How supply chain risk can affect cyber insurance

Gaining visibility into supply chain threats — and adding controls for software risk — are essential to insurability.

Supply chain risk and insurance

As cyber-insurance companies get more sophisticated in managing risk, vetting policyholders’ internal controls such as multifactor authentication and incident-response plans, it’s only a matter of time before they do the same for digital supply chain risks, experts believe.

That means cyber insurability — and even broader business-interruption insurability — could come to hinge on the strength of software supply chain security and third-party risk management controls.

Here’s why gaining visibility into, and controls over, software risk is essential to being insurable.

Software supply chain risk is on insurers’ radar

At the moment, the cyber-insurance market tips in buyers’ favor. Average premium rates are down, and policy renewal terms have loosened up over the last few years. Brokers and other industry watchers say the soft market conditions are attributable to new competition in the cyber managing general agent market and a stabilization in claims since the spikes that occurred in the early 2020s.

Ben Beeson, founder and CEO of Galahad Risk Solutions, said this is a great time to pick up cyber insurance and cyber business-interruption policies that cover third-party risks and software supply chain security incidents — although he added that you shouldn’t expect the conditions to last.

The cyber-insurance market offers that coverage and it offers it in some instances with full policy limits. And I think that’s undersold, and I think it’s a key selling point for cyber insurance. But that could quickly change. We’re in a soft market. Rates are very low; it’s very competitive. That’s good for the buyer. It’s not good for market sustainability.

Ben Beeson

Beeson said that the spike in claims occurred about five years ago with ransomware coverage. That type of risk had been broadly covered until the surge in claims, which led insurers to scramble to tighten up the market: raising rates, adding significant restrictions to ransomware policies, and carefully scrutinizing their insureds’ controls.

Although software supply chain attacks are on the rise, insurers have not yet reduced coverage or increased rates. That could change, though, with just a couple of costly incidents, said Rich Seiersen, chief risk technology officer at Qualys.

A major wild card is the possibility of a systemic cyber event — a cloud outage, a widespread supply chain compromise, or a high-impact ransomware wave that hits many insureds at the same time. Such an event could push the market into a sharper hardening cycle.

Rich Seiersen

Many of the big players in the insurance industry are watching closely, especially at the confluence where ransomware threats meet the risk aggregation of the digital supply chain.

Last week, a report from insurance brokerage Marsh included the finding that 70% of organizations experienced at least one material third-party cyber incident in the past year. The report said managing third-party and supply chain cyber risks is “an integral part of overall cyber resilience strategies.”

Thomas Reagan, global cyber practice leader for Marsh, said in a statement:

While many organizations are boosting budgets, true resilience comes from balancing technology, talent, and preparedness — especially in managing third-party risks.

And earlier this year in a cyber-insurance trend report, Munich Re stated that it sees vulnerabilities of supply chains as “one of the most pressing cyber risks” today and expects software supply chain attacks to cost businesses $138 billion by 2031, up from $60 billion this year.

How supply chain risks will impact underwriting

The prevailing long-term outlook is that cyber-insurance underwriting will grow more scrupulous and advance in how it collects and analyzes security evidence.

Saša Zdjelar, chief trust officer at ReversingLabs (RL), said companies are moving away from risk questionnaires toward systems that offer telemetry and documentation of what environments look like.

Cyber-insurance companies are pushing very hard for things that are provable. It’s a shift from a trust-based approach toward something that is evidence-based. As a result, companies should be looking more and more at the types of capabilities they have, to be able to prove they're doing something versus just saying it.

Saša Zdjelar

Diana Kelley, CISO at Noma Security, said that, to date, most cyber insurers have focused on the risk postures of the systems owned by or directly controlled by the insured. They are not asking for information about the software supply chain and digital ecosystems that companies rely on — yet digital supply chain mapping “will play a central role in insurability,” she said.

Most large cyber losses now stem from supply chain failures involving SaaS platforms, cloud providers, managed service providers, and fourth-party dependencies. Without verifiable visibility into these digital dependencies, underwriters lack the information needed to assess concentration risk and potential cascade paths.

Diana Kelley

Zdjelar said he’s had numerous discussions with major brokers and insurance providers, and reports that they are at the very least starting to do their research on the requirements for visibility and control over software supply chain risks.

Some have now even added a software supply chain pillar as a key domain that they focus on in their underwriting. The question is trying to figure out what should go into that pillar and how sophisticated they can build it out. So they’re starting to look at things like binary analysis and software bills of materials as up-and-coming controls they can use as risk indicators.

Saša Zdjelar

Supply chain risks — and the link to business insurance

This kind of scrutiny may extend beyond traditional cyber-insurance policies. Organizations will need to consider how the software supply chain impacts broader business policies and improve their controls to mitigate those risks.

Bridget Quinn Choi, lead product counsel for the cyber practice at Woodruff Sawyer, said in a webinar earlier this year that some insurers are putting restrictions in these policies such as expanded waiting periods, higher self-insured retentions, limits on the types of third parties covered, and lower available limits to minimize their exposure.

In the context of insurance for supply chain cyber risk, it is important to consider the quality and breadth of an organization’s business-interruption and contingent business-interruption insurance coverage.

Bridget Quinn Choi

This is still a work in progress for underwriters, said John Hennessy, U.S. central regional vice president of underwriting at Cowbell.

The underwriting of contingent business-interruption and contingent system-failure exposures has not been able to fully comprehend the complexity of the exposure from a cyber perspective. From a cyber CBI perspective, the insured’s vendor relationships are often much more complex than a traditional supply chain. To fully comprehend the exposure, insurers need insight into their insureds’ complete tech stacks.

John Hennessy

Why insurers will reduce overall risk from ‘risky’ suppliers

Software supply chain risk is worrisome for insurers because the risk grows when a major supplier or major component triggers sweeping coverage events, said Galahad Risk Solutions’ Beeson.

The No. 1 concern is what they call ‘accumulation risk’ from events like what we’ve seen at AWS recently or something unforeseen like what happened with CrowdStrike last year. It’s some event that has a ripple event across multiple thousands of companies. Insurance and reinsurance companies are trying to get much more visibility into what that looks like and manage their portfolio of risk that way.

Ben Beeson

RL’s Zdjelar said that is the reason why he goes so far as to speculate that insurers may start raising rates or writing exclusions in policies for companies that don’t declare their use of specific risky vendors or components that have proven exposure to supply chain threats.

For example, he said, if one of your company’s hardware providers has its entire codebase stolen and exposed to cybercriminals, insurers may demand higher rates from your organization. And if you’re unable to determine or don’t declare use of any infrastructure that later leads to a coverage event, your claim could be denied.

It’s almost like how car insurance providers refused to cover certain cars with very stealable key-fob technology. In the future, we can probably expect them to say, ‘If you buy software that contains any of these bad components, you have to find alternatives or have a control for that.’

Saša Zdjelar