The Growing Concern of Third-Party Risk in Cybersecurity
In 2024, third-party risk has emerged as a central driver of cyber insurance claims and substantial financial losses, as revealed by recent data from Resilience, a leader in cyber risk solutions.
As businesses increasingly depend on interconnected systems and a diverse array of software vendors, the threat posed by third-party risks has become both critical and frequently underestimated. Organizations must now address not only their own cybersecurity but also that of their partners and vendors to avert severe financial repercussions.
Cybercriminals have long taken advantage of vulnerabilities within a single organization to create a chain reaction of disruptions across its entire network. This trend was evident in notable breaches involving companies such as PowerSchool, CDK, and Change Healthcare.
Vishaal ‘V8’ Hariprasad, Co-Founder and CEO of Resilience, remarked, “Third-party risk isn’t just making headlines—it’s driving unprecedented losses. While often invisible until it’s too late, it’s now apparent that the industry has reached a tipping point.”
Understanding Shared Risk
Businesses can no longer afford to view their partners’ vulnerabilities as separate from their own. By recognizing this new reality of shared risk, enterprises can make more informed business decisions and significantly reduce material loss.
According to Resilience’s latest data, third-party risks—including ransomware attacks and vendor-related outages—accounted for 31% of all cyber insurance claims in 2024. Even more notably, third-party risk led to incurred losses for the first time ever, comprising 23% of all incurred claims in 2024, compared to zero in 2023.
Ransomware and Transfer Fraud Trends
Ransomware remained a major source of financial losses in 2024, with Resilience finding that 43% of incurred claims involved first-party ransomware incidents, while 18% were linked to ransomware attacks targeting vendors. Combined, these incidents accounted for 61% of all claims with losses.
Transfer fraud also increased in prominence, rising from 14% of incurred claims in 2023 to 18% in 2024, as per Resilience’s findings.
Resilience also noted that certain industries faced a higher frequency of incurred claims, notably in transportation, manufacturing, and healthcare. These sectors’ reliance on outdated operational technologies and the high costs associated with downtime contributed to their elevated risk.
In contrast, healthcare and finance sectors led in claim reporting frequency, driven by stricter regulatory requirements that mandate reporting even when incidents do not cause significant material damage.
Phishing Decline and Industry Adaptation
Phishing, once a leading cause of financial loss, showed a significant decline in 2024. Resilience’s data indicated that phishing accounted for just 9% of incurred claims, a sharp drop from 20% in 2023. This shift reflects the industry’s ongoing adaptation to the evolving cybersecurity landscape and the changing tactics of cybercriminals.
These trends underscore the growing importance of addressing third-party risk, highlighting the necessity for businesses to protect not only their own systems but also those of their partners and vendors to prevent cascading disruptions and financial losses.
Jeremy Gittler, Global Head of Claims at Resilience, added, “As a company that provides both cyber risk quantification software and cyber insurance, we have unique insight into how companies are mitigating financial fallout from today’s cybersecurity challenges. Even in the face of an evolving threat landscape over the past year, enterprises are continuing to make major improvements in how they manage cyber risk and prevent material loss.”
