This is article part 12 of 14 in this report.
April 30, 2025
A Highlight Year For Systemic Risk – And Single Point Of Failure Events

Key takeaways
- 2024 was a highlight year across the cyber reinsurance space. It revealed new and undiscovered single points of failure and served as a call to action.
- Insurers continued to collect data surrounding technology dependencies and moved to collect more intelligence around contingent business interruption or system failure risk.
- Organizations found that managing systemic risk is a shared responsibility. Identifying which vendors are the most business-critical and employing cyber risk scenario modeling is essential.
Technology interdependence is a Faustian pact. The interconnectedness that defines our world ushers in innovation, collaboration, and business growth — yet brings with it great risk.
Systemic cyber risk — the potential for a cyber incident to cause widespread disruption and instability across multiple entities or industries — is escalating. It’s becoming more evident that many organizations cannot control the vendors with which they do business or the technology platforms that drive their business operations. Aon’s U.S. Cyber Broking data shows that supply chain issues contributed to 28.5 percent of reported cyber incidents in 2024.[1] The risk is growing. Gartner predicts that by 2025, 45 percent of companies will have experienced attacks on their software supply chains, a threefold increase from 2021.[2] Regardless of what organizations do when it comes to assessing their vendors’ business continuity or disaster recovery processes, the potential entry point for new risk is very real and unavoidable.
As was seen throughout 2024, losses typically result from an aggregate event and can be either malicious or non-malicious.[3] The ransomware breach of a healthcare payments technology provider involved the private data of approximately 190 million individuals and also rippled to doctors’ offices and hospitals, resulting in severe cashflow problems and threatening patients’ access to care.[4] The direct financial costs for the breached company were likewise extreme, tallying $3.09 billion pre-tax,[5][6] and the company also provided $9 billion in interest-free loans to impacted businesses. The June ransomware attack on a company that provides software for automotive dealerships disrupted operations at thousands of dealerships across the U.S., resulting in tens of millions of dollars in lost earnings for a wide range of companies.[7] The ‘CrowdStrike event’ caused 8.5 million systems to crash, disrupting operations across thousands of organizations worldwide and resulting in a revenue impact of $500 million for a major U.S. airline.[8] Wrapping up the year, the ransomware attack on a U.S. supply chain management provider rippled globally.
Single Points of Failure
A single point of failure refers to any technology or system that, if it fails, will cause disruption to many companies. Last year was a notable year across the cyber reinsurance space for the sheer number of single points of failure that may exist. For businesses and insurers, this was a catalyst for action. However, gaining visibility into this risk is a real challenge. Fortunately for insurers, the losses across 2024 were lower than expected. For Aon clients, through January 2025, 70 claims were reported in response to the CrowdStrike incident; of those, only 10 percent remain open, and 90 percent closed without any payment. Despite this positive outcome for carriers, the marketplace remains on high alert.
In response to systemic risk, organizations are striving to protect themselves contractually. Many organizations, especially technology platform providers, are attempting to cap their potential liability through limitation-of-liability clauses. Conversely, businesses that depend on certain technologies are trying to raise those limitations of liability so that, in the case of a system failure, a written demand can be issued. While contracts can protect, systemic risk is a shared responsibility. Large organizations, for example, might distribute cloud computing dependencies across several geographic regions. This way, they are not solely dependent on a single point of failure associated with one cloud provider. These large organizations might also think through business continuity and disaster recovery to mitigate as much of the financial exposure as possible.
As insurers become more educated about systemic risk, coverage waiting periods surrounding business interruption and contingent business interruption are more common within policies. These waiting periods specify a timeframe during which the insured must cover losses before activating insurance benefits, almost like a deductible in time. Straight-period deductibles pay benefits based on the total business interruption time minus the “time deductible.” With a franchise deductible, businesses are paid for the complete downtime once the “time deductible” window has passed. Waiting periods present another layer of protection for insurers from single points of failure risk. For retail insurers, it is essential to be aware of the policy nuances regarding business interruption, as this can have a meaningful difference on loss.
Ultimately, insurers know that certain risks are unavoidable. For example, most businesses will be dependent on large cloud providers. This web of interdependencies is challenging even to contemplate — let alone manage. Insurers can still work to help balance systemic risk by investigating which clients and providers are connected — including their downstream dependencies — and then segmenting that data by industry, country, and business size. They should also identify which combinations have higher concentration in specific single points of failure and build a portfolio that accounts for differing levels of diversity across the technology stack. This segmentation can be critically important for smaller companies, as this segment typically relies on the same subset of managed service providers and the take-up of cyber insurance is significantly lower for small businesses. Less than 5 percent of companies with annual revenue below $1 million have cyber insurance, and approximately 20 to 40 percent of companies with annual revenue of $1 million to $10 million have cyber insurance. By contrast, over 55 percent of companies with annual revenue over $10 million have cyber insurance, with take-up scaling up with company size.[9]
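The waiting-period mechanics and the portfolio segmentation described above can be made concrete in a small scenario model. The following is an added example, not code from Aon or from the report: it models a constructed portfolio of five hypothetical insureds with made-up vendor dependencies, hourly business interruption loss estimates, waiting periods and BI/CBI sublimits, then (a) applies a straight-period or franchise time deductible to a single-point-of-failure outage and (b) measures how concentrated each segment of the portfolio is on one vendor. All names, figures and the hour-based waiting periods are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Policy:
    """One insured's cyber policy plus its technology dependencies (constructed)."""
    insured: str
    industry: str
    country: str
    size: str                   # "small", "mid" or "large"
    vendors: FrozenSet[str]     # single points of failure this insured relies on
    hourly_bi_loss: float       # constructed estimate of lost income per outage hour
    waiting_period_hours: int   # the "time deductible"
    deductible_type: str        # "straight" or "franchise"
    bi_limit: float             # BI/CBI sublimit on the policy


def covered_hours(downtime_hours: int, waiting_period_hours: int, deductible_type: str) -> int:
    """Outage hours the policy responds to once the waiting period is applied."""
    if deductible_type == "straight":
        # Straight-period deductible: pay total downtime minus the time deductible.
        return max(0, downtime_hours - waiting_period_hours)
    if deductible_type == "franchise":
        # Franchise deductible: once the window has passed, pay the complete downtime.
        return downtime_hours if downtime_hours >= waiting_period_hours else 0
    raise ValueError(f"unknown deductible type: {deductible_type}")


def covered_loss(policy: Policy, downtime_hours: int) -> float:
    """Indemnifiable BI loss for one policy, capped at its sublimit."""
    hours = covered_hours(downtime_hours, policy.waiting_period_hours, policy.deductible_type)
    return min(policy.bi_limit, hours * policy.hourly_bi_loss)


def scenario_loss(policies: List[Policy], failed_vendor: str, downtime_hours: int) -> float:
    """Portfolio-wide loss if one vendor (a single point of failure) is down."""
    return sum(covered_loss(p, downtime_hours) for p in policies if failed_vendor in p.vendors)


def concentration(policies: List[Policy], vendor: str,
                  segment_of: Callable[[Policy], str]) -> Dict[str, float]:
    """Share of each segment's policies that depend on `vendor` (0.0 to 1.0)."""
    total: Dict[str, int] = defaultdict(int)
    dependent: Dict[str, int] = defaultdict(int)
    for p in policies:
        seg = segment_of(p)
        total[seg] += 1
        if vendor in p.vendors:
            dependent[seg] += 1
    return {seg: dependent[seg] / total[seg] for seg in total}


# Constructed sample portfolio; vendor names are hypothetical.
PORTFOLIO: List[Policy] = [
    Policy("Acme Clinics", "healthcare", "US", "small", frozenset({"CloudA", "PayCo"}),
           hourly_bi_loss=1_000, waiting_period_hours=8, deductible_type="straight", bi_limit=100_000),
    Policy("Beta Dealers", "automotive", "US", "mid", frozenset({"DealerSoft", "CloudA"}),
           hourly_bi_loss=2_000, waiting_period_hours=12, deductible_type="franchise", bi_limit=500_000),
    Policy("Gamma Logistics", "logistics", "DE", "large", frozenset({"CloudA", "CloudB"}),
           hourly_bi_loss=10_000, waiting_period_hours=24, deductible_type="straight", bi_limit=2_000_000),
    Policy("Delta Retail", "retail", "UK", "mid", frozenset({"CloudB", "PayCo"}),
           hourly_bi_loss=1_500, waiting_period_hours=12, deductible_type="straight", bi_limit=300_000),
    Policy("Epsilon Health", "healthcare", "US", "mid", frozenset({"PayCo"}),
           hourly_bi_loss=2_500, waiting_period_hours=8, deductible_type="franchise", bi_limit=400_000),
]


if __name__ == "__main__":
    # A 20-hour outage at CloudA: Gamma's 24-hour waiting period absorbs the whole event,
    # Acme is paid for 12 hours, Beta (franchise) is paid for all 20 hours.
    print("CloudA down 20h:", scenario_loss(PORTFOLIO, "CloudA", 20))
    # A 6-hour PayCo outage is inside every affected waiting period, so nothing is paid.
    print("PayCo down 6h:", scenario_loss(PORTFOLIO, "PayCo", 6))
    # Concentration of CloudA dependence by country and by industry.
    print("CloudA by country:", concentration(PORTFOLIO, "CloudA", lambda p: p.country))
    print("PayCo by industry:", concentration(PORTFOLIO, "PayCo", lambda p: p.industry))
```

The two scenario calls show why the policy wording matters: for the same downtime a franchise deductible pays from hour zero once the window is cleared, while a straight-period deductible only ever pays the excess over it, and an outage shorter than the waiting period produces no indemnifiable loss at all. The `concentration` output is the segmentation an insurer would use to spot, for example, that every German policy in the book depends on one cloud provider.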
Financial quantification and cyber scenario modeling are essential for organizations to understand their systemic risk exposure. Devising a roadmap and investment strategy for scenarios that could cause the most material financial loss can make the risk more manageable. Organizations are urged to invest in critical, or red flag, controls defined by the cyber insurance industry.
Based on 2024 Aon global data, 57 percent of global and enterprise clients reported cyber vulnerability scans that cover less than 100 percent of the enterprise, and 36 percent had more than 10 service accounts. Rounding out the top five red flags for large and multinational organizations were backups not stored in a secondary data center, no tabletop exercises performed in the last year, and a target time for patching that exceeded seven days. Middle market and small to mid-sized enterprise critical red flags differed, with 59 percent reporting a lack of annual tabletop exercises and 49 percent reporting backups not stored in a secondary data center. The next three critical red flags included vulnerability scans that covered less than 100 percent of the enterprise, no incident response plan for ransomware, and no multi-factor authentication to combat ransomware.
Key Observations:
- Although the number of service accounts is greater in larger organizations, privileged service accounts tend to be better managed.
- When a client has less than 100% covered in vulnerability scanning, segmentation is reviewed which is not captured in the above.
Key Observations:
- Privacy, while not necessarily a risk-scoring item, is an increasing focus of carriers in terms of the controls insureds have in place around how they collect user information.
- IBM’s Cost of a Data Breach Report found that having an incident response team and formal incident response plans enables organizations to reduce the cost of a breach by almost half a million US dollars (USD 473,706) on average.
Across 3,200 Aon global clients, of which North America and EMEA account for 94 percent of the data, the average global risk score was 2.71, or “approaching managed.” Endpoint Security at 2.96 was the highest scoring domain; it contains the subdomains endpoint protection, logging and monitoring, and security configuration. Conversely, the lowest scoring domain was third-party at 2.26, with its top scoring subdomains being due diligence, third-party contracts, and third-party inventory.
While companies can’t eliminate reliance on third parties, they can identify which are the most business-critical to operations and develop a mitigation plan and a response playbook in the event one or more of those vendors suffer a significant event.
Recommended Actions
- Analyze the impact of systemic risk. Understand the interdependencies across your technology stack and develop a response playbook in the event one or more vendors suffer a significant event.
- Be cognizant of cyber insurance policy nuances regarding business interruption, as this will have a meaningful difference on loss. Consider waiting periods and what events your business interruption and contingent business interruption (BI/CBI) limits cover; for insurers, strategically balance cyber risk portfolios.
- Strengthen third-party risk controls, including back-ups, incident response (IR) and business continuity management.
References
[1] Based on manual tracking data that Aon’s claims team maintained for a few of the widespread events in 2024, comparing our manual tracking to our total claims volume for 2024 as documented in CRP.
[2] Gartner Identifies Top Security and Risk Management Trends for 2022. Gartner. Press Release. March 7, 2022. https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022
[3] 2024 Cyber Risks Update. Beazley. October 1, 2024. https://www.beazley.com/globalassets/ir-documents/presentations/2024/cyber_risks_1st_october_update.pdf
[4] Chairman Brett Guthrie. What We Learned: Change Healthcare Cyber Attack. U.S. Department of Energy and Commerce. May 3, 2024. https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack
[5] United Health Group Incorporated. Form 8-K. January 16, 2025. Securities and Exchange Commission (SEC). https://www.sec.gov/ix?doc=/Archives/edgar/data/731766/000073176625000022/unh-20250116.html
[6] UnitedHealth hikes number of Change cyberattack breach victims to 190M. Emily Olsen. CybersecurityDive. https://www.cybersecuritydive.com/news/change-healthcare-attack-affects-190-million/738369/#:~:text=Dive%20Insight:,and%20file%20prior%20authorization%20requests.
[7] AutoNation, Inc. Form 10-Q. September 30, 2024. SEC. https://www.sec.gov/ix?doc=/Archives/edgar/data/350698/000035069824000111/an-20240930.htm; Sonic Automotive, Inc. Form 10-Q. September 30, 2024. SEC.
[8] Delta Airlines Inc. Form 8-K. August 8, 2024. https://www.sec.gov/ix?doc=/Archives/edgar/data/0000027904/000168316824005369/delta_8k.htm
[9] Moody’s Cyber Industry Exposure Database. Aon Analysis. March 2025. https://www.moodys.com
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.