The Challenge
The group operates across multiple Lloyd's syndicates and employs underwriters, claims professionals, actuarial staff, and a significant support function. The IT infrastructure is a patchwork of proprietary systems, market-standard platforms, and third-party service providers that have accumulated over two decades of acquisitions and platform migrations.
The incident originated outside the group's direct perimeter. A technology provider supplying claims processing software to the group, and to a number of other Lloyd's market participants, was compromised in a supply chain attack. The attacker had embedded malicious code in a routine software update. The update was deployed automatically by the provider's clients, including this group, before the compromise was detected and the update was pulled.
The group's IT security team identified the affected systems within six hours of the provider's notification. No client data was confirmed as exfiltrated. The malicious component had not reached the data tier before detection. The incident was classified as a near-miss rather than a breach.
The near-miss classification meant no regulatory notification obligation was triggered. It also meant there was no external pressure to treat the incident as a significant learning event. The natural institutional tendency was to note that the security team had responded well, the damage was limited, and the provider had remediated quickly.
The group's Chief Risk Officer pushed back on that framing. The near-miss outcome was not a reflection of the group's security posture. It was a reflection of how far the attacker had progressed before detection. A more patient or sophisticated attacker might have reached the data tier. The relevant question was not whether the group had been lucky but whether staff across the business understood the nature of supply chain attacks and could identify the warning signs in their day-to-day interactions with third-party systems and suppliers.
A threat recognition assessment run by the group's security team before the LimitedView engagement began found that 67% of staff involved in third-party procurement, contract management, or operational use of third-party platforms could not identify the key indicators of a supply chain attack scenario when presented in a structured assessment. The assessment was not designed to be punitive — staff were not expected to be security specialists — but the results indicated a significant gap between the threat environment the group operated in and the working knowledge of the staff who interacted with that environment daily.
The Approach
LimitedView structured the engagement around two distinct staff populations that had different risk profiles and different knowledge gaps.
The first population was the 140 staff involved in procurement, vendor management, and technology governance. These were the people who reviewed supplier contracts, approved software deployments, and managed the third-party relationships through which a supply chain attack would typically propagate. Their gap was less about technical recognition and more about the process indicators: what due diligence questions to ask, what contract clauses mattered, what behavioural warning signs preceded a supplier compromise.
The second population was the broader operational staff — underwriters, claims handlers, and support functions — who used third-party systems daily but had no formal role in managing the relationships. Their gap was recognition: what a compromised system might look like in use, what anomalous behaviour in a familiar platform should trigger a report, and who to report it to.
The first triggered module was delivered to both populations within forty-four hours of the incident being classified. It was built specifically around the supply chain attack vector: the software update delivery mechanism, the indicators that the group's IT team had used to detect the affected component, and the timeline from initial compromise to detection.
The module for the procurement population included a scenario-based exercise modelled on the due diligence process that would apply to a new software provider. Participants were asked to identify which questions in a fictional procurement checklist were relevant to supply chain security and which were missing.
The module for the operational population focused on platform anomaly recognition: visual changes in familiar interfaces, unexpected permission requests, unusual data transfer prompts, and the internal reporting pathway.
Both modules were delivered through the group's existing LMS. Completion was strongly encouraged through line manager communication but not made mandatory, preserving the voluntary engagement signal.
Over the following four months, LimitedView delivered three further triggered modules as the group's security team refined its third-party risk posture. One was triggered by a further supplier security notification (a different provider, a minor vulnerability, no exploitation). Two were triggered by Lloyd's Market Association bulletins highlighting supply chain attack patterns circulating in the sector.
The group also used the engagement to rebuild its third-party security assessment questionnaire. The new questionnaire incorporated the specific questions that had been identified as missing in the scenario-based procurement exercise.
The Results
Threat recognition was re-measured at the three-month and five-month marks, using the same structured assessment administered before the engagement began.
At three months, the proportion of procurement and vendor management staff who could correctly identify supply chain attack indicators in the assessment scenario had risen from 33% to 61%. At five months, it reached 74%.
For operational staff, the recognition score improved from 29% at baseline to 58% at five months. The group's security team set an internal target of 60% as the threshold for acceptable sector coverage. That target was reached in the fifth month.
The overall improvement across both populations combined was 41 percentage points: from 31% at baseline to 72% at five months.
The group also tracked voluntary reporting of third-party anomalies in the five months following the programme launch. Reports submitted through the internal security channel increased from an average of three per month in the prior year to eleven per month in the intervention period. The security team assessed the quality of reports as significantly improved: reports were more specific, included more operational detail, and were easier to triage.
The third-party security assessment questionnaire, rebuilt using the insights from the procurement exercise, was deployed to forty-three active suppliers in the four months following the engagement. Seven suppliers returned assessments that prompted further due diligence. One supplier relationship was terminated following the due diligence review.
What Changed
The Chief Risk Officer described the most tangible shift as the reconnection between the group's formal risk register and the working knowledge of the people whose behaviour actually determined the risk. The supply chain risk had been on the register for three years. The staff managing supplier relationships had not been equipped to act on it in practice. The triggered training closed that gap in a way that periodic risk register reviews had not.
The procurement team's response to the scenario-based exercise was the moment the engagement team noted most clearly. Staff working on vendor management found the exercise credible and immediately applicable. One participant noted that the missing questions in the fictional checklist were questions she had not thought to ask in an actual procurement process the previous month. That connection — between the training scenario and a real recent event — was precisely the mechanism the model was designed to create.
The group's security team also noted a secondary benefit that had not been planned for. The supply chain attack had created some tension between the IT security function and the procurement team, who felt the incident had originated in a process area they managed. The triggered training, by framing the response as a shared learning exercise rather than a post-incident attribution exercise, helped rebuild the working relationship between the two functions. Both teams had completed the same content, understood the same threat model, and had the same frame of reference for future conversations about supplier risk.


