Cyber risk doesn't stop at the firewall. From cloud platforms and payroll processors to customer support software and data analytics tools, the average organization now relies on a complex ecosystem of third-party vendors. This growing web of digital interdependence has created a new frontier of exposure, one that traditional cyber insurance models are not equipped to handle. It is a new frontier for buyers of cyber insurance too: to date they have been underwritten primarily on a carrier's understanding of their own cyber controls, with little attention paid to the cyber posture of their third-party vendors.
While cyber insurers have made meaningful progress in maturing their underwriting models, supply chain risk remains a persistent blind spot. Despite rising awareness, the industry continues to underestimate the operational and financial exposure introduced by third-party vendors. As the frequency and severity of vendor-related incidents grow, insurers and enterprises alike must rethink how they assess, measure and mitigate this form of connected risk.
Assumptions That Fall Short
The challenge is not a lack of concern. It's a lack of clarity. Many underwriting models today rely on assumptions and heuristics to estimate vendor exposure. For example, some insurers approximate concentration risk by applying vendor market share estimates to their book of business. This approach misses the nuance of actual enterprise dependency. A software vendor with a small market share may be a critical integration partner for dozens of policyholders. Conversely, a widely used vendor might have minimal operational importance in certain segments. Without visibility into these relationships, insurers are flying blind.
Recent incidents have underscored this problem. High-profile breaches traced back to third-party vendors have caught insurers and policyholders off guard, not because those vendors were unknown but because the risk they carried wasn't understood. One example is the breach of CDK Global, a widely used software vendor serving U.S. auto dealerships. The incident triggered cascading disruptions across hundreds of businesses. A ransomware group with Eastern European and Russian ties, identified by security researchers as BlackSuit, claimed responsibility and demanded tens of millions of dollars in ransom.
Despite insuring many affected policyholders, carriers were unaware of the shared dependency or the magnitude of its potential impact. At least eight lawsuits alleging negligence were filed against CDK by dealerships whose operations were affected by the outage. Dealers' financial losses over the first two weeks alone were estimated at approximately $605 million.
The event made plain what a network interruption caused by a third-party vendor's own outage can cost an insured, even when the insured's systems were never touched. Events like the one that affected CDK are not exclusive to technology vendors. Organizations need to consider the risks associated with every type of vendor they work with.
Flawed Inputs, Flawed Outcomes
Why does this keep happening? Part of the problem lies in how enterprises classify and evaluate their own vendors. Traditional procurement processes may assess vendor "fit" and financial stability but often overlook cybersecurity control posture or fail to quantify how critical a vendor truly is to business operations. Even when vendor risk assessments are conducted, they're rarely shared upstream to inform insurers' portfolio-level analysis.
To solve this, the industry needs a new model, one that accounts for both technical controls and operational dependency. A vendor with weak cybersecurity hygiene may not pose significant exposure if they are loosely integrated and easily replaceable. Conversely, a vendor with strong controls may still introduce high systemic risk if their service is deeply embedded into business-critical workflows.
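As an added illustration, not code from the article or from any insurer, the script below scores a small constructed book of policyholders both ways: first with the market-share heuristic criticised under "Assumptions That Fall Short", then with the dual lens described above, where each insured's actual reliance on a vendor is weighted by operational criticality and by the vendor's control posture. The vendor names, policy limits, criticality scores, control ratings, market shares and the weighting formula are all assumptions chosen to make the divergence visible; a real model would draw these from dependency mapping and external ratings.

```python
"""Vendor concentration under two lenses.

Added example, not code from the article or any insurer. Compares the
market-share heuristic with a dependency-mapped view that weights each
insured's actual reliance on a vendor by operational criticality and by the
vendor's control posture. Every figure below is a constructed assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    policyholder: str
    vendor: str
    criticality: float   # assumed scale 0..1: 1.0 = outage halts core operations
    replace_days: int    # assumed days needed to switch to another vendor


# Constructed book of business: policy limits per insured, in dollars.
POLICY_LIMITS = {
    "Dealer-A": 2_000_000, "Dealer-B": 1_000_000, "Dealer-C": 1_500_000,
    "Retail-D": 3_000_000, "Clinic-E": 500_000, "Firm-F": 2_000_000,
}

# Assumed control posture per vendor, 0..1 (1.0 = strong), e.g. an external rating.
VENDOR_CONTROLS = {"DealerSys": 0.4, "CloudMail": 0.9, "NichePay": 0.7}

# Assumed market share, the only input the heuristic model uses.
VENDOR_MARKET_SHARE = {"DealerSys": 0.05, "CloudMail": 0.60, "NichePay": 0.10}

# Constructed dependency map: who actually relies on whom, and how hard.
DEPENDENCIES = [
    Dependency("Dealer-A", "DealerSys", 1.0, 90),
    Dependency("Dealer-B", "DealerSys", 1.0, 90),
    Dependency("Dealer-C", "DealerSys", 0.9, 60),
    Dependency("Dealer-A", "CloudMail", 0.2, 2),
    Dependency("Retail-D", "CloudMail", 0.2, 2),
    Dependency("Clinic-E", "CloudMail", 0.3, 5),
    Dependency("Firm-F", "CloudMail", 0.2, 2),
    Dependency("Retail-D", "NichePay", 0.8, 30),
]


def market_share_exposure(limits, shares):
    """Heuristic: assume each vendor touches `share` of the whole book."""
    total = sum(limits.values())
    return {vendor: total * share for vendor, share in shares.items()}


def mapped_exposure(limits, deps, controls):
    """Dual lens: limit at risk, scaled by how critical the vendor is to that
    insured (operational dependency) and by how weak its controls are."""
    exposure = defaultdict(float)
    for dep in deps:
        weight = dep.criticality * (1.0 - controls[dep.vendor])
        exposure[dep.vendor] += limits[dep.policyholder] * weight
    return dict(exposure)


def rank(exposure):
    """Vendors ordered from largest to smallest modelled exposure."""
    return [v for v, _ in sorted(exposure.items(), key=lambda kv: kv[1], reverse=True)]


def single_points_of_failure(deps, min_criticality=0.8, min_insureds=2, min_replace_days=30):
    """Vendors whose outage would halt several insureds at once and cannot be
    swapped out quickly: the CDK-style scenario the article describes."""
    hit = defaultdict(list)
    for dep in deps:
        if dep.criticality >= min_criticality and dep.replace_days >= min_replace_days:
            hit[dep.vendor].append(dep.policyholder)
    return {v: sorted(p) for v, p in hit.items() if len(p) >= min_insureds}


if __name__ == "__main__":
    heuristic = market_share_exposure(POLICY_LIMITS, VENDOR_MARKET_SHARE)
    mapped = mapped_exposure(POLICY_LIMITS, DEPENDENCIES, VENDOR_CONTROLS)
    print("market-share ranking :", rank(heuristic))
    print("dependency ranking   :", rank(mapped))
    for vendor in VENDOR_CONTROLS:
        print(f"{vendor:10} heuristic ${heuristic[vendor]:>12,.0f}"
              f"  mapped ${mapped.get(vendor, 0):>12,.0f}")
    print("single points of failure:", single_points_of_failure(DEPENDENCIES))
```

On this constructed book the heuristic ranks the widely used mail provider as the largest exposure and the dealer-management vendor as the smallest, while the dependency-mapped view inverts that order and flags the dealer-management vendor as the one single point of failure, because three insureds depend on it for core operations, cannot replace it quickly, and its controls are comparatively weak. The weighting formula is deliberately simple; the point is that it cannot be computed at all without the dependency map.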
A Blueprint Already Exists
This dual-lens approach is already in use by leading enterprises, especially in financial services, where vendor risk oversight is a decades-old discipline. These organizations combine third-party cyber risk insights with internal assessments of vendor criticality to make more informed decisions. Insurers can follow suit by encouraging greater transparency, standardizing reporting frameworks and adopting technologies that can scale risk evaluation across thousands of policyholders.
Just as the requirement for multi-factor authentication has become standard in underwriting, we now need to expand expectations to include vendor risk transparency and supply chain assessment. The industry must evolve beyond evaluating the insured in isolation.
Opportunity for Industry Leadership
The good news? We're not starting from scratch. Emerging data sources, improved telemetry and advances in automation make it increasingly possible to map vendor dependencies and evaluate cyber posture at scale. But technology alone isn't enough. New ways of quantifying risk that weigh a company's third-party vendor exposure alongside the historical risk factors are being developed. Insurers, brokers, security professionals and enterprise leaders must work together to close the supply chain visibility gap.
This isn't just an underwriting challenge. It's a systemic risk to the broader digital economy. Addressing it will require more collaboration, shared standards and a willingness to evolve outdated models. The cyber insurance industry has an opportunity to lead the way. Let's not wait for the next breach to prove how urgently that leadership is needed.