One of cyber’s biggest risks may be being overlooked: third-party risk was a key factor in cyber insurance claims and financial losses in 2024, according to new data from cyber risk solutions company Resilience.
Increased reliance on interconnected systems and software vendors contributed to its growing impact, the report said, adding that businesses now face the challenge of managing not only their own security but also that of their partners to avoid significant losses.
Cybercriminals continue to exploit single points of failure in companies, creating widespread disruptions, according to the report. Recent breaches involving PowerSchool, CDK, and Change Healthcare illustrate this trend.
Resilience’s data shows that third-party risk, including ransomware and vendor-related outages, accounted for 31% of all claims in 2024. Additionally, third-party risk contributed to claims with incurred losses for the first time, representing 23% of such claims in 2024, compared with none in 2023.
“Third-party risk isn’t only making headlines—it’s driving unprecedented losses. While this risk is often invisible until it’s too late, it’s now clear that the industry has reached a tipping point,” said Vishaal Hariprasad, co-founder and CEO of Resilience. “Businesses can no longer afford to consider their partners’ vulnerabilities as siloed from their own. By understanding this new reality of shared risk, enterprises can make smarter business decisions and meaningfully mitigate material loss.”
Ransomware remained a leading cause of financial loss. First-party ransomware incidents accounted for 43% of incurred claims, while ransomware attacks targeting vendors made up 18%, totaling 61% of all claims with losses. Transfer fraud incidents increased, rising from 14% of incurred claims in 2023 to 18% in 2024.
The transportation, manufacturing, and healthcare sectors saw the highest frequency of incurred claims, possibly due to their reliance on outdated operational technology and the financial impact of downtime. Healthcare and finance had the highest claim reporting frequency, which may be linked to regulatory requirements mandating disclosure of incidents, even if they did not result in material losses.
Meanwhile, phishing-related claims accounted for 9% of incurred losses in 2024, a decline from 20% in 2023.
“As a company that provides both cyber risk quantification software and cyber insurance, we have unique insight into how companies are mitigating financial fallout from today’s cybersecurity challenges,” said Jeremy Gittler, global head of claims at Resilience. “Even in the face of an evolving threat landscape over the past year, enterprises are continuing to make major improvements in how they manage cyber risk and prevent material loss.”
