Building Resilience

Parent Page Home
Parent Page News
Parent Page Spotlight on Tech Transformation & Cyber Risk 2025
Building Resilience

Building Resilience

In 2024, several incidents highlighted the systemic cyber risks of third party suppliers. While some organisations managed the impact, others faced major problems and disruption. Often, the difference came down the risk mitigation measures businesses had in place. Those with a defence in depth approach in place recovered more quickly.

Walls within walls

The need for a multilayered, defence in depth approach to cyber security has never been greater. Cyber criminals continually refine their attack tactics, becoming increasingly adept at exploiting known vulnerabilities quickly and infiltrating systems faster. According to our survey, businesses, irrespective of industry, size or location recognise the increased cyber risks they face.
However, they appear to feel overly resilient in a very fluid and constantly changing threat landscape, where new threats emerge daily and even the most robust lines of defence can be breached.

Multiple layers of defence

Ensuring multiple layers of defence to restrict access to cyber criminals is a critical element of cyber security best practice. A defence in depth strategy, bespoke to each organisation, reflecting its unique supply chain and exposures is needed – and at a minimum should include:

Multi-factor authentication (MFA) – deployed across all applications and systems. Organisations need to also use virtual private networks (VPNs) to help secure remote access points and provide data privacy and protection.
Monitoring and patching – all systems and internet facing infrastructures should be continuously monitored to spot vulnerabilities and suspicious activity, and systems should be updated with new patches promptly.
Segmentation – systems should be segmented to limit lateral movement across a network by cyber criminals during a breach.
Restrict and classify data – identify and protect critical data, encrypting it and restricting access rights to it to ensure that only the relevant people have access. Also ensure that data is regularly backed up.
Credential management – regularly update passwords and keep them and application programming interface (API) keys, digital certificates and biometric data stored securely.
Prepare for an attack – have a practiced and up-to-date incident response plan, which is easily accessible if a system is compromised. Undertake regular employee training, take out insurance and know who to contact in the event of a breach.

“Businesses shouldn't just be enforcing MFA on their devices, requiring strong passwords, or maintaining a robust identity access management programme. All these things are important, but comprehensive cyber security is more than that.”

Craig Linton
Head of US Underwriting Management - Cyber Risks

Understand the third party threat

Organisations must assess the third party exposure of their firm and better understand their risk profile. They also need to check the contractual limitations within vendor contacts, which often restrict the vendor’s liability in the event of a knock-on third party event, leaving the impacted companies to withstand the worst of the financial and legal consequences of the incident. Vendors can also deflect the responsibility for a breach, pointing the finger at the affected companies for not having proper security measures in place.

“I’m not sure that many CEOs appreciate third party attacks can create a double problem. The cyber criminals don’t care about the firms left sitting in the middle. We’ve also seen a trend of vendors getting into disputes with their clients and blaming them for what they see as their part in a third party incident.”

Marcello Antonucci
Claims Leader – Cyber & Tech Claims

Improving cyber hygiene

Our data shows that global executives feel prepared[i] to counter the threat posed by cyber risk, and that over a third plan to invest in improved cyber security this year, with global information security spending forecast to grow 15% this year[23]. However, with the global cybercrime damage cost estimated to be US$10.5 trillion this year – up from US$3 trillion in 2015, it would appear that companies are not appropriately prepared for the impact of cybercrime.[24]

Effective cyber security and data privacy requires a proactive, responsive, and adaptable approach. While no strategy can guarantee prevention, strong defences and quality cyber insurance - with expert support services - helps to keep firms alert and on top of their cyber risk landscape.
“Basic phishing and email compromise attacks remain a common pitfall, and businesses are still getting the basics wrong, failing to secure their data and segment their systems. Training for employees is essential to help mitigate this and forms a crucial part of a business’ cyber hygiene level.”

Sydonie Williams
Head of International Cyber Risks

Walls within walls

Multiple layers of defence

Ensuring multiple layers of defence to restrict access to cyber criminals is a critical element of cyber security best practice. A defence in depth strategy, bespoke to each organisation, reflecting its unique supply chain and exposures is needed – and at a minimum should include:

Multi-factor authentication (MFA) – deployed across all applications and systems. Organisations need to also use virtual private networks (VPNs) to help secure remote access points and provide data privacy and protection.
Monitoring and patching – all systems and internet facing infrastructures should be continuously monitored to spot vulnerabilities and suspicious activity, and systems should be updated with new patches promptly.
Segmentation – systems should be segmented to limit lateral movement across a network by cyber criminals during a breach.
Restrict and classify data – identify and protect critical data, encrypting it and restricting access rights to it to ensure that only the relevant people have access. Also ensure that data is regularly backed up.
Credential management – regularly update passwords and keep them and application programming interface (API) keys, digital certificates and biometric data stored securely.
Prepare for an attack – have a practiced and up-to-date incident response plan, which is easily accessible if a system is compromised. Undertake regular employee training, take out insurance and know who to contact in the event of a breach.

“Businesses shouldn't just be enforcing MFA on their devices, requiring strong passwords, or maintaining a robust identity access management programme. All these things are important, but comprehensive cyber security is more than that.”

Craig Linton
Head of US Underwriting Management - Cyber Risks

Understand the third party threat