By Sergio Pierro, Senior Cyber Underwriter
This article was first published by Commercial Risk Europe
In an increasingly digitised economy – with some sectors almost entirely reliant on technology – the threat posed by risks within the supply chain related to dependencies on third-party vendors, both IT and non-IT, has never been greater, and it is only set to grow. According to the World Economic Forum (WEF), 54% of executives cited third-party risk management as a major challenge for their organisation for 2025.
The anticipated losses from cyberattacks originating within the supply chain are substantial. As reported in the WEF’s 2024 cybersecurity report, 41% of organisations that suffered a cyberattack said it originated from a third party. A recent Cybersecurity Ventures study predicts that cyberattacks targeting software suppliers will result in losses of $60 billion in 2025, a figure expected to rise by 15% annually. Additionally, Gartner forecasts that by 2025, 45% of companies will experience a cyberattack via their software supply chain.
This mass migration of data and critical dependence on the supply chain has dramatically reshaped the risk landscape. For example, within the aerospace, automotive and retail sectors, threat actors are targeting intermediate operators within the production supply chain to destabilise entire sectors or even states. A single successful attack can lead to data infiltration, ransomware opportunities and business interruption across a whole network of organisations, making it both more efficient and more lucrative for cybercriminals.
Moreover, the systemic nature of cyber risk is not limited to malicious attacks. A notable example is the CrowdStrike incident in 2024, where an error in a software update led to almost immediate global consequences, disabling approximately 8.5 million systems for several days. Although the impact of the event could have been more severe for businesses, it highlighted the systemic risks inherent in today’s interdependent digital economy.
Closing the Information Gap
The latest renewal season has been marked by increasing demand for cyber coverage to extend across the entire supply chain of insureds, whether they are IT or non-IT suppliers and whether or not they are named suppliers on the contract. This request from clients is becoming more commonplace and the cyber insurance market is already providing solutions for this need; however, the greater the transparency around the risk exposure, the more effective this coverage can become.
In a constantly evolving risk landscape, having effective risk modelling is essential for improving the industry’s risk understanding and adequately pricing new types of coverage. However, the lack of information during both loss modelling and risk selection remains a challenge for the market. In fact, in 2024, the WEF’s cybersecurity report established that 54% of organisations don’t sufficiently understand their supply chain’s cyber exposure.
Third parties are often an overlooked component of a company’s architecture, yet they can be essential to the smooth running of an organisation. Insurers require greater transparency around the risk mitigation practices insureds have in place to manage third-party supply chain risk. If one of the suppliers fails, is there a back-up in place? Is each element of the supply chain managed by a different supplier? Do these suppliers have their own risk mitigation strategies in place? Duplication, distribution and diversity of suppliers are necessary to minimise the impact of any disruption across the supply chain.
With such information, more informed and tailored solutions can be created for insureds, specific to the complexity of their supply chains. Sectoral risk modelling is also becoming increasingly important to offer more relevant pricing and coverage to clients.
Simply put, the more information available to insurers, the more measurable and granular the view of the cyber risk, and ultimately the more effectively risk-aligned the coverage solutions will be.
Furthermore, ensuring coverage robustness through reasoned and disciplined underwriting will encourage greater stability in what is often seen as a volatile and still reasonably young market.
For cyber insurers to evolve from mere capacity providers to true resilience partners, it’s essential to offer insurance solutions that consider the entire value chain of insureds. The key to building this partnership lies in the quality and transparency of shared information, as well as insurers’ flexibility in providing their services and solutions.