When it comes to data breaches, the biggest ones aren't always the worst. Large breaches might generate eye-catching headlines, but it's not the number of victims that matters. Rather, it's the severity of the breach — which is determined by the type of data compromised and how it can be used to devastate lives and disrupt businesses.
For cyber insurers and policyholders, increased breach severity adds layers of complexity to an already difficult risk management landscape. TransUnion's
Third-party breaches cut deeper
Third-party breaches, often grouped with supply-chain attacks, are chief among the causes of rising severity. These incidents can occur in multiple ways.
Threat actors
Other times, threat actors find all they need inside the vendor's system. The target never experiences a network intrusion, yet its sensitive data is still exposed.
Healthcare and educational organizations are favorite targets for third-party breaches because of their vendor relationships and the volume of sensitive data they hold. In fact, these sectors experienced the highest number of breaches in 2024 — with healthcare
The challenge of a coordinated response
Individual organizations must think about third-party risk as a double-edged threat. Most entities can be either the point of failure or a downstream victim. Any time an organization relies on another to conduct business — for payroll, recruiting, legal help, web services, etc. — it can potentially be exposed by a vendor's breach. Or it can be the cause of the breach when providing services to other companies.
Unfortunately, insurers and commercial policyholders may be underestimating the risk of third-party breaches. The initial incident itself is just one layer of exposure. Equally concerning are the complex, resource-intensive responses that breaches like this require.
When multiple organizations try to coordinate responses to a single incident, things quickly become complicated. Competing industry standards, regulatory frameworks, crisis management strategies, corporate cultures and brand authority can dictate how each organization responds. Naturally, this muddies decision-making across the full spectrum of incident response from cyber forensics to breach notifications. To make matters worse, every party is racing the clock, bound by a patchwork of state and federal laws requiring swift notification to regulators and victims.
Six areas to prep for third-party breaches
To better equip policyholders for the fallout from a potential third-party breach, insurers should advise them on six considerations. These insights can help organizations build a reliable playbook for navigating both sides of a cyber incident.
1. Customer impact: Because end users are often the most vulnerable in the breach chain, priority must be given to them, whether they're patients, students or consumers.
Incident response plans should include clear, consumer-centric practices, such as transparent and consistent communication, accessible support channels, and options for credit or identity monitoring services.
Organizations may also consider how they'll share and/or obtain up-to-date contact data for impacted customers. One effective mechanism is mobilizing a team to field incoming questions about customer data during the incident response phase.
2. Breach notifications: If your vendor is breached, will you permit it to notify your customers on your behalf? Or, if your organization is breached, will you offer to handle victim notifications for your partners?
These decisions can have significant legal, logistical and reputational impacts. Proactive and transparent communication between parties is essential to avoid chain-of-command issues or paralysis by analysis.
Securing buy-in prior to a potential incident can be an effective way to set expectations for when notifications will be distributed, the messages they'll contain, and what services they'll offer.
3. Brand impact: A breach can catapult a company into the spotlight for the wrong reason. Unknown vendors can become household names overnight, and secondary victims may suffer reputational damage despite not being responsible.
Involving marketing, brand and crisis communication experts in incident response planning helps anticipate these risks and shape strategies to safeguard brand reputation across both types of scenarios.
4. Regulatory obligations: It's vital to monitor evolving breach notification requirements across jurisdictions and industries, including timelines for disclosure and content expectations.
Having the right information helps ensure regulatory compliance, whether you're managing an internal breach or responding to a third-party incident. It's also important to consider that certain types of attacks, such as ransomware, can heavily impact systems by encrypting or destroying the hosts and logs investigators depend on, making forensic evidence difficult to obtain. If evidence is not preserved before systems are restored, this can further complicate an organization's ability to meet regulatory requirements.
5. Legal representation: Third-party breaches often trigger multi-jurisdictional challenges that span industries, geographies and organizations.
General counsel may be well-versed in many areas, but data breaches raise unique issues involving tort liability, as well as regulatory and contractual obligations. Having the right legal guidance early on can mean the difference between a manageable incident and a prolonged litigation process.
To mitigate exposure and ensure a defensible response, insureds need access to legal counsel with deep, current knowledge of data privacy laws, cybersecurity case law and breach notification statutes.
6. Cyber insurance: Given the complexity and often extensive cost of responding to third-party breaches, cyber insurance can help cover unavoidable losses.
Beyond protecting against the financial impact of legal fees, restoration efforts and business interruption, many policies also include subrogation clauses, which enable insurers to recover costs from liable third parties. This legal recourse can be especially important in supply-chain attacks, where fault may be contested.
Another benefit of securing a cyber insurance policy is that some underwriters conduct risk assessments before issuing coverage. These pre-coverage reviews identify potential vulnerabilities, helping policyholders improve their security postures before an incident occurs. Taking such a proactive approach may also promote insurability in an increasingly litigious cyber landscape.
Proactive prep across the supply chain
As the threat of third-party breaches becomes harder to contain, the legal implications for insurers and their policyholders are only growing more complex. Addressing these risks requires more than strong coverage. It demands legal foresight and clear, coordinated planning in concert with each of an organization's vendor and supplier stakeholders. With the right strategies in place, insurers can help policyholders respond in ways that foster resiliency through an otherwise chaotic situation.
For more insights into the unique cyber challenges facing insurers and policyholders, read the