Managing cyber risk in the insurance supply chain

Cyber insurance is the fastest-growing sector of the world’s insurance markets, but a recent increase in ransomware attacks and business email compromises has led to a sharp uptick in claims, resulting in significant losses for cyber insurers and increased premiums. The UK insurance industry is facing increased scrutiny from regulators, so it has become extremely important for these insurers to understand how to manage cyber risk within their own supply chains.

This industry plays a critical role in managing risks and protecting individuals and businesses from potential losses. However, with an increased reliance on digital technologies and interconnected systems, the insurance supply chain is becoming more vulnerable to cyber risks. From insurance carriers to intermediaries and third-party service providers, each entity within the supply chain can be a potential target for cyberattacks.

To provide further insight into the UK cybersecurity insurance market, our cyber ratings service SecurityScorecard shared some key data regarding the top 50 insurers by gross written premium. This research, drawn from data from the SecurityScorecard platform, found that 50% of the top 50 UK insurers by gross written premium are exposed to third-party entities that have experienced a domain breach since 26 January 2023.

The data also revealed that 26% of the top 50 UK insurers have such poor cyber ratings that they would struggle to get cyber insurance for themselves.

Of the top 50 insurers in the UK: 40% have an A rating; 34% have a B rating; 24% have a C rating; 2% have a D rating; 26% have a risk rating of C or below; 74% have a B or higher risk rating; and 28% have an active infection from their public footprint

Clearly, more needs to be done by insurers to safeguard their web presence and the third-party vendors that they work with before new regulations catch up with them.

With the White House’s recent release of its National Cybersecurity Strategy, multiple sectoral risk management agencies (SRMAs) have put forth new requirements to measure, report and manage third-party risk. In Europe, DORA will mandate banks, financial entities and select IT third-party providers within the EU to adopt robust cybersecurity measures. And, in France, a new cyber score law will require Internet-facing platform companies to disclose 'report cards' on cyber resilience based on third-party audits of systems and processes. You can’t manage what you don’t measure.

The move towards metrics, regulations and securing the supply chain all point to a future with greater cyber resilience. One where all stakeholders will benefit by improving their individual cybersecurity health for the sake of the greater good. With a more transparent and measurable view of cyber risk, the insurance industry as a whole can move towards a more sustainable and resilient future. By taking proactive measures to reduce cyber risk, insurers can significantly strengthen their cybersecurity posture and better protect themselves and their clients from cyber threats.

Cybersecurity ratings can help with detecting these issues and remedying the problem long before the regulation is due to come in. Ratings can objectively monitor organizations’ cyber hygiene and gauge whether their security posture is improving or deteriorating over time. The third parties that comprise an insurer’s supply chain allow it to lower costs, innovate rapidly and work more efficiently and effectively. These are cloud hosting providers, vendors, service providers and any other supplier that assists an organization. They make doing business easier. Unfortunately, they also expose organizations to risk.

To mitigate this risk, organizations must build portfolios of the vendors in their ecosystems and be able to identify common security vulnerabilities, rank suppliers and partners according to risk and collaborate with these partners to remediate known vulnerabilities. Detecting these vendors and continuously monitoring them will enable organizations to assess risk in real time and stay ahead of threats to make these supply chains more resilient.