This article examines the cyber security risks facing Lloyd's market participants, including syndicates, managing agents, brokers and coverholders, from their extended and often overlapping digital supply chains, and suggests a collaborative way forward.
For more than 300 years, the Lloyd’s market has used its collective expertise to protect people and businesses around the world from the variety of risks they face. In today’s world of heightened geopolitical and cyber security threats, the Lloyd’s ecosystem itself is increasingly at risk - not least from cyber attacks against its extensive digital supply chains.
The network of syndicates, managing agents, brokers, coverholders, members (“Names”) and insurance buyers that make up the Lloyd’s insurance market, along with all their suppliers and service providers, creates a vast digital supply chain ecosystem. This ecosystem as a whole presents a large attack surface that threat actors are increasingly exploiting.
In this article, we outline the scale of the challenge facing participants in the Lloyd’s ecosystem, the importance of third-party risk management, and how to overcome its shortcomings through collective action within syndicates - between managing agents, coverholders, brokers and their suppliers.
Specifically, you will learn about:
In its annual Allianz Risk Barometer 2024, Allianz confirmed that “cyber incidents such as ransomware attacks, data breaches, and IT disruptions, rank as the top global risk in the Allianz Risk Barometer – and by a clear margin for the first time.” And according to the European Union Agency for Cybersecurity (ENISA), supply chain attacks are fast becoming the number-one cyber security risk facing organisations today.
One of the main reasons for this is the increasing scale and complexity of modern supply chain networks – thanks to rapid digitalisation and outsourcing. Organisations can now connect easily with suppliers or clients anywhere in the world, creating vast webs of interconnected organisations.
Meanwhile, each third-party supplier or partner connected to a business will in turn have its own network of suppliers and connections, vastly increasing the scale of the problem.
A cyber security breach at any one of the companies in an organisation’s extended supply chain ecosystem could compromise the security of any connected organisation, potentially enabling criminals to gain access to confidential information and personal data, or even to internal IT systems.
Supply chains are a weak link for cyber security because organisations cannot easily control or monitor the security measures taken by the vendors, service providers and other external partners they work with. That means the safety and resilience of a company’s own data and systems now also rely on the security standards of every organisation in its supply chain – so its security is only as strong as the weakest link in that vast chain.
Geopolitical uncertainty and increasing digitalisation mean that many large organisations have significantly strengthened their security in recent years, so cyber criminals have had to find new ways to attack. Recognising this, cyber criminals are increasingly targeting weak supply chain links to infiltrate large organisations. Vulnerable supply chains give them a way in.
Pointing to the particular exposure facing the Lloyd’s ecosystem, in its Whole Insurance Market Priorities letter from September 2023, the Financial Conduct Authority (FCA) noted: “As the London market holds a great amount of information on sensitive risks in the UK, data losses could pose substantial harm to wider society.”
As already stated, the complex web of relationships between brokers, syndicates, managing agents and coverholders, each with their own suppliers and service providers, makes for an extensive matrix of digitally connected entities, and thus cyber vulnerabilities.
As of mid-2024, Lloyd’s had 77 syndicates, more than 380 brokers, and 3,434 coverholder locations. All of these participants are vital to the Lloyd’s insurance market, and many of them handle confidential or sensitive data.
Each of these entities, or collections of entities, has its own exposure to supply chain attacks, but they also have a combined exposure, given their interconnected nature.
As well as market participants, Lloyd’s itself has a large number of critical suppliers. Some of the most critical, for example, include providers of central technology and business process services for the Lloyd’s market, Operations & Strategic Sourcing agents that provide shared services to the London insurance market as well as electronic placement services.
Some service providers are deeply integrated into the Lloyd’s market, including the Lloyd’s Corporation itself, which provides market infrastructure and oversight for all participants. There are also the underwriting platforms used by syndicates and managing agents for risk assessment and pricing, broker management systems, reinsurance platforms and risk modelling tools.
Other critical suppliers offer core operational services, such as data centres and cloud computing services, telecommunications, cyber security services, payment processing systems and document management systems.
A cyber attack or operational failure affecting any of these critical suppliers or service providers could significantly disrupt the functioning of the market, potentially impacting policy issuance, claims processing and overall market stability, and putting both internal and client data at risk. From the vantage point of insurers, it could also impact insurance buyers and thus result in unforeseeable increases in claims.
The deeply integrated nature of many of these services and suppliers means that they cannot easily be replaced if they were to be compromised by a cyber attack. This highlights the vital importance of robust third-party risk management (TPRM) not only throughout the Lloyd’s marketplace, but also for insurance buyers.
In summary, the unique and complex structure of the Lloyd’s marketplace means it faces some significant supply chain risks:
Managing the risks associated with third parties and wider supply chains has thus become increasingly important in recent years. Faced with the new and emerging risks highlighted above, government and industry bodies have introduced a raft of new regulations to ensure that organisations take appropriate steps to minimise supply chain risks.
Some of the regulations and laws that Lloyd’s market participants must now comply with include:
In addition, participants must comply with new rules associated with the Appointed Representative (AR) regime, anti-money laundering requirements, the Bribery Act, third-party oversight requirements and various other rules that have a bearing on cyber security and supply chain risk management.
It’s clear that Lloyd’s market participants as well as policyholders are now expected to have comprehensive third-party risk management processes in place, to ensure cyber security, financial crime prevention and regulatory compliance.
Lloyd’s itself has already taken significant steps to address the growing problem of supply chain cyber security risks. It has hosted events like the Cyber Risk Summit, Cyber Attack Simulation and Cyber Innovation Forum to bring together stakeholders and discuss solutions to cyber threats.
Through Project Rio, it is also trying to bolster the operational resilience of the whole Lloyd’s ecosystem, by setting out clear principles for performance, solvency and most importantly for the subject of this article, operations. It has also introduced a Cyber Market Management Strategy, which is a three-year plan to strengthen oversight of cyber risk while supporting syndicates’ risk appetites – using oversight to support those who show good capability in cyber risk management. Lloyd’s is also conducting cross-functional evaluations of cyber capability across multiple disciplines, similar to the way it assesses natural catastrophe capability.
These efforts go in the right direction and demonstrate that Lloyd’s is taking the scale of the challenge seriously. But third-party risk management programmes today, based as they still are on individual one-to-one supplier assurance efforts, simply cannot be made to work at scale, are not sufficiently mitigating the risks, and cannot satisfactorily demonstrate compliance with the various supply chain security-related regulations.
A new and more collaborative approach is needed to achieve greater synergies, efficiencies and burden sharing, as well as a more holistic approach to hardening the security of our digital supply chains.
To help businesses today tackle the burgeoning challenges of supply chain cyber security, Risk Ledger has developed a new approach to third-party risk management. We are building a network of connected organisations for different industries all working together with peers and their suppliers to detect, respond and ultimately prevent cyber attacks, continuously and in real-time. It’s a collaborative approach that could provide solutions to many of the supply chain security issues facing the Lloyd’s insurance market.
A necessary first step to improve supply chain security is to gain greater visibility of risks in the extended supply chain network, beyond just immediate third-parties. Risk Ledger is an online platform that enables organisations and suppliers to work together to build up a comprehensive overview of their entire supply chain ecosystem. It works like a social network. Each supplier creates a profile containing information about their business, security controls and other relevant risk areas, and then shares this with their connected clients and partners.
Because organisations often use Risk Ledger in both capacities, i.e. as a supplier wanting to showcase its security to its clients and as a client wanting to assure its own third parties, this creates a comprehensive map of supply chain connections that reveals 4th, 5th and nth party connections and uncovers hidden concentration risks.
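As an added illustration (not Risk Ledger's code or data model), the example below shows how merging each organisation's declared direct suppliers into one graph exposes 4th and nth party tiers, and flags suppliers that several market participants depend on without listing them directly. All organisation names, function names and relationships are hypothetical and constructed for this example.

```python
from collections import deque

# Constructed sample: each organisation's self-declared direct suppliers.
# All names are hypothetical placeholders, not real market participants.
DECLARED = {
    "ManagingAgentA": ["BrokerPlatformX", "CloudHostY"],
    "BrokerB": ["BrokerPlatformX", "DocMgmtZ"],
    "CoverholderC": ["DocMgmtZ"],
    "BrokerPlatformX": ["CloudHostY", "PaymentsP"],
    "DocMgmtZ": ["CloudHostY"],
    "CloudHostY": ["DataCentreD"],
    "DataCentreD": ["TelecomT"],
    "TelecomT": ["CloudHostY"],  # circular dependency, must not loop forever
}

def party_tiers(graph, org):
    """Map every reachable supplier to its tier: 3 = direct, 4 = 4th party, ..."""
    tiers, queue = {}, deque([(org, 2)])
    seen = {org}
    while queue:
        node, tier = queue.popleft()
        for supplier in graph.get(node, []):
            if supplier not in seen:  # BFS: first visit is the shortest path
                seen.add(supplier)
                tiers[supplier] = tier + 1
                queue.append((supplier, tier + 1))
    return tiers

def concentration(graph, participants, min_dependants=2):
    """Suppliers that several participants depend on, directly or indirectly."""
    report = {}
    for org in participants:
        for supplier, tier in party_tiers(graph, org).items():
            report.setdefault(supplier, {})[org] = tier
    return {s: deps for s, deps in report.items() if len(deps) >= min_dependants}

def hidden_concentration(graph, participants, min_dependants=2):
    """Concentration points at least one dependant cannot see as a direct supplier."""
    shared = concentration(graph, participants, min_dependants)
    return sorted(s for s, deps in shared.items() if any(t > 3 for t in deps.values()))

if __name__ == "__main__":
    market = ["ManagingAgentA", "BrokerB", "CoverholderC"]
    for supplier, deps in sorted(concentration(DECLARED, market).items()):
        print(supplier, deps)
    print("hidden:", hidden_concentration(DECLARED, market))
```

In this constructed data, CloudHostY is a direct supplier only to ManagingAgentA, yet all three participants depend on it, which is the kind of shared exposure that one-to-one supplier assessments do not surface.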
Organisations can also collaborate directly on the platform, not only with their suppliers but also with select peers of their choosing, sharing the burden of assessing, reviewing and grading the criticality of suppliers, and working together on risk mitigation, incident response and even reporting.
In the context of syndicates, for example, managing agents might want to have greater visibility into the risks facing participating coverholders, brokers, members (“Names”) and potentially even insurance buyers, to better assess overall risks facing the syndicate as a whole. They might also want to collaborate with coverholders and brokers on their respective supply chain cyber due diligence efforts, and create integrated reporting solutions, as well as harmonise their respective TPRM strategies and classification of suppliers - all of which would go a long way to not only reduce time and resource burdens, but also harden their collective and often overlapping supply chains.
Risk Ledger is already helping peer groups in various industries, as well as large federated organisations and group structures, to collaboratively identify risks, strengthen their supply chains and pinpoint systemic risks that they could not identify alone. We are working today with Police Forces, ISfL (Information Security for London), FS-ISAC (Financial Services Information Sharing and Analysis Center), UK water companies, local councils and large government departments and their arm's-length bodies to do just that.
The Lloyd’s insurance marketplace faces an unprecedented challenge in tackling the risks associated with its unique structure, its closely integrated network of participants and complex network of suppliers and service providers. Understanding the potential vulnerabilities anywhere in this network is a crucial first step in mitigating the risks, and requires collaboration and data sharing among all participants within individual syndicates.
Risk Ledger offers a powerful platform to enable this essential collaboration and risk monitoring across the vast digital supply chains in the Lloyd’s marketplace.
If you are a managing agent, coverholder, or broker in the Lloyd’s marketplace, please get in touch for an informal discussion about how Risk Ledger can help you address today’s supply chain risks effectively and efficiently.