Third-Party Cyber Risk: A Growing Threat
One of the most significant risks in the cyber landscape may be receiving insufficient attention: third-party risk. Data from cyber risk solutions company Resilience indicates that this factor significantly contributed to cyber insurance claims and financial losses in 2024. The interconnectedness of modern systems and reliance on software vendors are exacerbating this problem, as businesses now face the complex challenge of securing not only their own networks but also those of their partners.
Exploiting Single Points of Failure
Cybercriminals are increasingly targeting and exploiting vulnerabilities in a single system to create widespread disruptions, the report noted. Recent breaches involving PowerSchool, CDK, and Change Healthcare exemplify this concerning trend. Resilience’s data reveals that third-party risk, including ransomware and vendor-related outages, accounted for 31% of all claims in 2024. Furthermore, it contributed to claims with incurred losses for the first time, representing 23% of those claims, compared to none in 2023.
“Third-party risk isn’t only making headlines—it’s driving unprecedented losses. While this risk is often invisible until it’s too late, it’s now clear that the industry has reached a tipping point,” said Vishaal Hariprasad, co-founder and CEO of Resilience.
Hariprasad added that companies can no longer afford to treat their partners’ vulnerabilities as separate from their own. He emphasized that understanding this shared risk is crucial for making smarter business decisions and mitigating material loss.
Ransomware Remains a Top Threat
Ransomware continues to be a major driver of financial loss. First-party ransomware incidents accounted for 43% of incurred claims and ransomware attacks targeting vendors for 18%, which together make up 61% of all claims involving losses. The frequency of transfer fraud incidents also increased, rising from 14% of incurred claims in 2023 to 18% in 2024.
The transportation, manufacturing, and healthcare sectors experienced the highest frequency of incurred claims, likely due to their reliance on outdated operational technology and the financial impact of downtime. The healthcare and finance industries had the highest claim reporting frequency, possibly due to regulatory mandates requiring disclosure of incidents, even if they didn’t result in significant financial losses. Phishing-related claims decreased, accounting for 9% of incurred losses in 2024, down from 20% in 2023.
“As a company that provides both cyber risk quantification software and cyber insurance, we have unique insight into how companies are mitigating financial fallout from today’s cybersecurity challenges,” said Jeremy Gittler, global head of claims at Resilience.
Gittler also noted that in the face of an evolving threat landscape, enterprises are improving how they manage cyber risk and prevent material loss.