Technology supply chain attacks pose significant cyber risks to companies, as demonstrated by incidents involving CrowdStrike and Change Healthcare, among others. These attacks exploit vulnerabilities in third-party software and services, leading to widespread disruptions and financial losses to customers of the targeted company.

In July 2024, a software update from CrowdStrike caused major functionality issues for thousands of organizations globally. Similarly, in February 2024, Change Healthcare, a unit of UnitedHealth Group, suffered a ransomware attack that severely impacted the healthcare sector. This attack disrupted claims processing and revenue cycle management services.

Due to their widespread impact, attacks on the technology supply chain are highly attractive to those looking to cause maximum disruption. When you consider how long it takes some companies to timely patch known vulnerabilities, the attackers can exploit the vulnerability for months, if not years, and continue to drive losses for cyber insurance carriers. As a result, we expect a lot of underwriting scrutiny around third-party risk management controls in 2025.