Insuring the supply chain: Why vendor risk matters

LS

Lee Stauss

Vice President of Cyber Risk Engineering

Your business depends on vendors you don't fully control. Every connection point to an external partner is a connection point to their security posture.

A breach at your vendor becomes your breach. An outage at their data center becomes your downtime. The vendors you trust can amplify your risk far beyond what you can manage alone.

Vendor risk is not a theoretical problem. It has upended enterprises and disrupted industries. Yet many organizations still treat vendor security as a one-time checkbox instead of an ongoing operational concern. The gap between what vendors can access and what businesses actually monitor is widening. That gap is where problems live.

The real cost of vendor incidents

A vendor breach typically manifests in four ways. First, loss of access. If your vendor's platform goes down or is locked by an attacker, you cannot operate. You cannot process transactions, fulfill orders, or serve customers until they restore service. This creates hard-dollar downtime costs and can break customer commitments.

Second, data exposure. Vendors often hold sensitive customer information, financial records, or intellectual property. They may also hold credentials or API keys that grant access to your internal systems. When vendors are compromised, that data spills. You face notification costs, regulatory fines, and reputational damage.

Third, business interruption. Many vendors integrate deeply into your operations. Payment processors, communication platforms, and identity systems have no straightforward replacement. If a vendor goes down or is compromised, workarounds are expensive and incomplete.

Fourth, liability and contract disputes. When a vendor fails, customers may sue you, not the vendor. Your contracts with customers do not name the vendor as a party. You absorb the liability. Your vendor contract may disclaim responsibility or cap damages at a token amount, leaving you unprotected.

Supply chain attacks are not theoretical

SolarWinds was a watershed moment. In 2020, attackers compromised SolarWinds' Orion software update mechanism and delivered malware to roughly 18,000 organizations. Those organizations did not choose to trust the attacker. They trusted SolarWinds. The vendor trust became a supply chain weapon. The incident exposed Fortune 500 companies, government agencies, and critical infrastructure. No amount of internal security prevented it.

Kaseya faced a similar incident in July 2021. Attackers compromised Kaseya's remote management software, using it to distribute ransomware to over 1,500 managed service providers and their downstream customers. The attack rippled through MSPs to small and mid-size businesses. Victim organizations had no visibility into the supply chain when they wrote their security requirements.

MOVEit Transfer became a focal point in 2023 and 2024. Progress Software's file transfer application contained a critical vulnerability. Attackers exploited it to gain access to organizations using MOVEit for sensitive file exchange. Insurance companies, universities, government agencies, and healthcare providers were exposed. MOVEit is widely embedded in enterprise workflows, making replacement difficult.

These incidents share a pattern. Trusted vendors become attack vectors. Organizations had security policies in place. Those policies did not prevent the incidents because the breach originated outside the organization's direct control.

Smaller businesses face even higher risk. Enterprise organizations often have dedicated vendor security teams, contractual leverage, and audit rights. Small and mid-size companies typically do not. They may not ask security questions at all. A compromised vendor is often their first real incident.

Modern business relies on a growing web of vendors, where trust and risk are increasingly intertwined.

Top 5 vendor risk steps

1.    Addressing vendor risk requires structured action. Start with inventory. List every vendor that touches sensitive data or critical systems. Categorize them by impact: a data center provider ranks higher than an office supply vendor. Critical vendors require active monitoring. Non-critical vendors require baseline hygiene. Inventory gaps create blind spots where incidents hide.

2.    Know what data vendors can reach. Document which systems vendors can access and what information they can view or modify. This clarity enables faster incident response. When you detect suspicious activity, you can assess whether it affects vendor systems or internal systems. Many breach investigations are prolonged because organizations discover mid-incident that they do not know what vendors can access.

3.    Limit vendor access. Many organizations grant vendors overly broad permissions out of convenience. Admin access is a common request. Blanket access to production data is standard. These permissions should be questioned. Multi-factor authentication is non-negotiable for any vendor with elevated access. If a vendor account is compromised, MFA is the barrier between incident and breach.

4.    Add baseline security expectations to contracts. Require vendors to notify you of material security incidents within a defined timeframe, typically 24 to 72 hours. Specify minimum standards: encryption in transit and at rest, access controls, incident response procedures. Define data handling for your information after contract termination. These clauses create accountability and establish baseline expectations.

5.    Maintain independent backups. Vendors control their infrastructure and their uptime. You cannot control vendor security or vendor operations. If a vendor suffers ransomware, they may shut down systems for recovery. If their recovery fails, your data could be lost. Independent backups protected from vendor access provide recovery optionality. Ransomware attackers cannot encrypt backup data held outside the vendor's infrastructure.

The insurance connection

Cyber insurance applies to third-party incidents. Most policies cover losses from vendor breaches and vendor outages, though terms vary significantly. Coverage typically includes business interruption, data breach notification costs, forensic investigation, and liability defense. Some policies offer incident response retainers so you have immediate expert help when a vendor incident occurs.

However, insurers increasingly condition coverage on vendor risk management. If you cannot demonstrate that you monitor vendors, limit their access, or maintain backups, an insurer may deny a claim or charge higher premiums. Vendor risk management is becoming a requirement, not a nice-to-have. It affects both your security posture and your insurability.

A strong vendor risk program demonstrates to insurers that you understand your exposure and manage it actively. This creates negotiating power. You may qualify for better coverage or lower premiums. When a vendor incident occurs, documented practices and demonstrated controls help substantiate a claim.

Vendor risk is business continuity risk

Vendor risk is not a security problem you can isolate. It is a business continuity problem. Your vendors control access to critical capabilities and sensitive information. Their failure is your failure. Their compromise is your compromise.

The organizations that survive vendor incidents are those that treated vendor risk before the incident occurred. They maintained inventory. They limited access. They kept backups. They knew what their vendors could do. When an incident hit, they responded faster and recovered better.

Vendor risk management is not a compliance checkbox. It is operational discipline. Treat it like you treat any other critical business function.

Ask your insurance carrier about exclusive resources available to you to mitigate vendor risk.

Products

Cyber solutions

Our Cyber teams help businesses stay ahead of the risks tied to modern digital operations, including vendor and supply chain exposures. Learn more about our underwriting expertise and practical, hands-on support.