When the Underwriter Becomes the Target: Supply Chain Attacks Are Coming for Insurance
Insurers price everyone else's supply chain risk. Now the same attacks target underwriting infrastructure itself — pricing models, portfolios, and TPAs.
Cyber underwriters spend their careers pricing supply chain risk for everyone else. We dissect a manufacturer’s SaaS dependencies, a hospital’s billing vendor, a logistics firm’s cloud provider. We model the cascade: one upstream compromise, many downstream losses.
Then we walk back to our own desks and log into an underwriting workstation that depends on a dozen vendors we have never vetted.
The inversion is now the threat. Supply chain attacks are not just something insurers cover — they are increasingly aimed at the insurance and underwriting sector itself. The infrastructure that prices, binds, and services risk is, it turns out, exceptionally valuable to compromise. And it runs on the same fragile, interconnected software supply chain as everyone else.
Why underwriting infrastructure is a high-value target
Most breaches are valuable because they expose payment data or credentials. A breach of an underwriting environment is valuable for a different and more durable reason: it exposes judgment.
An underwriting file is a compressed map of how a carrier thinks about an entire market segment. It contains:
- Proprietary pricing and actuarial models — the accumulated intellectual property of the firm. Steal it and you hand a competitor, or a hostile state actor, the ability to price against you, to cherry-pick your best risks, and to understand your blind spots.
- Portfolio and accumulation data — which insureds you write, where they sit geographically, how they overlap in supply chain dependencies. This is the data that lets a carrier manage aggregation. In an adversary’s hands, it is a targeting list: here are the organisations whose simultaneous failure would hurt this carrier most.
- Sensitive submission data — security questionnaires, incident histories, financials, and often personal or health data attached to submissions and claims. Regulation-grade PII and PHI sit inside underwriting systems of record.
- Reinsurance and cession data — who cedes what to whom, treaty structures, and the terms. Compromise this and you compromise the risk-transfer architecture itself.
This is why an underwriting environment is not just another corporate network. It is a concentration of intelligence. An attacker who reaches it gains something more valuable than a ransomware payment: a durable, strategic advantage.
The insurance software supply chain
The sector’s attack surface is not abstract. It runs on a remarkably small, remarkably concentrated set of third parties:
- Policy administration and core platforms — Guidewire, Duck Creek, Sapiens, and their hosted/managed-service variants. A vulnerability or insider compromise in a core platform vendor can reach an entire market segment in a single stroke.
- MGA and brokerage SaaS — the rapidly proliferating tools that bind, quote, and reconcile. These are often smaller vendors with thinner security teams, holding exactly the submission data described above.
- Actuarial and pricing engines, analytics vendors, and rating bureaus — the systems that consume exposure data and emit price. Compromise here is a direct attack on the firm’s pricing integrity.
- Claims-data feeds, TPAs, and reinsurer data exchanges — high-volume file flows moving PII and money instructions between parties who trust each other implicitly.
- File-transfer tooling — the managed file transfer (MFT) platforms and SFTP gateways that carry all of the above between organisations.
- Identity providers — the Okta-class systems that broker access to every one of these.
Note the shape of that list. It is a small number of vendors, each touching a large number of carriers. That is not a resilient topology. That is an aggregation engine, and it points in only one direction.
The precedent is already written
We do not need to speculate about insurers being caught in supply chain attacks. It has already happened, repeatedly, and the pattern is consistent: one widely-used tool is compromised, and a correlated set of victims falls out the other side.
The MOVEit Transfer mass exploitation in 2023 (CVE-2023-34362, a SQL injection in Progress Software’s widely-deployed MFT) is the canonical example. The Cl0p group weaponised a single vulnerability in a single product and harvested data from a sprawling, interlocking set of organisations across finance, government, and benefits administration — including third-party administrators that handle insurance and benefits data. The lesson underwriters should internalise is not which names appeared in the headlines. It is the topology: one product, one flaw, hundreds of organisations, simultaneously.
GoAnywhere MFT (Fortra) saw the same dynamic earlier in 2023, again exploited by Cl0p against a concentrated user base. The Change Healthcare attack in 2024 demonstrated the systemic consequences when a single backbone provider in the healthcare-payments chain fails — downstream operational and financial disruption rippled across the entire sector for weeks. And the 2024 wave of credential-driven SaaS compromises (infostealer-driven intrusions into cloud data platforms) showed that you do not even need a software vulnerability: a reused credential on a critical third party is enough.
In every one of these cases the same structure repeats. The attacker did not need to defeat every victim individually. They compromised the shared node, and the victims arrived pre-correlated.
Aggregation risk, turned inward
Underwriters understand accumulation risk better than anyone in cybersecurity. We agonise over whether a single hurricane, or a single cloud region outage, could generate correlated losses across an entire book. We build models to bound it.
Supply chain attacks on the sector are accumulation risk turned inward — and most carriers have not modelled them that way.
When a core platform vendor or a major MFT provider is compromised, the losses are not independent. Every carrier on that vendor experiences the event at once. That breaks the diversification assumption that underpins how cyber books are currently priced and how reinsurance is structured. Worse, it creates a channel for silent cyber inside the insurers’ own books: a vendor failure can trigger business interruption and recovery costs that flow back through commercial policies the insurer itself holds — not the cyber book it was watching.
The uncomfortable truth is that the same concentration the sector relies on for efficiency is the concentration an adversary relies on for leverage. Efficiency and aggregation are the same topology, read in opposite directions.
What underwriters and carriers must now do
The response is not a new tool. It is the disciplined application of third-party risk thinking to the sector’s own spine — exactly the discipline we demand of the insureds we price.
1. Map the ICT supply chain, starting with the spine. You cannot underwrite what you have not enumerated. Identify the small set of vendors whose compromise would be catastrophic rather than merely painful: core policy platforms, the identity provider, file-transfer tooling, TPAs, and any data exchange feeding pricing. DORA calls this mapping your ICT third-party providers; for European insurers it has been a hard requirement since 17 January 2025. Treat the map as a living asset, not a one-off exercise.
2. Shift scrutiny to systemic, not just critical, vendors. A vendor can be low-risk to your controls and catastrophic to your book because everyone else uses it too. Concentration is the risk metric that matters here, and traditional vendor risk scores — which grade a single vendor in isolation — are blind to it. Ask the question they cannot answer: if this vendor fails, how many of my peers fail at the same moment, and what does that do to my reinsurance?
3. Use the contractual levers you already have. NIS2 Article 21(2)(d) requires supply chain security measures, and DORA Chapter V imposes concrete ICT third-party obligations on financial entities — including insurers. These are not just compliance checkboxes. They are the legal basis to demand software bills of materials, vulnerability disclosure and patching SLAs, sub-processor transparency, breach notification timelines, and audit rights from the vendors on your spine. Write them into renewals and enforce them.
4. Treat your own cyber posture as a claims driver. An underwriting environment breach is not purely an IT incident — it is a claims event across the commercial book, a regulatory event under NIS2 and DORA, a reputational event with brokers, and potentially a reinsurance recovery event. Model it that way before it happens, the same way you would model an insured’s scenario.
5. Price the fact that you are now an insured too. Carriers increasingly buy cyber coverage for their own operations. The underwriters on the other side of that transaction are doing to you exactly what you do to your clients. Your own third-party risk posture is now an input to your own premium — which is the clearest possible signal that this risk has become material.
The underwriter's supply-chain risk checklist
- Map the spine. Enumerate the handful of vendors whose simultaneous compromise would be catastrophic — core platform, IdP, MFT, TPAs, pricing feeds.
- Score concentration, not just severity. For each spine vendor, ask how many market peers share it and what correlated loss that implies.
- Contract for transparency. Demand SBOMs, disclosure and patching SLAs, sub-processor lists, and audit rights — anchored in NIS2 Art. 21(2)(d) and DORA Chapter V.
- Model the inward event. Treat an underwriting-environment breach as a cross-book claims and reinsurance scenario, not an IT ticket.
- Protect the IP, not just the perimeter. Pricing models and portfolio data are the crown jewels — segment, monitor, and assume the network is already reachable.
The point
For years the sector’s job has been to look outward — at the insured, at the insured’s vendors, at the accumulation in someone else’s book. The next generation of supply chain attacks asks the harder question: what happens when all of that is turned on the underwriter.
The carriers that answer it first — by mapping their own ICT spine, contracting for real transparency, and pricing their own concentration risk — will be the ones who keep pricing everyone else’s. The ones that don’t will discover, in a single correlated event, that they were the accumulation risk all along.
For a deeper treatment of how to operationalise this, the NIS2 supply chain and third-party risk management guide and the DORA ICT risk management framework guide cover the regulatory machinery in detail. And if you want to walk through what the downstream loss actually looks like when a vendor compromise hits an insured, see the supply chain attack loss scenario — the mechanics are the same; only the victim has changed.
Michael Guiao Michael Guiao founded Resiliently AI and writes Resiliently. He has CISM, CCSP, CISA, and DPO certifications — but let them lapse, because in the age of AI, knowledge is cheap. What matters is judgment, and that comes from eight years of hands-on work at Zurich, Sompo, AXA, and PwC.
Go deeper with premium cyber risk reports
Professional-grade analysis, NIS2 compliance guides, and threat intelligence — used by underwriters across Europe.
Professional
Full platform — continuous monitoring, API access, white-label reports
Everything in Starter plus professional tools
Upgrade Now →Free NIS2 Compliance Checklist
Get the free 15-point PDF checklist + NIS2 compliance tips in your inbox.
No spam. Unsubscribe anytime. Privacy Policy
blog.featured
WordPress Plugin Flaw CVE-2023-4213 Exposes 10K+ Sites to Cyber Claims
6 min read
WordPress Plugin XSS Vulnerability Exposes Cyber Insurance Portfolios to Persistent Web Risks
5 min read
WordPress Security Plugin Flaw Exposes Organizations to Cyber Claims
6 min read
WordPress Plugin Flaw Exposes Cyber Insurance Portfolios to SQL Injection Risks
6 min read
Premium Report
2026 Cyber Risk Landscape Report
24 pages of threat analysis, claims data, and underwriting implications for European cyber insurance.
View Reports →Related posts
The Five Toxic Powers of Agentic AI — What Underwriters Need to Know
Agentic AI introduces five double-edged powers that create toxic risk combinations. Here's how underwriters, brokers, and CISOs should assess the threat.
Agentic Security: What Underwriters Need to Know in 2026
Autonomous AI agents are entering production at scale — and they bring a completely new attack surface that traditional cyber insurance questionnaires weren't designed to capture.
An AI Agent Deleted a Startup's Production Database — Can You Insure Against That?
PocketOS lost its production database to a Cursor AI agent in 9 seconds. The incident exposes a gap in cyber insurance that most policies don't cover: AI-caused operational destruction with no external attacker.