Some of the world’s largest firms are leaving critical security weaknesses unaddressed for months, a new KYND study finds, highlighting potential consequences for insurers assessing cyber risk exposure.
The analysis examined more than 2,000 organisations, including members of the FTSE 350 and the S&P 500, and found that 11% were exposed to vulnerabilities actively exploited by attackers.
Alarmingly, 88% of those exposed remained unpatched for six months or longer. Actively exploited cyber risks refer to weaknesses that threat actors are currently leveraging in real-world attacks.
KYND’s cyber analysts identified risks across a broad range of critical infrastructure and enterprise software. Exposures were found in web applications and widely used platforms such as Oracle, WordPress and Apache, as well as networking hardware and secure communication protocols essential to business operations. The findings highlight widespread delays in essential maintenance and an ongoing gap between detecting vulnerabilities and addressing them.
The study is particularly relevant for InsurTech firms and cyber insurers, who increasingly factor remediation speed into pricing and risk models. KYND Founder and CEO Andy Thomas said, “A company’s approach to patching tells you a lot about its approach to risk. As demand for cyber coverage continues to grow, cyber insurers are increasingly recognising that it’s not just the number of vulnerabilities that matters, but how quickly critical vulnerabilities are addressed. When exposure lasts for months, it’s rarely a one-off. It’s a behavioural signal that an organisation struggles with remediation in general. Across a portfolio, the same slow-to-fix firms remain persistently vulnerable, exposures stack up over time, and an insurer’s true risk can look very different from a point-in-time snapshot.”
The analysis focused exclusively on vulnerabilities known to be actively exploited, meaning organisations leaving these risks unaddressed are potentially inviting major breaches rather than managing minor issues. The most common vulnerability type was remote code execution (RCE), accounting for 31% of the top risks. RCE flaws allow an attacker to run code of their choosing on a target system over the network, with no physical access and, in the worst cases, no valid credentials.
Recent incidents underscore the scale of this threat. In October 2025, a critical Microsoft Windows Server Update Services flaw (CVE-2025-59287) was exploited, enabling attackers to take full control of unpatched servers. Thomas added, “The Microsoft Windows Server incident prompted emergency updates from Microsoft and urgent advisories from CISA, highlighting how quickly threat actors can move when known weaknesses remain unaddressed. Such vulnerabilities can be exploited to steal data, deploy malware, or disrupt operations, turning preventable flaws into serious business risks.”
Copyright © 2026 FinTech Global