Third-Party Cyber Risk: A Growing Threat
In the ever-evolving landscape of cybersecurity, one significant risk factor may be flying under the radar of many businesses: third-party risk. According to new data from cyber risk solutions company Resilience, this area was a major contributor to cyber insurance claims and financial losses in 2024.
Increased reliance on interconnected systems and software vendors has amplified the impact of third-party risk, the report noted. Businesses now face the complex challenge of securing not only their own systems but also those of their partners to effectively mitigate potential financial losses.
Exploiting Vulnerabilities: Cybercriminals Target Weak Links
Cybercriminals are adept at exploiting single points of failure within companies, often leading to widespread disruptions and substantial financial consequences. High-profile breaches involving PowerSchool, CDK, and Change Healthcare exemplify this troubling trend.
Resilience’s data provides compelling evidence of this growing threat. In 2024, third-party risk, including ransomware and vendor-related outages, accounted for a significant 31% of all claims. Moreover, third-party risk contributed to claims with incurred losses for the first time, representing 23% of such claims in 2024, a stark contrast to the absence of such claims in 2023.
“Third-party risk isn’t only making headlines—it’s driving unprecedented losses. While this risk is often invisible until it’s too late, it’s now clear that the industry has reached a tipping point,” stated Vishaal Hariprasad, co-founder and CEO of Resilience. “Businesses can no longer afford to consider their partners’ vulnerabilities as siloed from their own. By understanding this new reality of shared risk, enterprises can make smarter business decisions and meaningfully mitigate material loss.”
Ransomware Remains a Top Threat
Ransomware continued to be a leading cause of financial loss during the past year. First-party ransomware incidents accounted for a substantial 43% of incurred claims, while ransomware attacks targeting vendors made up an additional 18%, cumulatively accounting for 61% of all claims with losses.
Additionally, transfer fraud incidents saw an uptick, rising from 14% of incurred claims in 2023 to 18% in 2024. The transportation, manufacturing, and healthcare sectors experienced the highest frequency of incurred claims, possibly due to their reliance on outdated operational technology and the potential financial impact of downtime.
Hospitals and financial institutions faced the highest claim reporting frequency, which may be tied to regulatory requirements mandating the public declaration of incidents, even if no material losses resulted. Meanwhile, phishing-related claims showed a decrease, accounting for 9% of incurred losses in 2024, down from 20% in 2023.
“As a company that provides both cyber risk quantification software and cyber insurance, we have unique insight into how companies are mitigating financial fallout from today’s cybersecurity challenges,” said Jeremy Gittler, global head of claims at Resilience. “Even in the face of an evolving threat landscape over the past year, enterprises are continuing to make major improvements in how they manage cyber risk and prevent material loss.”