
Cybersecurity’s Biggest Blind Spot: Third-Party Risk, New Resilience Analysis Finds

For the first time ever, Resilience observes vendor risk driving financial losses, making up nearly a quarter of material claims in 2024

by Whitney Glockner Black, VP, Communications

SAN FRANCISCO, CA – February 27, 2025 – Third-party risk emerged as a dominant driver of cyber insurance claims and material losses in 2024, new data from leading cyber risk solutions company Resilience found. Buoyed by interconnected systems and reliance on ubiquitous software vendors, third-party risk has quietly taken center stage as one of the industry’s most insidious threats. Today’s enterprises must not only stay abreast of their own security posture, but that of their partners as well—or risk catastrophic losses.

Threat actors have a track record of exploiting a single point of failure in one company to create a cascading effect of disruption and chaos downstream, as evidenced by recent incidents like the PowerSchool, CDK, and Change Healthcare breaches. New cyber insurance claims data from Resilience’s portfolio illustrates the financial fallout of this domino effect, finding that third-party risk, including ransomware and outages affecting vendors, accounted for 31% of all claims in 2024. Even more startling, third-party risk led to claims with incurred losses for the first time ever, making up nearly a quarter (23%) of incurred claims in 2024 (compared to 0% in 2023). 

“Third-party risk isn’t only making headlines—it’s driving unprecedented losses. While this risk is often invisible until it’s too late, it’s now clear that the industry has reached a tipping point,” said Vishaal “V8” Hariprasad, Co-Founder and CEO of Resilience. “Businesses can no longer afford to consider their partners’ vulnerabilities as siloed from their own. By understanding this new reality of shared risk, enterprises can make smarter business decisions and meaningfully mitigate material loss.”

Additional findings across Resilience’s portfolio include:

Ransomware, Transfer Fraud Led To Most Losses

  • Ransomware held its position as a top cause of loss in 2024. 43% of incurred claims involved first-party ransomware incidents and 18% of incurred claims involved ransomware attacks targeting vendors; together, a staggering 61% of all claims with losses were related to ransomware. 
  • Transfer fraud became more common, rising from 14% of incurred claims by frequency in 2023 to 18% in 2024.

Vulnerable Industries Were Hit Hard, But Some Effects Were More Visible Than Others

  • Transportation, manufacturing and healthcare led in incurred claim frequency, potentially due to their reliance on often outdated operational technology and high downtime costs.
  • Healthcare and finance led in claim reporting frequency, potentially due to their stricter regulatory environments and requirements to report incidents, even if they are not material.

Despite Challenges, Silver Linings Remain

  • Once a primary point of failure, phishing proved less effective in causing financial loss. In 2024, phishing led to just 9% of incurred claims, a significant drop from 2023, a year in which it led to 20% of incurred claims.

“As a company that provides both cyber risk quantification software and cyber insurance, we have unique insight into how companies are mitigating financial fallout from today’s cybersecurity challenges,” said Jeremy Gittler, global head of claims at Resilience. “Even in the face of an evolving threat landscape over the past year, enterprises are continuing to make major improvements in how they manage cyber risk and prevent material loss.”

The new findings follow Resilience’s August 2024 Midyear Cyber Risk Report and leverage data from the company’s Threat Intelligence team and insurance claims portfolio to provide a comprehensive, up-to-date look at trends in cyber risk and how enterprises have responded throughout 2024. 
