Holistic solutions are key to addressing growing multinational cyber threat

Multinational companies have made huge progress in building cyber resilience in recent years, and yet data breaches continued at near historic levels in 2024. Last year, US cyber crime increased by 33% to a record $16 billion, according to the FBI.

Over the past 18 months, supply chain attacks have emerged as the critical vulnerability for multinational companies. In the first half of 2025, 79 supply chain attacks were reported, affecting 690 entities and compromising the data of 78 million individuals. Earlier this year, UK retailer Marks & Spencer suffered a £300m hit after criminals gained access to its systems via a third party, taking its online sales platform offline for months. An attack on US aviation software provider Collins Aerospace in September which reportedly caused flight delays and disruption at several major European airports.

Achilles heel

The impacts of such attacks are not confined to the target company. A cyber attack or technical glitch at a critical customer, supplier, outsourcing service provider and/or a software provider can ripple through the value chain, affecting each company’s ability to produce products and/or take delivery of goods and services from suppliers. This effect was particularly evident when a cyber attack shut down production at UK luxury car manufacturer JLR in August, affecting over 5,000 suppliers and resulting in total estimated losses of £1.9 billion, according to the Cyber Monitoring Centre.

While many corporations now have relatively good oversight and control of their own cyber risks, there are significant challenges when it comes to understanding those of their customers and suppliers, both physical and digital. These challenges are amplified for multinational companies. More than half (54%) of large organizations cite supply chain challenges as the biggest barrier to cyber resilience, driven by complexity and lack of visibility into suppliers' security and interdependencies.

Holistic approach

Increasingly companies recognize that managing cyber risk requires a holistic approach across the entire value chain. Unlike most other risks, cyber does not respect organizational or geographic borders. It is highly interconnected and can touch on almost all aspects of a company’s operations and those of its suppliers. At the same time, the ability to identify, quantify and manage cyber risk, as well as respond quickly to a cyber incident, is reliant on effective collaboration and good communication.

This is where risk managers can play a vital role. They are ideally positioned to bring stakeholders together and facilitate the exchange of views, as well as support critical exercises, such as cyber risk assessments and risk quantification – including for third party suppliers as well as risk mitigation strategies. The ability to form a single, consolidated view of cyber exposures globally, across subsidiaries and the supply chain is key. Yet, just 12% of risk managers are responsible for cyber risk mapping, and under half (43%) are involved in their organization’s IT security committee, according to the 2024 FERMA Global Risk Manager Survey.

Multinational framework

In today’s digitally connected world, cyber threats can affect every part of a global organization at once. With regulatory requirements varying widely across countries, structuring coverage locally can leave organizations exposed to gaps, overlaps, or inconsistent protection. A multinational cyber insurance program ensures businesses can benefit from a single, coordinated strategy and crisis response.

Zurich claims analysis has shown that around 30% of cyber claims over the past five years are multinational, and in 63% of those cases the insured experienced a loss in a location outside their home market.

Multinational cyber insurance programs can provide an excellent framework in which to assess cyber risk and coordinate effective protection and incident response across jurisdictions. When structuring a multinational cyber insurance program, we help clients navigate complex compliance challenges and align global and local interests, reduce administrative complexity and provide the customer peace of mind. Structuring a program can also promote a much deeper understanding of an organization’s cyber risk – it requires the mapping and assessment of all the insureds global entities, their relationship to personal or sensitive data, and dependencies on critical IT or operational services.

Consistent, reliable and coordinated protection

A well-designed multinational program will ensure coverage is adequate by aligning limits and retentions with actual exposure per country or region and avoiding coverage gaps. In addition, a global master policy can provide protection where a local policy is insufficient or doesn’t respond. In short, a multinational program can provide more consistent and broader coverage with higher limits than would otherwise be the case under local policies alone.

A multinational cyber insurance program also means a more co-ordinated approach to risk engineering, underwriting and claims, which should minimize the impact of a cyber incident and get an insured back to business as soon as possible. A well prepared and tested global plan – developed with support from the insurer - will help drive common crisis management and incident response that takes into account local regulations, expertise and experience, along with support from head office and specialist third-party services. Local claims support and specialist services can help minimize business interruption losses and avoid potential violation of local data breach laws.

Global partner

Despite improvements in cyber resilience, multinational companies continue to face challenging risks from cyber, not least from their growing reliance on third party service providers and digital technology. And it is not just about malicious attacks. In October, an outage at cloud service provider AWS affected thousands of companies, including major banks, retailers and service providers. The outage was one of the largest since a faulty update to CrowdStrike software caused widespread disruption, affecting an estimated eight million Windows users globally.

Faced with a growing cyber threat, multinational companies need to adopt a holistic approach to cyber that extends to the entire value chain. How companies assess, prepare, mitigate and respond is critical to the impact a cyber incident can have on a business.

Originally published on Commercial Risk on November 25, 2025.