Continental Europe,
Global Specialty Underwriting,
Zurich Insurance Company
Cyber supply chain risk seem to be one of the biggest and least controlled exposures facing organizations today. Captives that expand cyber risk management beyond the parent company are finding the benefits are more than just financial.
In this Thought Leadership piece, the authors explore how captives can play a broader role in managing supply chain cyber risk and strengthening third-party cyber resilience.
Cyber risk has entered a new phase. With over three quarters of all data breaches now originating with a vendor or third party, cyber risk does no longer seem confined to isolated enterprise incidents but has become an ecosystem-driven disruption risk.
When a healthcare provider and critical component of a local health care system, was subject to a major ransomware attack in 2024, the disruption spread far beyond the company itself, impacting hospitals, pharmacies, insurance claims and millions of patients across the country. Just one cyber incident reportedly impacted 94% of US hospitals surveyed with 82% reporting an impact on cashflow, 60% of which saw a daily loss of revenue in excess of $1 million.
Third parties such as cloud providers, software-as-a-service and data processors are the lifeblood of modern organizations. The rise in supply chain cyber incidents therefore has important implications for global enterprises – and captives. Indeed, captive managers are increasingly finding that traditional methods of managing and transferring cyber risk are no longer sufficient in this new increasingly complex era.
First, cyber incidents that originate within the supply chain typically have a disproportionate impact as the disruption caused by a single compromised provider cascades across multiple organizations, amplifying the financial damage and increasing aggregation risk. Estimates suggest the cost of a third-party breach can be 40% higher than the cost to remediate an internal cyber security breach.
Second, business interruption losses can be significant, often exceeding the direct costs of restoring IT systems. Supply chains have become more specialized, with some companies relying on niche or single-source suppliers, leaving businesses with little or no alternatives. Meanwhile, modern ‘just in time’ supply chains seem to prioritise cost and efficiency above resiliency, increasing their vulnerability to disruption.
Third, supply chain cyber risks sit outside the direct control of the captive. Second, third and fourth tier suppliers are often smaller businesses with limited budget for cyber security. Their potential lack of cyber maturity can create invisible entry points into the parent company’s systems, possibly allowing threat actors to bypass even the most stringent cyber security.
Why traditional approaches are likely falling short
Traditional contingent business interruption (CBI) insurance has largely retreated from the market and rarely covers supply chain disruptions and business interruption losses from a supplier’s cyber attack.
The challenge for captives is therefore twofold. First, they must find ways to measure, manage and potentially transfer cyber risk that sits outside of their organization’s boundaries. And second, they must consider how to actively enhance the cyber resilience of their supply chain.
The cyber threat landscape has evolved at pace over the past five years, with increasingly sophisticated attacks, the use of ransomware-as-a-service and the emergence of ‘zero day’ attacks. The cumulative impact is a faster-paced and more complex threat landscape than when cyber insurance became mainstream over a decade ago.
Cyber underwriting has evolved with it, shifting from purely technical metrics to more qualitative and scenario-based insights. Underwriters seem no longer focussed solely on the controls in place, but whether the organization takes a transparent and defensible approach, driven not by compliance but by a broader risk strategy.
As supply chains come more into focus, this approach must extend to suppliers. Currently, however, vendor cyber assessments are usually limited to contractual obligations and technical audits of tier one suppliers. Vetting is often surface deep or, for tier two suppliers and beyond, non-existent.
Driving supply chain security: a practical approach
This approach is no longer sustainable. Increasingly, captives looking to finance cyber risk find that third party risk management (TPRM) is likely one of the most practical and effective ways to understand, measure and mitigate cyber exposures – and to regain control over their supply chain.
TPRM takes the risk-based scenario approach to cyber risk adopted by mature organizations and extends it throughout the supply chain, mapping and classifying third parties, defining key risk indicators and establishing processes to quantify scenarios and monitor ongoing risk.
With the support of cyber risk engineering specialists, effective TPRM becomes a powerful tool for captives. Fronted third‑party cyber policies can insure key suppliers could provide competitive premiums As the captive reinsures this pooled supplier risk, it may be better positioned to set cyber insurance standards, while unlocking access to the suppliers’ cyber maturity data and risk insights.
The result is that it may support enhanced underwriting discipline and the potential to reduce loss frequency and limit correlated events that put pressure on captive capacity.
A pragmatic TPRM approach is best structured as a simple six-step lifecycle.
- Understand your cyber supply chain. Map external dependencies and identify which third parties support critical processes, handle sensitive data or have privileged access. Identifying shared dependencies and third parties that could cause operational or systemic disruption is particularly relevant for captives.
- Define KRIs with third parties. Agree a small set of evidence-based key risk indicators (KRIs), balancing control and outcome indicators and include protocol for when a threshold is breached.
- Classify third parties by tiers. Determine how deep you go – and where you spend time. Typical criteria include data sensitivity, access level, operational criticality, regulatory impact and connectivity. Risk concentration is important: a vendor that underpins many services may warrant a higher tier even if it processes limited sensitive data.
- Tailor assessments by tier. For lower tiers, outside-in assessments may suffice. As criticality increases, include maturity assessments and then cyber risk quantification. For top-tier vendors, include penetration testing and joint incident response exercises. This validates notification, coordination and evidence-sharing which are often the biggest drivers of severity.
- Document decisions and strengthen contracts. Record vendor tiering, assessments, KRIs, remediation plans and risk acceptances. Contracts should enforce cyber requirements such as rapid incident reporting and forensic and regulatory cooperation.
- Monitor and avoid risk drift. Combine continuous monitoring with trigger-based reassessment. The objective is to catch ‘risk drift’ early – reducing both the likelihood of loss and the chance of correlated events that can accumulate across the captive’s exposures.
Expanding horizons
Supply chain cyber risk is one of the biggest unmanaged exposures facing many companies today. For many organizations, it feels inaccessible and out of their control or too fragmented to manage.
Deploying a TPRM approach may help organizations to overcome these obstacles, bringing greater transparency and influence across cyber ecosystems. In our experience, captives are ideally placed to drive the process and, in doing so, support their position as a strategic enabler of business continuity and sustainable growth.
The benefits of TPRM go well beyond the financial implications. By extending its role beyond the parent organization, the captive can strengthen its relationship with critical suppliers, introduce financial incentives that may support to improve risk maturity, and shield the parent company from systemic disruption and reputational fallout.
The tactics and tools available to threat actors are likely going to increase in speed and sophistication. Best-in-class enterprise security may no longer be enough to ensure resilience – collectively, we must think bigger and extend horizons beyond enterprise boundaries. The most resilient organizations today seem to be those that can actively shape the resilience of the ecosystems they depend on.
