When it comes to cyber attacks and digital disruptions, it’s easy to assume that sprawling multinationals remain the primary targets and victims.
This could have been true a decade ago, but the reality today is far more indiscriminate: from niche businesses to global conglomerates, no company is immune to the ripple effects of a supplier’s compromised system.
According to QBE’s global head of cyber, Serene Davis, it’s a dangerous myth that smaller organizations can fly under the radar or that larger ones are somehow better protected.
“Your exposure depends less on your size and more on your vendor relationships and the complexity of your operations,” Davis told Insurance Business. “Businesses are more connected than ever before. Even if you’ve done everything right within your own environment, a vulnerable supplier can take you down.”
Increasing dependence on technology and non-technology vendors demands more cyber vigilance from organizations of all sizes. QBE’s data has shown a sharp rise in targeted supply chain attacks, with cybercriminals increasingly exploiting interconnected systems to cause cascading operational failures.
The number of strategically disruptive cyber attacks worldwide has nearly doubled, said QBE, from 103 in 2020 to 196 in 2024.
“By the end of 2025, we'll likely hit one of the highest levels of cyber activity we've seen,” Davis said. “Some events slow things temporarily, but overall, the trend is upward.”
The Control Risks report, commissioned by QBE, surveyed business leaders across nine Western countries and revealed that 52% of businesses with 100 to 2,000 employees reported experiencing a cyberattack in the last 12 months. In 14% of those cases, the disruption lasted for at least one full working day.
Notably, three in five of these attacks (59%) were linked to third-party suppliers, underscoring the rising threat of supply chain cyber risk.
The survey also found that 49% of companies affected by cyber attacks experienced revenue loss. Davis warned that an organization’s risk is amplified when companies lack visibility into their vendor ecosystem.
“One of the biggest blind spots we still see is inadequate assessment of third-party risk, especially from non-tech vendors,” she said. “Every company has its own level of security around suppliers. Some have backups or incident response plans; others don't. That variation is something cyber insurance continues to evolve around.
“You can no longer apply the same assumptions across all models. Ten years ago, one major supplier outage might have been assumed to affect everyone equally. That's not the case. Threat actors understand that a single point of failure can cascade damage quickly, and they’ve been targeting those.”
Geopolitics is one of the top drivers of cyber risks. Between 2023 and 2024, Europe and North America saw a 42% increase in significant cyber incidents, according to QBE. The insurer attributed this rise largely to fallout from the war in Ukraine and related geopolitical tensions.
Additionally, generative artificial intelligence (Gen AI) is becoming both a weapon and a vulnerability. QBE’s research shows that 10% of successful cyber attacks last year involved deepfakes or other Gen AI tools. Attackers have also begun exploiting AI systems directly by injecting malicious prompts or tampering with training data.
Despite the risks, businesses are embracing AI rapidly. Two-thirds (67%) already use it in some capacity, and 86% believe it will benefit their national economies in the next two years. Sectors like computing (79%), tech-media-telecom (75%), and financial services (71%) lead adoption.
“AI is creating incredible efficiencies, but it’s also expanding the attack surface,” Davis said. “That’s something we’re monitoring very closely.”
When asked how companies can better prepare for these scenarios, Davis laid out several best practices that QBE recommends for clients. Her biggest piece of advice? Thoroughly map vendor dependencies.
“Organizations need to know who their Tier 1, Tier 2, and Tier 3 suppliers are and understand their level of reliance on each,” Davis said. This allows companies to identify single points of failure and implement strategies like diversification or redundancy where possible, the QBE cyber leader said.
However, she also acknowledged that not all companies have the flexibility to diversify. “In some industries, consolidating with one supplier is necessary for cost or operational reasons,” Davis said. “In those cases, it’s even more crucial to build robust incident response and business continuity plans that account for supplier disruption.”
As the cyber threat landscape evolves, Davis sees an opportunity – and a responsibility – for insurers and brokers to do more. She stressed that cyber insurance is no longer optional for firms of any size.
“Every supply chain event is an opportunity for cyber insurance to show its value. Some companies don't fully recognize that value until they're affected,” said Davis. “There's also a perception that cyber insurance is more complicated than it is. It's on us to simplify the message and how we talk about coverage.
“At QBE, we’re focusing on simplifying the conversation, meeting clients where they are and giving them the tools to protect what matters.”