Third-party attacks and policy exclusions are rewriting the rules of cyber risk

Business continuity plans are lagging behind the speed and complexity of modern cyberattacks, according to Eric Schmitt, chief information security officer at Sedgwick.
“In most cases, it is not,” Schmitt said, when asked whether current business continuity frameworks are adapting to today’s cyber threat environment. He drew a sharp line between business continuity and disaster recovery, noting that many organizations blur the two. “Business continuity is business operations. Disaster recovery is the technical restoration – the nerd side, if you would,” he said.
This distinction matters as attackers increasingly exploit weak links across interconnected digital ecosystems. Schmitt pointed to a consistent trend: attackers no longer go through the front door. Instead, they target third-party vendors and ancillary service providers to gain access or cause disruption. “What you’re seeing is just, in my opinion, the natural evolution,” he said. “They realized you can attack a large, very well-secured company via a third party who does not necessarily meet those same standards.”
Critical infrastructure no longer means power and water
As the definition of critical infrastructure expands, so does the attack surface. Schmitt acknowledged the shift in how regulators and threat actors now perceive sectors once considered low priority. “We’re now considered critical infrastructure in a number of the countries we operate, even though, should our entire industry disappear, life goes on fairly normally for most people,” he said.
This change is being driven by the increasing importance of data, particularly in industries that manage sensitive information. “Anything now that holds sensitive data is considered critical infrastructure, regardless of the impact upon society or the ability of a government or society to function,” he said. Sectors such as logistics, insurance, entertainment, and claims management are now being included in this expanded scope – an evolution Schmitt called “fascinating,” albeit one that introduces significant new risks.
Insurance intel is fueling ransom strategies
As cybercriminals grow more sophisticated, their tactics are no longer random. Schmitt said some groups are going after high-profile targets for maximum visibility and payout, while others simply follow the path of least resistance.
“When you look at what’s available now with the use of AI, open-source intelligence gathering has become a matter of seconds, not hours or days,” he said. In one internal test, Schmitt said his team used AI to generate a complete profile of Sedgwick – including supply chain details – within seven minutes. “Instead of me devoting two or three analysts, two weeks or three weeks to do the research, we turned it over to an AI.”
He also raised concern over threat actors using compromised insurance data to estimate a company’s ransom potential. “Now these threat actors know I can go after Company X and potentially they’d be able to tap their insurance,” he said. “Which is a much larger number than I may be able to sort them for directly.”
Exclusions and controls are reshaping coverage
With cyber claims rising and high-profile attacks drawing scrutiny, insurers are tightening their terms – and companies are feeling the pressure. “We just went through our cyber liability renewal a few weeks ago… the war exclusions were a far larger conversation than they’ve been in the past,” Schmitt said. He pointed to NotPetya as a turning point – what was once seen as a nation-state incident now influences how syndicates write exclusions today.
“Kinetic warfare” is no longer the benchmark. Instead, broader digital conflict is being excluded, leaving companies exposed in incidents with geopolitical undertones. “The cyber policy war exclusions are now taking a much broader brush than what they have in the past,” he said.
That’s forcing companies to rethink their risk strategy. For boards weighing preventive controls versus insurance coverage, the exclusions are beginning to tip the scales. “Even though you’re paying for millions of dollars in coverage, if you fail to meet the basic controls that the cyber insurers are asking you to attest to… your coverage is not going to hold,” Schmitt said.
Rather than replace security investment, insurance is now driving it. “Cyber liability insurers are actually setting baseline controls across multiple industries that are not necessarily regulated,” he said.
Cyber is now a boardroom conversation
As boards elevate cybersecurity from a back-office concern to a core operational risk, Schmitt has seen significant changes in engagement. “The board is truly embracing cyber as a business risk, not just a technical risk,” he said.
That shift is visible in everything from meeting frequency to reporting protocols. “Instead of an annual report, it’s now quarterly,” Schmitt said. “Incident response plans now must include board-level engagement… it’s now the whole organization.”
Metrics once siloed in technical dashboards are making their way into enterprise risk frameworks. “You’re also seeing a much deeper interest by board members in the cyber metrics,” he said.
With attackers adapting faster than many organizations can respond, and insurance no longer a catch-all safety net, cyber resilience now requires active governance, strong controls, and better visibility across the value chain.