2 — beginning November 10, 2026 — is expected to require third-party C3PAO assessment for many Level 2 contracts. Self-attestation stops being enough. An outside assessor walks through your environment and verifies all 110 NIST 800-171 controls. The assessment itself runs a few days on-site plus document review. The real investment is the readiness work in the months before — scoping the CUI (Controlled Unclassified Information) enclave, closing control gaps, and getting the System Security Plan in actual shape.

If you’re sitting on flow-down notices from a prime, working on aerospace-qualified parts, or have 20–45% of your revenue tied to DoD work as a sub-tier, the calendar isn’t your friend. Shops that started readiness in early 2026 are landing assessments in late 2026 or early 2027. Shops starting readiness in mid-2026 are looking at the back half of 2027 — assuming nothing else slips.

A small but useful note for Indiana shops: Purdue MEP has been running SBA-funded free CMMC Level 1 assessments for qualifying operations. If you haven’t talked to them, that’s a free phone call worth making.

What should your next 30 minutes on this look like?

Don’t call a vendor. Don’t sign anything. Don’t agree to a discovery meeting.

Open your last cyber insurance application and read the questions you said yes to. Pick the three you’re least sure about. Email your IT guy and ask him to send proof — screenshots, reports, test results — that those three controls are actually in place the way you said they were on the application. Set a deadline of one week.

That’s your first 30 minutes. The next 30 minutes belong to whatever comes back from him. If the proof is solid, you’ve earned real peace of mind heading into renewal. If the proof is vague or slow, you’ve got specific information to work with — not a feeling, not a worry, but documented gaps you can prioritize.

Either way, you’re now operating on facts instead of assumptions. That’s the difference between Step 3 and Step 4 on the ladder above. And it didn’t cost you a dollar.

Want a second set of eyes on what your IT guy sends back?

Once the proof comes in, you might want someone outside the relationship to read it honestly — not to switch you, not to pitch you, but to tell you what the answers actually mean and where the real gaps are. That’s the kind of conversation we have most often with shops your size.

No pitch, no follow-up campaign, just a working conversation about what the answers tell you and what to do next.

Call Aptica: (260) 243-5100

Or schedule a 15-minute call at your convenience: calendly.com/jnewburg-1/15min

Frequently Asked Questions

What does CMMC Level 2 third-party assessment actually involve for a sub-tier supplier?

A C3PAO — a certified third-party assessor — evaluates how your environment meets all 110 NIST 800-171 controls. The on-site portion typically runs a few days, plus document review beforehand. The bigger investment is the readiness phase in the months prior — scoping the CUI environment, closing control gaps, and getting the System Security Plan into shape. Most shops underestimate readiness work by half.

My MSP says I have MFA. Is that enough to check “yes” on the insurance application?

Not by itself. Carriers are now asking whether MFA is enforced on all administrative accounts, all remote access, and all email — not just whether MFA exists somewhere in the environment. The way to know for sure is to have someone outside your MSP test it. An incognito-browser login attempt without the second factor is a ten-minute test that tells you whether the answer on your application is honest.

How long does a ransomware shutdown actually last for a shop with 30 to 50 employees?

The Wisconsin case ran 14 days of full shutdown plus weeks of degraded operations after. Most northeast Indiana incidents that have come up at IMA and NIDIA events have run between six and twenty-one days from hit to back-to-normal. The variable that matters most is whether tested offline backups exist. Shops with tested backups recover in days. Shops without recover in weeks — or pay.

How long does it take to complete an OEM cybersecurity questionnaire?

For a 25-to-50-person shop the first one runs five focused days of work — a day to inventory and triage, two days to verify the answers you think you have, a day to build a remediation plan for the gaps, and a day to write and submit the response. Plan on the owner, the office manager, and the IT contact each putting time in. The second questionnaire is meaningfully cheaper because the answer set is reusable. By the fourth or fifth, the office manager can run an annual update in a half-day.

What are the signs my manufacturing IT setup needs an upgrade?

Three signals. How quickly your MSP responds when you ask them to prove a control is in place. How recent your most recent restore test was. And how confident you’d be explaining your current setup to a peer at an IMA lunch. If those three answers come back shaky, the question stops being whether to make a change — it becomes whether to make it before or after the next bad week.

About Aptica

Aptica is a locally owned IT provider serving manufacturers, distributors, engineers, healthcare practices, and professional services firms across Northern Indiana, Southern Michigan, and Northwest Ohio. Founded in 2003 and based in Angola and Fort Wayne. BBB Accredited, A+ rated.

Angola: 113 E Maumee St, Angola, IN 46703 · (260) 243-5100
Fort Wayne: 1690 Broadway, Bldg 19, Suite 10, Fort Wayne, IN 46802 · (260) 243-5182
Web: apticallc.com · Email: info@apticallc.com

Call us. We answer the phone.
