Vendor-related risks, whether from technology suppliers or non-technology partners, have always been a concern and often drive a large number of cyber insurance claims notifications. Vendor risks have traditionally come in the form of data breaches, but increasingly, ransomware attacks and outages are driving more severe first-party losses.
Supply-chain attacks are not the only risk involving vendors. Vendor risk also shows up in outages of critical technology suppliers resulting from non-malicious system failures.
For example, a 2024 ransomware attack on software supplier CDK Global disrupted thousands of automotive businesses, costing them an estimated $1 billion, with $25 million going to the attacker. A similar attack on Change Healthcare led to billing delays for thousands of hospitals and physician practices. Also in 2024, a software update error by CrowdStrike led to widespread system outages estimated to cost insurers between $300 million and $1 billion. With the increased adoption of cloud applications for critical business operations, there is more interconnectedness and potentially more fragility in the technology ecosystem.
Each of these incidents originated with third-party vendors, but the resulting disruptions generated first-party expenses for their customers.
Mitigating Third-Party Risks
Mitigating third-party risks is not straightforward, especially when it comes to critical IT providers. For example, if an organization relies on a single IT company for a critical function and there are no manual workarounds, the organization is dependent on the provider recovering before it can restart operations.
How many third-party incidents will need to occur before the trend in outsourcing critical applications to the cloud reverses?
Assess Vulnerabilities
Organizations should assess vendors’ cyber risks through a process that includes understanding the evolving landscape of third-party risk, utilizing vendor risk reports, and integrating vendor risk management into their overall security posture. Vendor risk reports are detailed evaluations of a vendor’s external cybersecurity measures, along with publicly observable risks such as exposed digital assets, misconfigurations or outdated systems.
Identifying vendor-related risks is a first step, whether those risks arise from external malicious threats or inadequate internal processes. Additional actions include addressing security weaknesses, strengthening due diligence, and making informed decisions about vendor partnerships.
Quantify Impact
Business and technology consolidation, including mergers and acquisitions, and increasing reliance on single suppliers for critical platform services have created numerous new points of failure that hackers can exploit. High-profile incidents like Change Healthcare and CDK exemplify how attacks on interconnected systems or vendors can have devastating and long-lasting downstream effects.
Organizations should quantify the operational impact a critical vendor disruption could have. A good way to approach this is to consider the costs of disruptions of various lengths: How much revenue would our organization lose if a vendor disruption lasted 24 hours, three days, or longer?
Prioritize Mitigation Strategies
Knowing the potential impact of a cyber incident involving a critical third party enables organizations to make informed decisions regarding mitigation, especially which strategies to deploy first. It’s prudent to prioritize fixing the biggest cybersecurity problems while keeping in mind less urgent improvements.
Improve Cyber Resilience
Focusing on vendors does not mean organizations should neglect their internal security fundamentals and cyber insurance. Important basics of cybersecurity include resilient data backups stored offline, multifactor authentication (MFA) for critical environments, and regular employee security awareness training to combat phishing.
When cyber incidents strike, they often reveal how deeply interconnected organizations have become, and how quickly a third-party issue can escalate into a first-party crisis. To reduce that risk, organizations need a comprehensive strategy that blends strong internal security with robust vendor oversight, thorough due diligence, and a consistent focus on cybersecurity fundamentals.