Vendor-related risks, from both tech providers and non-tech partners, have always been a concern, but they’re now becoming increasingly apparent in a growing number of cyber insurance claims. While data breaches were once the main concern, we are now seeing more severe first-party losses caused by ransomware attacks and major system outages. These issues are not always the result of a cyberattack, either. Sometimes they come from non-malicious errors, like critical system failures or software glitches from key vendors that still cause significant disruption.[1]
The reality is that no matter how carefully and thoroughly a business manages its third-party relationships, some level of vendor risk is unavoidable. That is why it’s so important for companies to have a solid understanding of their own cyber risk exposure, and that of their partners, so they can plan accordingly, both in terms of continuity and insurance protection.
In the age of digital transformation, most companies are connected to an array of third-party vendors. This is an indispensable part of the modern economy, but it is also a significant source of risk. Vendor-related incidents have, unfortunately, become an occupational hazard: companies have incurred significant first-party losses from both malicious and non-malicious vendor failures.
“The emphasis, then, must be on mitigation rather than prevention.”
In 2024, several high-impact incidents underscored the growing risk exposure tied to third-party technology providers. A ransomware attack on CDK Global, a key software supplier to the automotive sector, halted operations at thousands of dealerships; estimated losses reached $1 billion, including a reported $25 million ransom payment to the attackers. Similarly, an attack on Change Healthcare disrupted billing systems across hospitals and physician practices nationwide. That same year, a flawed software update from CrowdStrike crashed Windows hosts worldwide and triggered widespread outages with no attacker involved at all; estimated insured losses ranged from $300 million to $1 billion.
Though these disruptions stemmed from third-party vendors, the financial and operational fallout landed squarely on their clients, highlighting the critical importance of managing supply chain and technology risks. Safeguarding against third-party risks, particularly those involving critical IT providers, is far from simple. When an organization depends on a single vendor for an essential function and has no manual workaround in place, it cannot resume its own operations until that provider has recovered; its recovery time is, in effect, the vendor’s recovery time.
But given how integral third-party vendors and digital supply chains are to the modern economy, it’s unlikely that the trend of outsourcing critical IT systems will ever go out of fashion.
A critical first step in mitigating risk is to establish robust processes for assessing vendors’ cyber risk:
- First, make use of vendor risk reports, treating this as standard due diligence. Vendor risk reports are detailed evaluations of a vendor’s cybersecurity measures, offering a snapshot of the vendor’s vulnerabilities along with publicly observable risks such as exposed digital assets, misconfigurations, or outdated systems.
- Second, integrate these vendor risk assessments with the company’s risk management platform. This gives boards and IT departments a live dashboard of vendor risk and other security alerts, informing decisions such as vendor selection, cybersecurity investment, and cyber insurance spending.
- Third, make vendor risk assessment a continuous process rather than a one-time check at onboarding. Even a reputable vendor with appropriate controls in place can fail to protect its clients in every instance, so companies should continuously monitor their vendors for risk intelligence.
- Fourth, encourage supply chain members to subscribe to RedXray (https://redskyalliance.com/redxray) and share the results with the buyer of their services. The business can then view the daily cyber threats facing its vendor portfolio on one screen.
Given that some kind of vendor incident is increasingly a matter of when rather than if, businesses should start to view vendor risk as a standard cost of doing business like any other. A key part of this shift in mindset is risk quantification: the ability to assign a clear, monetary value to the cyber risks a company faces.
By putting concrete numbers to potential threats, IT teams and boards gain a more complete understanding of their exposure. This insight helps guide smarter decisions around cybersecurity investments, vendor selection, and insurance coverage that aligns with the company’s specific risk profile and tolerance.
Focusing on mitigating risk from vendors does not mean organizations should neglect their internal security fundamentals. It is more important than ever to maintain resilient data backups stored offline, multi-factor authentication (MFA) for critical environments, and regular employee security awareness training to combat phishing, which remains a leading cause of cyber insurance claims.
Proactive monitoring and effective risk management therefore start with identifying and addressing vulnerabilities before they lead to loss, covering not just the company’s own systems but also the digital environments of the third-party vendors it interfaces with. As we have seen, the distinction between the two is becoming increasingly illusory. Reducing that risk requires a comprehensive strategy that blends strong internal security with robust vendor oversight, thorough due diligence, and a consistent focus on cybersecurity fundamentals.
Digital transformation and the growing reliance on third-party vendors, both of which show no signs of slowing, have fundamentally changed the cyber risk landscape. In today’s highly interconnected world, the traditional approach of trying to prevent every incident, whether malicious or accidental, is no longer realistic. Instead, by taking practical steps and treating third-party risk as a core business risk, companies can meaningfully reduce the impact of disruptions and limit first-party losses.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- REDSHORTS Weekly Cyber Intelligence Briefings: https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cybersecurityintelligence.com/blog/how-to-keep-third-party-events-from-becoming-first-party-losses-8611.html