Dive Brief:
- Cyberattacks targeting third-party vendors are causing more financial damage than ever before, cyber risk management firm Resilience said in a recent report.
- Nearly a quarter (23%) of cyber insurance claims filed with Resilience last year involved material losses resulting from a third-party breach, according to the analysis. It’s a first for the company, which hasn’t previously observed customer claims with material losses in the third-party risk category.
- “Many of the vendor-related incidents from 2024 resulted in some sort of pause on our customers’ ability to conduct business and, as a result, had a much larger financial impact,” Ann Irvine, chief data and analytics officer at Resilience, said via email.
Dive Insight:
Increasingly, threat actors have focused their energies on exploiting a single point of failure in one company to “create a cascading effect of disruption and chaos downstream,” Resilience said in a press release on the research findings.
The global average cost of a data breach in 2024 was nearly $4.9 million, according to IBM research. But the year saw some incidents that were far more costly.
UnitedHealth disclosed in January that it spent a total of $3.1 billion last year responding to a massive cyberattack against its Change Healthcare subsidiary, which processes billions of medical claims annually. The ransomware attack set off weeks of disruptions for the healthcare sector.
“It was the most significant and consequential cyberattack in the history of U.S. health care,” John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, said in a blog post last year.
CDK Global, a software firm serving car dealerships across the U.S., was also targeted by a major ransomware attack last year. That incident cost car dealerships more than $1 billion collectively, according to an estimate by Anderson Economic Group.
The 2024 breaches at Change Healthcare and CDK “illustrate how attacks on highly interconnected organizations can ripple across entire industries,” Resilience said in its report.
Resilience said its analysis indicates that third-party risk has emerged as a dominant driver of cyber insurance claims, accounting for 31% of the claims filed by its clients in 2024. While the share of third-party claims in 2023 was slightly higher (37%), none of those claims involved material losses.
The research also found that ransomware targeting vendors has emerged as a “new and significant” source of incurred claims, contributing to 18% of such claims.
While ransomware held its position as the top cause of loss in 2024, accounting for 62% of claims with losses overall, there are indications that it may be declining in frequency within broader markets, according to Resilience.
This is likely due to threat actors focusing on larger, high-profile organizations that “yield bigger payouts, as opposed to the previous ‘spray and prey’ approach,” the report said.