• Third-party cyber risks accounted for 31% of insurance claims and 23% of material losses in 2024.
• Ransomware attacks on vendors were the most significant source of third-party financial loss.
• Every third-party insurance claim resulted in an incurred loss, showing the severity of the risk.
• Ransomware accounted for 62% of all losses, targeting supply chains and legacy systems.

Third-party cyber risks have become a dominant factor in insurance claims in 2024, highlighting the growing vulnerabilities created by interconnected business ecosystems.

A new report from cyber risk management firm Resilience reveals that third-party risks accounted for 31% of client insurance claims and nearly a quarter of material losses last year.

The findings underscore an industry-wide tipping point, with ransomware attacks on vendors emerging as the most significant source of financial loss.

According to Resilience CEO Vishaal Hariprasad, businesses can no longer afford to view their partners' vulnerabilities as separate from their own. The report emphasizes that these risks are often invisible until damage has already occurred, making proactive risk management essential.

The increasing reliance on outside vendors has exposed organizations to new threats, with ransomware attacks accounting for 42% of all third-party-related claims.

Notably, every third-party claim resulted in an incurred loss, underscoring the severity of the issue. Additionally, some losses from 2024, such as the widespread business disruption caused by the CrowdStrike outage, have yet to be fully realized.

Ransomware maintained its position as the top cyber threat, responsible for 43% of first-party incidents and 18% of total incurred claims from third-party vendors.

Cybercriminals continue to exploit weak links in supply chains, making vendor-based ransomware attacks a lucrative strategy. In total, ransomware was linked to 62% of all incurred losses, reflecting the scale of its impact across industries. 

Legacy systems, critical infrastructure vulnerabilities, and supply chain weaknesses were major contributing factors to these incidents, with sectors like healthcare and manufacturing proving particularly susceptible due to their reliance on outdated technology and the severe consequences of operational downtime.

In response to the rising threat landscape, businesses are refining their vendor selection processes, while insurance providers adjust their policies to account for the growing financial risks.

The shift highlights a fundamental change in how cyber risk is perceived, with organizations increasingly recognizing that their security is only as strong as that of their partners. 

Regulatory scrutiny is also expected to increase as authorities seek to address the systemic risks posed by supply chain vulnerabilities.

The findings reinforce the urgent need for companies to adopt a more comprehensive approach to cyber risk management.

Much like the corporate world has seen reversals on commitments in other industries – such as BP scaling back its climate targets – cybersecurity strategies must evolve in response to changing conditions.