How To Keep Third-Party Events From Becoming First-Party Losses

Vendor-related risks, from both tech providers and non-tech partners, have always been a concern, but they are now increasingly evident as the driver behind a growing number of cyber insurance claims.

While data breaches were once the main concern, we’re now seeing more severe first-party losses caused by ransomware attacks and major system outages.

These issues aren’t always the result of a cyberattack, either. Sometimes they come from non-malicious errors, like critical system failures or software glitches from key vendors that still cause significant disruption.

The reality is that no matter how carefully and thoroughly a business manages its third-party relationships, some level of vendor risk is unavoidable. That’s why it’s so important for companies to have a solid understanding of their own cyber risk exposure, and that of their partners, so they can plan accordingly, both in terms of continuity and insurance protection.

The Nature Of The Threat

In the age of digital transformation, the vast majority of companies are connected to a wide array of third-party vendors. This is an indispensable part of the modern economy, but it is also a large vector for risk.

Vendor-related incidents have, unfortunately, become something of an occupational hazard. Companies have incurred significant first-party losses from both malicious and non-malicious vendor failures.

In 2024, several high-impact incidents underscored the growing risk exposure tied to third-party technology providers. For example, a ransomware attack targeting CDK Global, a key software supplier to the automotive sector, brought operations to a halt across thousands of businesses. This resulted in estimated losses of $1 billion, including a $25 million payout to the attackers. Similarly, an attack on Change Healthcare disrupted billing systems across hospitals and physician practices nationwide. That same year, a flawed software update from CrowdStrike triggered widespread system outages, with estimated losses to insurers ranging from $300 million to $1 billion.

Though these disruptions stemmed from third-party vendors, the financial and operational fallout landed squarely on their clients, highlighting the critical importance of managing supply chain and technology risks.

No Straightforward Solution

Safeguarding against third-party risks, particularly those involving critical IT providers, is far from simple. When an organisation depends on a single vendor for an essential function, and there’s no manual workaround in place, it becomes fully reliant on that provider’s ability to recover before its own operations can resume.

But given how integral third-party vendors and digital supply chains are to the modern economy, it’s unlikely that the trend of outsourcing critical IT systems will ever go out of fashion. The emphasis, then, must be on mitigation rather than prevention.

Assess Vulnerabilities

A critical first step in mitigating risk is to establish robust processes for assessing vendors’ cyber risk.

  • First, businesses should make use of vendor risk reports, treating them as standard due diligence. Vendor risk reports are detailed evaluations of a vendor’s cybersecurity measures, offering a snapshot of the vendor’s vulnerabilities along with publicly observable risks such as exposed digital assets, misconfigurations or outdated systems.
  • Second, they should integrate these vendor risk assessments with their risk management platforms. This gives company boards and IT departments a live dashboard of vendor risk and other security alerts, informing decisions such as choice of vendors, cybersecurity investment and cyber insurance spending.
  • Third, vendor risk assessment should become a continuous process. Even if a vendor is known to be reputable, with appropriate controls to protect its clients, there is no guarantee that those controls will succeed in every instance. Companies should therefore continuously monitor their vendors for risk intelligence.

Risk Quantification

Given that some kind of incident is, unfortunately, increasingly inevitable, businesses should start to view vendor risk as a standard cost of doing business like any other.

A key part of this shift in mindset is risk quantification, the ability to assign a clear, monetary value to the cyber risks a company faces.

By putting concrete numbers to potential threats, IT teams and boards gain a more complete understanding of their exposure. This insight helps guide smarter decisions around cybersecurity investments, vendor selection, and insurance coverage that aligns with the company’s specific risk profile and tolerance.

Improve Cyber Resilience

Focusing on mitigating risk from vendors does not mean organisations should neglect their internal security fundamentals. It is more important than ever to maintain resilient data backups stored offline, multi-factor authentication (MFA) for critical environments, and regular employee security awareness training to combat phishing – which remains a leading cause of cyber insurance claims.

This also means proactive monitoring: effective risk management starts with identifying and addressing vulnerabilities before they lead to loss. This entails monitoring not only threats to a company’s own systems, but also the digital environments of the third-party vendors it interfaces with. As we have seen, the distinction between the two is becoming increasingly illusory.

To reduce that risk, organisations need a comprehensive strategy that blends strong internal security with robust vendor oversight, thorough due diligence, and a consistent focus on cybersecurity fundamentals.

Digital transformation and the growing reliance on third-party vendors—both of which show no signs of slowing—have fundamentally changed the cyber risk landscape. In today’s highly interconnected world, the traditional approach of trying to prevent every incident, whether malicious or accidental, is no longer realistic.

Instead, by taking practical steps and treating third-party risk as a core business risk, companies can meaningfully reduce the impact of disruptions and limit first-party losses.

Vishaal ‘V8’ Hariprasad is Co-founder & CEO of Resilience

Image: Andrzej Rostek
