Threatonomics

What the Collins Aerospace outage reveals about vendor risk

by Emma McGowan, Senior Writer

The outage that crippled airports is a warning shot for every business relying on third-party platforms.

On September 19, 2025, chaos erupted at airports across Europe—but not because of weather, strikes, or mechanical failures. Collins Aerospace’s MUSE platform, the digital backbone handling passenger check-in and baggage processing from Heathrow to Dublin, went dark after a ransomware attack. Within hours, major airports including Brussels, Berlin, and Dublin were forced to revert to manual, paper-based processes. Gate agents frantically scribbled information on clipboards while thousands of frustrated passengers watched flights get delayed or cancelled.

While no flight safety systems were compromised—and a British man was arrested by the following Tuesday—the operational paralysis was complete. And if you think this was just an aviation problem, our claims data tells a very different story.

Why this matters beyond aviation

The problem isn’t unique to aviation. It’s a pattern we’re seeing across every industry that relies on shared digital infrastructure: Third-party risk is rapidly becoming everyone’s risk.

According to the Resilience 2025 Midyear Cyber Risk Report, vendor-related incidents accounted for 32% of claims notices in 2023, but resulted in 0% of incurred losses. These were primarily vendor data breaches—concerning from a notification standpoint, but rarely causing significant financial damage.

Then 2024 happened. The same report shows vendor-related incidents surging to 37% of claims notices and, more critically, jumping to 22% of incurred losses—making business interruption from vendor unavailability the second-highest cause of loss in our portfolio, behind only direct ransomware attacks.

The first half of 2025 has shown some stabilization at 26% of claims notifications and 15% of incurred losses. But here’s what matters: when our clients experience business interruption from a vendor-related incident, their losses rival those of companies directly hit by ransomware. The transformation from “claims notices with no losses” to “second-highest cause of loss” happened in a single year, accelerated by high-profile incidents like CDK Global and Change Healthcare.

The single point of failure problem

The Collins incident exposes a vulnerability that exists across nearly every modern enterprise: multi-tenant platforms create concentration risk that can paralyze operations across dozens of organizations simultaneously. When MUSE went down, it wasn’t just one airport that struggled—it was every airport that depended on that shared infrastructure.

This same pattern plays out in every industry. Your payroll processor, your CRM platform, your logistics coordination system—each represents a potential single point of failure. The question isn’t whether these platforms are secure (though that matters), but rather: What happens to your business when they inevitably face disruption?

Exploiting a single point of failure in one company leads to cascading disruption downstream, affecting entire industries and economic sectors. This is vendor concentration risk, and it belongs in your enterprise risk register alongside market volatility and supply chain disruption.

The ripple effects of vendor failure

The immediate operational fallout from the Collins outage was visible to anyone watching the news: delayed flights, manual processes, frustrated customers. But the true cost extends far beyond headlines, creating financial, regulatory, and governance challenges that can define organizational performance for quarters to come.

The hidden costs of manual operations

Manual fallback processes might technically keep operations running, but they exact an enormous toll. At affected airports, staff pulled out clipboards and reverted to paper-based systems. Planes still departed—eventually—but at what cost? Lost ticket revenue, passenger compensation payouts, emergency staffing expenses, and incalculable reputational damage all compounded as recovery stretched from hours into days. 

The regulatory time bomb

Perhaps the most underestimated consequence is the regulatory pressure that begins the moment a vendor fails. Under NIS2 and DORA in Europe, organizations face reporting requirements as tight as 24 to 72 hours for significant cyber incidents. In the United States, SEC rules mandate disclosure within four business days. These aren’t flexible guidelines—they’re strict deadlines with serious consequences for non-compliance. Miss these windows, and an operational incident transforms into a governance failure, complete with fines, legal exposure, and shareholder lawsuits.

The regulatory burden becomes exponentially more complex when the root cause sits with a third party. You’re dependent on your vendor to communicate incident details quickly and accurately, yet you remain personally liable for timely disclosure. Our claims experience shows that organizations with pre-established vendor communication protocols and real-time monitoring capabilities navigate these requirements far more successfully than those scrambling to gather information during a crisis.

Board-level accountability

This accountability now extends directly to the boardroom. Under NIS2 in Europe and SEC disclosure rules in the United States, board members bear personal responsibility for vendor resilience. Directors are expected to understand concentration risks, validate business continuity plans, and ensure that third-party risk management is tested, verifiable, and reported at the governance level. Vendor resilience is no longer just the CISO’s problem—it’s a board-level governance imperative requiring the same rigor and oversight as financial risk management.

Questions every organization should ask now

The Collins Aerospace incident should trigger urgent conversations in every executive suite and boardroom. Based on our analysis of thousands of cyber claims, here are the critical questions that can’t wait:

1. Vendor dependency mapping

Which of your critical business functions depend on shared or multi-tenant platforms? What would be the financial and operational cost if each one went offline for 24 to 48 hours? Our data shows that 79% of clients attacked with ransomware successfully avoided paying because they had viable alternatives.

Do you have a consolidated view of concentration risk across your third-party ecosystem? If multiple critical functions depend on the same vendor or interconnected vendors, a single incident could cascade across your entire operation.
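One way to build that consolidated view is shown below as an added example; it is not from the original article or from Resilience's tooling. The function names, vendor names, dependency links, and hourly loss figures are constructed, and the loss estimate assumes each affected function is fully down for the whole outage window.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names and figures).
# function -> (direct vendors, estimated loss per outage hour in USD)
FUNCTIONS = {
    "payroll":       ({"PayCo"}, 2_000),
    "crm":           ({"SalesCloud"}, 5_000),
    "logistics":     ({"ShipHub"}, 8_000),
    "customer_auth": ({"IdPOne"}, 12_000),
}
# vendor -> vendors it relies on in turn ("interconnected vendors")
VENDOR_DEPS = {
    "PayCo": {"HostCorp"},
    "SalesCloud": {"HostCorp", "IdPOne"},
    "ShipHub": {"MapsAPI"},
}

def upstream(vendor, deps, seen=None):
    """Return `vendor` plus every vendor it transitively depends on."""
    seen = set() if seen is None else seen
    if vendor in seen:          # already visited: also guards against cycles
        return seen
    seen.add(vendor)
    for dep in deps.get(vendor, ()):
        upstream(dep, deps, seen)
    return seen

def concentration_report(functions, deps, outage_hours=24):
    """List (vendor, functions it can stop, estimated loss), worst first."""
    impact = defaultdict(set)
    for fn, (vendors, _) in functions.items():
        for direct in vendors:
            for v in upstream(direct, deps):
                impact[v].add(fn)
    report = []
    for vendor, fns in impact.items():
        loss = sum(functions[f][1] for f in fns) * outage_hours
        report.append((vendor, sorted(fns), loss))
    return sorted(report, key=lambda r: (-r[2], r[0]))

def single_points_of_failure(report, min_functions=2):
    """Vendors whose outage stops at least `min_functions` functions."""
    return [vendor for vendor, fns, _ in report if len(fns) >= min_functions]

if __name__ == "__main__":
    for vendor, fns, loss in concentration_report(FUNCTIONS, VENDOR_DEPS, 48):
        print(f"{vendor:<11} stops {fns}: ~${loss:,} over 48h")
```

In this constructed data, HostCorp has no direct contract with any business function, yet its outage stops both payroll and CRM, which is the kind of cascade a per-contract vendor list does not show.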

2. Evidence vs. promises

Do your vendors provide tested evidence of their recovery time objectives and recovery point objectives? Have you run exercises simulating prolonged vendor outages? Don’t accept vendor assurances at face value—demand documented proof of their business continuity capabilities.

Organizations with robust backup systems, regular validation testing, and comprehensive business continuity planning are far less likely to face extended disruptions. Your vendors should demonstrate the same level of preparedness.

3. Architecture and containment

How well are your vendors architected to limit the blast radius of an attack? The Collins incident affected dozens of airports simultaneously because they all relied on the same multi-tenant platform with insufficient isolation.

Look for evidence of tenant isolation, network segmentation, and offline or local operating modes. If one customer experiences a breach, your operations shouldn’t automatically follow.

4. Incident response protocols

Do your vendor contracts include strict incident-notification timelines and access to telemetry or logs during an outage? Could you meet EU or US reporting obligations if a vendor disruption impacted your operations but the vendor was slow to communicate?

Our claims data consistently shows that organizations with clear incident response protocols and real-time vendor communication capabilities recover faster and with lower total losses. Without these agreements in place, you’re flying blind during the most critical hours of an incident.

5. Governance and oversight

Is vendor risk explicitly reported to your board or audit committee at the same level as financial or strategic risk? Do board members understand which vendors create concentration risk across your ecosystem?

As seen in our 2025 Midyear Cyber Risk Report, vendor-related incidents went from essentially zero losses in 2023 to 22% of all losses in 2024—a transformation that should have triggered board-level visibility and response. If your governance structures don’t provide this oversight, the Collins incident should be your catalyst for change.

What the data shows works

While vendor risk has surged, our claims data reveals what separates organizations that weather these storms from those that don’t. In the first half of 2025, only 42% of ransomware attacks in our portfolio developed into incurred claims, down from 60% in 2024. This improvement stems directly from organizations implementing robust backup systems, conducting regular testing, and maintaining comprehensive business continuity plans.

The contrast with broader industry trends is striking. According to Sophos’ State of Ransomware report, 46% of victims paid ransoms to recover their data. In the Resilience portfolio, that number was just 22% in 2024 and has dropped to approximately 14% in the first half of 2025. Organizations with tested recovery capabilities simply aren’t forced into the corner of ransom payment—they have alternatives.

Proactive vs. reactive

The difference between prepared and unprepared organizations often comes down to visibility and speed of response. When Eye Security identified the ToolShell vulnerability in Microsoft SharePoint in July 2025, our Risk Operations Center didn’t wait for clients to discover the risk themselves. We analyzed our entire portfolio within hours, identified high-risk clients based on exposure analysis, and delivered targeted notifications with immediate remediation guidance.

The result? One client received our notification just as threat actors attempted exploitation, enabling mid-attack detection and containment. Early warning prevented data exfiltration and limited business disruption to one to two days of partial operations—instead of the weeks-long recovery we’ve seen in similar incidents where organizations lacked real-time threat intelligence.

This proactive approach reflects a fundamental shift from reactive security to predictive defense. Rather than waiting for vendors to notify you of problems, leading organizations are implementing continuous monitoring, threat intelligence sharing, and proactive risk assessment across their vendor ecosystem.

The next vendor outage is coming

The Collins Aerospace outage offers a preview of the vendor risk landscape every organization now faces. Vendor failures are inevitable in our interconnected digital ecosystem. The only question is whether your organization will be caught scrambling with metaphorical clipboards, reverting to manual processes and hoping for the best, or whether you’ll have the resilience infrastructure in place to weather the storm without losing operational effectiveness.

The fundamental vulnerability remains clear: every organization that depends on shared platforms, cloud-based services, or third-party operational technology faces the same concentration risk that paralyzed European airports on September 19. The Collins incident should be your wake-up call—not because it happened in aviation, but because it exposed vulnerabilities that exist in every industry, every sector, every organization that has outsourced critical functions to specialized vendors.

The question isn’t whether the next major vendor outage will occur, but whether your organization will be prepared when it does.
