P&C, Jan/Feb 2026 issue

Zero Trust Environment

Artificial intelligence and ransomware are supercharging insureds’ exposure to third-party cyber risk.
By Zach West Posted on January 21, 2026

The third parties that create this exposure can include even the cybersecurity companies an organization hires to reduce its digital risk.

Third-party cyber risk is not new, but threat actors have increasingly exploited technology vendors’ deep integration with their clients to introduce ransomware and exfiltrate data.

Generative AI has not only made staging social engineering attacks much easier and more efficient, it also has opened new attack surfaces through the AI vendors themselves and allowed for shadow AI, where an employee may disclose sensitive information without oversight or approval from IT.

Risk management includes adhering to industry standards such as multifactor authentication across an organization, as well as monitoring vendor security and AI use.

Though its definition is simple (third-party cyber risk encompasses a company’s exposure to cyber losses through its use of outside vendors), these exposures are complex and often easy to miss. One example: from 2019 to 2020, attackers compromised the build process of SolarWinds Orion, the IT vendor’s network infrastructure and system monitoring platform, so that malicious code shipped to customers inside a signed, legitimate-looking update. Once installed, Orion’s privileged, direct line into customer networks and infrastructure gave the perpetrators unprecedented access to SolarWinds customers’ systems and data. Post-breach investigations found that approximately 18,000 customers had downloaded the trojanized update, and insured losses were estimated at the time as high as $90 million.

But malicious actors need not even be involved; companies also face potential third-party losses from mere vendor error. More recently, cybersecurity company CrowdStrike unintentionally pushed a faulty content update for its Falcon endpoint sensor on July 19, 2024. The now-infamous update crashed Windows hosts running the sensor; Microsoft estimated at the time that approximately 8.5 million Windows devices were affected globally. Airports, banks, 911 systems, hotels, trains, hospitals, restaurants, and more were paralyzed.

It didn’t stop with CrowdStrike customers—as cyber insurer Coalition explained in a 2024 postmortem, “The CrowdStrike Outage resulted not only in business interruption to its customers running on Windows but also to non-customer organizations that experienced cascading contingent business interruption as a result of the downtime of CrowdStrike’s customers. In some cases, the impacted systems were hosted in local networks, and others, in third-party cloud providers. Finally, while many of the cascading business interruption events resulted from IT systems failures, some were also caused by broader non-IT supply chain failures (e.g., the massive interruption and cancellation of flights, medical procedures, and the like).”

Direct losses to Fortune 500 companies alone were estimated at around $5.4 billion. Industry estimates of global insured losses from the CrowdStrike event range up to $1 billion, or about 15% of global cyber premiums at the time.

Data breaches involving third-party vendors have risen dramatically in recent years. According to Verizon’s 2025 Data Breach Investigations Report, 30% of breaches in the year ending Oct. 31, 2024, involved a third party such as a vendor or partner, double the previous year’s share. Likewise, according to cyber solutions company and MGA Resilience’s 2025 Midyear Cyber Risk Report, business interruption from vendor unavailability, as during the CrowdStrike outage, was the second-highest cause of loss for insureds in the company’s portfolio in 2024, second only to ransomware.

“I wouldn’t say [third-party risk] is a new source of risk,” says John Butler, cyber product lead for E-Risk, a Nationwide company. “I think what has happened over the last, say five or so years, is that the threat actor has become more and more sophisticated, more vulnerabilities have come to light, and the number of insureds who are susceptible to those vulnerabilities has expanded as well.”

New Approaches in Ransomware

One major source of third-party risk comes from the shift in how cybercriminals use one of their favorite tools, ransomware. The hard market for cyber insurance during the COVID-19 pandemic drove insureds to develop robust incident response plans for ransomware events, including data backups and regular system maintenance. Cybercriminals have not sat idle since then.

“Instead of encrypting and closing you out of your system, they’re now utilizing extortion with the data they may have exfiltrated from the system. And when that happens, that actually broadens the exposure,” Butler explains. Companies then face fines for failing to comply with privacy laws, especially in industries like healthcare that hold highly sensitive data. That is on top of possibly paying an extortion demand to keep stolen data from being published, and stolen health data, for example, often commands a much higher price than other personally identifiable information, Butler says.

Third-party vendors have increasingly become vectors for these ransomware attacks, given how integrated they can be with a company’s systems. According to Resilience’s 2025 report, ransomware affecting a vendor is the fastest-growing cause of loss, coming in at 15% of incurred insured losses within its portfolio for the first half of 2025, second only to ransomware targeting a company directly (76% of incurred losses).

Coalition provides a tangible example of how third-party vendors can make a company more vulnerable to ransomware attacks in its 2025 Cyber Claims Report. Ransomware disabled a furniture manufacturer’s computer systems, resulting in a ransom payment of $400,000 from the company; its cyber policy also paid a combined $1.7 million to cover the costs of downtime and breach response. Coalition determined that the attackers had entered the company’s systems through remote desktop software the manufacturer used, provided by a third-party vendor.

The CrowdStrike outage, although it involved no attacker at all, also illustrates how the loss of a vendor can hurt a client even when nothing crosses the vendor’s connection into the client’s systems. Ransomware that takes down a vendor crucial to a company’s business, such as a payment processor or cloud service provider, has the same effect: the client could face significant downtime at huge cost to both it and its cyber policy.

A 2024 estimate from cybersecurity and cyber resilience rating firm SecurityScorecard says that, globally, 62% of the market share for third-party technology products and services belongs to only 15 companies. If any of these 15 vendors is compromised by ransomware, global business may face losses comparable to those from the CrowdStrike outage—or worse. On top of that, just 150 companies account for 90% of third-party technology products and services market share. According to an IBM study, The Cost of a Data Breach 2025: The AI Oversight Gap, breaches between March 2024 and February 2025 caused by third-party vendor and supply chain compromise took the longest to identify and fully contain, at a combined mean of 267 days.

AI Everywhere All at Once

Much like the Fortune 500, threat actors have been quick to add generative AI to their toolbox. “AI has supercharged our traditional threat vectors like phishing, like ransomware—vulnerabilities exploiting your environment,” explains Maria Long, chief underwriting officer at Resilience. “AI is being used by threat actors to just create more efficiency and scope, basically, so frequency and severity will go up.” This has quickly made it a key source of third-party risk.

One way generative AI heightens risk is by creating convincing communications, such as emails, much more efficiently than human actors. IBM, for example, found that generative AI can reduce the time necessary to create a phishing email from an average of 16 hours to five minutes. CrowdStrike’s 2025 Threat Hunting Report adds a troubling dimension to that statistic: from July 2024 through June 2025, AI-generated phishing messages drew a click 54% of the time, compared to 12% for human-written attempts.

“AI is definitely being leveraged currently when it comes to any sort of fraud,” Butler says. “They’ll also use not only deepfakes or AI-created video, but you also have the deepfakes that are an AI-created voice. The AI tools that the threat actors are using have become truly sophisticated, sophisticated enough to really mirror almost identically someone within your organization at their position, how they would respond. The tone is captured in a very real way.”

For both Long and Butler, the verisimilitude of AI-generated content is particularly dangerous because it renders much of employee training around phishing and other social engineering attacks ineffective. “All of the things you’ve told them to look out for are no longer present in these emails,” Long explains. For example, common red flags are poor grammar, bad spelling, and generic messages that arrive out of the blue. Now, though, since a model can be given samples of a target’s own writing, it can produce at scale personalized messages that read very much like a fellow employee, with none of the spelling or grammar mistakes that might alert the target.

Third-party AI vendors can be sources of vulnerability in this environment. The 2025 IBM report found that 13% of the roughly 600 organizations surveyed experienced a breach between March 2024 and February 2025 involving their AI models or applications, most commonly through the third-party AI supply chain: compromised apps, APIs, or plug-ins. Further, of those organizations compromised through AI applications, 97% had no access controls for AI, such as restricting each employee’s access to the minimum necessary for the job or monitoring a tool for unusual usage patterns.

“These incidents had a ripple effect: they led to broad data compromise (60%) and operational disruption (31%). The findings suggest AI is emerging as a high-value target,” according to the IBM report.

The lack of access controls relates to another way third-party AI heightens exposure: shadow AI. This is when employees use tools such as ChatGPT or Gemini without authorization or oversight from the organization’s IT department. Think of an employee casually pasting an internal report into ChatGPT for analysis, or asking it to draft a presentation from internal data.

“Now you’ve got this privacy exposure,” Long explains. “You’ve got employees disclosing sensitive information the company may not have intended them to expose.”

IBM found that 20% of organizations surveyed for its report had experienced security incidents involving shadow AI. Average breach costs increased by almost $700,000 at organizations with high levels of shadow AI. Overall, the report found that shadow AI was the third most costly breach factor in 2025, below security system complexity (No. 2) and supply chain (or third-party) breaches (No. 1), which increased breach costs by an average of $740,000 and $800,000, respectively.

Long notes that approximately 50% of litigation involving AI centers on IP and copyright infringement. A company using AI, or with high levels of shadow AI to produce public-facing content, could face significant media liability exposure, which as Long puts it, “unfortunately sits squarely within the cyber liability policy.” With companies slow to adopt AI governance policies—63% of the organizations from the IBM report that experienced breaches had no AI governance policies, and only a third of those with such policies regularly audited for shadow AI—generative AI represents a real source of risk today.
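One concrete form the shadow AI audit above can take is a scan of the web proxy logs an organization already keeps, looking for traffic to public AI services from accounts that are not approved to use them and for uploads large enough to be a document rather than a typed prompt. The following is an added example for this article, not code from the article, IBM, Resilience or any vendor it cites. The log layout, the list of AI hosts, the sanctioned-user list and the upload-size threshold are assumptions, and the log lines are constructed.

```python
"""Flag likely shadow-AI use in web-proxy logs.

Added example for this article, not code from the article or from any company it
cites. The log layout, AI host list, sanctioned-user list and upload threshold
are assumptions; adapt them to the proxy and identity provider actually in use.
"""
import re
from collections import defaultdict

# Constructed sample log, one request per line:
#   timestamp user method host path status bytes_sent_by_client
SAMPLE_LOG = """\
2026-01-14T09:02:11Z alice POST api.openai.com /v1/chat/completions 200 3120
2026-01-14T09:05:40Z bob POST chatgpt.com /backend-api/conversation 200 412
2026-01-14T09:07:02Z bob POST chatgpt.com /backend-api/files 200 2460000
2026-01-14T09:09:55Z carol GET www.example.com / 200 120
2026-01-14T09:12:13Z dave POST gemini.google.com /app/upload 200 800000
2026-01-14T09:13:01Z alice GET api.openai.com /v1/models 200 90
this line is malformed and is skipped
"""

# Public generative-AI endpoints to watch (assumed list; extend for your environment).
AI_HOSTS = {"api.openai.com", "chat.openai.com", "chatgpt.com",
            "gemini.google.com", "claude.ai"}

# Accounts approved to use a sanctioned AI service (assumed).
SANCTIONED_USERS = {"alice"}

# A single POST/PUT to an AI host at or above this size is treated as a possible
# bulk disclosure (an uploaded file rather than a typed prompt). Assumed value.
UPLOAD_THRESHOLD = 100_000

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, user, method, host, path, status, nbytes = m.groups()
    return {"ts": ts, "user": user, "method": method, "host": host.lower(),
            "path": path, "status": int(status), "bytes": int(nbytes)}


def is_ai_host(host):
    """Exact or subdomain match against AI_HOSTS; look-alikes such as
    'notopenai.com' or 'chatgpt.com.evil.example' must not match."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in AI_HOSTS)


def find_shadow_ai(log_text):
    """Scan proxy log text and return three views of AI-bound traffic:

    unsanctioned  -> {user: set(hosts)} for users outside SANCTIONED_USERS
    large_uploads -> [(ts, user, host, bytes)] for oversized POST/PUT requests
    upload_bytes  -> {user: total bytes sent to AI hosts via POST/PUT}
    """
    unsanctioned = defaultdict(set)
    large_uploads = []
    upload_bytes = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_ai_host(rec["host"]):
            continue
        if rec["user"] not in SANCTIONED_USERS:
            unsanctioned[rec["user"]].add(rec["host"])
        if rec["method"] in ("POST", "PUT"):
            upload_bytes[rec["user"]] += rec["bytes"]
            if rec["bytes"] >= UPLOAD_THRESHOLD:
                large_uploads.append((rec["ts"], rec["user"], rec["host"], rec["bytes"]))
    return {"unsanctioned": dict(unsanctioned),
            "large_uploads": large_uploads,
            "upload_bytes": dict(upload_bytes)}


if __name__ == "__main__":
    report = find_shadow_ai(SAMPLE_LOG)
    for user, hosts in sorted(report["unsanctioned"].items()):
        print(f"unsanctioned AI use: {user} -> {', '.join(sorted(hosts))}")
    for ts, user, host, n in report["large_uploads"]:
        print(f"large upload: {ts} {user} sent {n} bytes to {host}")
```

The script sees only what the proxy sees: with TLS inspection it gets the path and the request size, with DNS or SNI-only logging it gets the host alone, and traffic from unmanaged devices or personal phones never appears. Treat the output as the starting point for the audit the IBM report describes rather than proof of disclosure, and allowlist the hosts of an approved enterprise tenant so sanctioned use is not reported alongside the rest.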

Prudence Pays

For Butler, a good way to mitigate third-party risks is promoting insured cyber resilience—first and foremost by enforcing industry-standard multifactor authentication. “MFA is a very good starting point with respect to perimeter security, especially having it available and configured for the entire enterprise,” he says. “If you’re having a vendor of yours, a third-party vendor that you contract with that you rely on for certain services, whether it’s cloud service or whether it’s a SaaS [software as a service], I truly recommend making sure MFA is configured across your enterprise for those reasons, because threat actors are utilizing access points when you have third parties able to have access to your network.”

This comes with due diligence on vendors, Butler says. That requires companies to regularly assess the cybersecurity posture of any vendor to ensure its security is on par with the client’s or at least meets standard baselines, such as MFA.

Long suggests this due diligence should also assess vendor capabilities and services, especially how critical the vendor is to the company’s daily operations. By reducing or even eliminating a vendor’s role, companies can tighten third-party risk exposures.

Additionally, Long thinks companies should audit their vendors’ AI use. “How are those vendors leveraging AI, and what does that mean for you?” she says. “How much AI are they using, and do they have processes in effect to make sure that the AI is functioning as intended and is not laden with vulnerabilities that could cause a business interruption to the company? You also need to be concerned about improper oversight and maintenance that leads to model drift. What data sets are they using, and would that result in something like discrimination? Governance, transparency, security, and maintenance are paramount.”

Insurers should focus on providing value-add services that can help insureds respond to an incident, Butler says. These services can include data analytics tools to identify areas of risk where insureds can harden their security posture, digital forensics tools to establish when and how an intrusion occurred, and educational resources to help insureds develop a strong incident response plan. The industry seems to have taken value-add services to heart; cybersecurity firm Arctic Wolf estimates that about 69% of carriers offer in-house cyber risk management services, and a quarter of carriers direct insureds to specific cybersecurity vendors that often have negotiated discounts or terms in place for those insureds. Industry experts agree that one reason the CrowdStrike outage was not far more damaging was the swift, effective incident response by the parties involved.

Brokers also must partner with insurers to inform their clients on available value-add services, Butler says, whether those services are offered by the carrier or are risk management resources provided by outside vendors. “For a broker to be able to provide risk management expertise, that’s value to the customer at the end of the day. The more that insureds are aware of who they can call to help them, the better off they are when they’re trying to prepare for an incident that they may end up encountering. It’s not if—it’s when.”

Long also urges underwriter caution in providing coverage for these new and evolving cyber risks, something she calls “coverage creep.” This includes not just coverage expansion to include bodily injury, property damage, and pollution, but also how quickly underwriters have incorporated affirmative coverage for AI-related risks into their policies. The latter is especially concerning for her, as those risks are so new and there is so little data to inform loss models.

“We really need underwriters to remain prudent,” Long says. “We cannot race to the bottom line.”

Zach West, Content Specialist
