Third-party cyber risk is becoming a bigger financial headache

Here’s one more thing to add to the undoubtedly long list of cybersecurity risks that need mitigating: financial losses that stem from third-party compromises.

In an analysis of 2024 claims data, cyber insurer Resilience found that third-party cyber risk is “driving unprecedented losses.”

When vendors suffer from a ransomware attack or other disruption, it can have a “domino effect” on partner organizations, Resilience noted in a news release.

To drive this point home, Resilience brought the receipts. Third-party risk made up 31% of all claims the insurer received last year, compared with 37% in 2023. But it wasn’t until 2024 that third-party risk was significant enough to trigger incurred, or material, losses on insurance claims. Third-party incidents accounted for 23% of claims with incurred losses for the year, compared with a big fat 0% the year before.

What exactly was different about last year? The third-party incidents, which also included the disruptive CrowdStrike outage, disrupted operations at organizations Resilience insures, according to Ann Irvine, chief data and analytics officer.

“In previous years, third-party incidents that resulted in data breaches typically did not cause our insurees large losses,” Irvine told CFO Brew. “In contrast, many of the vendor-related incidents from 2024—including Change Healthcare, CDK, and CrowdStrike—all resulted in some sort of pause on our customers’ ability to conduct business and, as a result, had a much larger financial impact.”

It’s a risk that organizations will have to pay attention to in the coming years, according to Vishaal Hariprasad, cofounder and CEO of Resilience.

“Businesses can no longer afford to consider their partners' vulnerabilities as siloed from their own. By understanding this new reality of shared risk, enterprises can make smarter business decisions and meaningfully mitigate material loss,” he said in a statement.