Third-party vendor and supply chain cyberattacks now account for 30% of all cyber insurance claims in 2025, surpassing direct ransomware as the most common cause of insured cyber losses according to recent claims data analysis. The shift reflects attackers' recognition that it's often easier to compromise a business through its vendors—particularly small vendors with weaker security—than to attack the target directly.
For businesses relying on cloud services, payment processors, HR platforms, and other third-party vendors (which is virtually every business), supply chain cyber risk creates exposure that traditional cybersecurity controls can't eliminate. Even businesses with excellent internal security face significant claims when vendors experience breaches that expose customer data, disrupt operations, or enable network intrusions.
The Supply Chain Attack Pattern
How Attacks Work
Traditional cyberattack: Attacker targets your business directly
- Phishing your employees
- Exploiting vulnerabilities in your systems
- Installing ransomware on your network
Supply chain attack: Attacker targets your vendor, then pivots to you
- Compromise small vendor with weak security
- Use vendor's access to your systems/data
- Exploit trust relationship to bypass your security
- Extract data or deploy ransomware via "trusted" vendor connection
Why it works: Your security controls focus on untrusted external traffic, while connections from trusted vendors are often exempt from the same scrutiny
Notable 2024-2025 Supply Chain Breaches
SolarWinds (ongoing impact):
- Software vendor compromised
- Malicious updates pushed to 18,000 customers
- Estimated cost: $10+ billion across all victims
- Cyber insurance claims: $500M+ and rising
Change Healthcare breach (February 2024):
- Healthcare payment processor compromised
- Impacted 100+ million patients
- Disrupted claims processing for months
- Estimated cyber insurance claims: $2.2 billion
MOVEit vulnerability (mid-2024):
- File transfer software exploited
- 2,000+ organizations breached via vendor
- Cyber insurance payouts: $850M+
Coverage Implications
What Cyber Insurance Covers
Direct costs:
- Breach notification expenses
- Credit monitoring for affected individuals
- Forensic investigation
- Legal fees
- Regulatory fines
Contingent business interruption:
- Income loss when vendor breach disrupts your operations
- Extra expenses to maintain operations
- Critical: Only if policy includes contingent BI coverage
Third-party liability:
- Lawsuits from customers whose data was exposed via vendor breach
- Regulatory penalties for inadequate vendor oversight
Coverage Gaps to Watch
Vendor security requirements:
- Many policies now require minimum vendor security standards
- Failure to assess vendor security can void coverage
- Document vendor security reviews
Notification of vendor access:
- Must disclose all vendors with systems/data access during underwriting
- Undisclosed vendors may not be covered
Contractual liability:
- If vendor contract shifts liability to you, ensure policy covers contractual obligations
Vendor Risk Assessment Requirements
Insurers increasingly require documented third-party risk management:
Minimum Requirements
- Vendor inventory: List all vendors with system access or data exposure
- Security assessments: Annual security reviews for critical vendors
- Vendor contracts: Must include security requirements and breach notification obligations
- Access controls: Limit vendor access to minimum necessary
- Monitoring: Log and review vendor access activity
Failure to comply: Premium surcharges of 15-35% or coverage exclusions
Key Takeaways
Supply chain attacks are now the top threat: 30% of claims and growing.
You're liable for vendor failures: Customer data exposed by vendors creates legal liability for your business.
Insurance coverage varies: Ensure your cyber policy includes contingent BI and third-party vendor coverage.
Vendor assessment is mandatory: Insurers require documented vendor security reviews; they are not optional.
Contract protection matters: Vendor contracts should require minimum security standards and insurance.
Small vendors are highest risk: They lack resources for strong security but have access to your data.
Supply chain cyber risk is the new frontier of business liability. Managing third-party risk requires formal vendor assessment programs, contractual protections, and cyber insurance that covers vendor-related losses. Businesses that treat vendor cybersecurity as their own cybersecurity will avoid the costly claims that are becoming increasingly common.
Concerned about vendor cyber risk? Assessing third-party cybersecurity, implementing vendor management programs, and securing appropriate insurance coverage requires specialized expertise. Work with cyber insurance professionals who understand supply chain risk and can help protect your business from vendors' security failures.
Sources: Allianz Cyber Risk Trends 2025, Coalition Cyber Claims Report, Munich Re Cyber Insurance Study, Verizon Data Breach Investigations Report 2025
