Protect Your Organization From Increasing Third-Party Cyber Exposures

OCTOBER 3, 2023

In 2023, third-party breaches have become a top cyber threat as organizations increasingly turn to independent contractors for products and services. The recent hacks of MOVEit and Caesars Entertainment clearly illustrate this fact.

At Caesars, a social engineering attack on one of its IT vendors pilfered Social Security and driver's license numbers from customers. Similarly, the mass exploitation of Progress Software Corp.’s MOVEit transfer software has rapidly cemented itself as the largest hack so far this year. The critical-rated vulnerability allowed attackers to raid transfer servers and steal customers’ sensitive data. The number of known victim organizations surpassed 1,000 in August, impacting all industries, with over 60 million affected individuals.

How is Your Organization at Risk?

Vendor-related cyber threats can put your organization at risk in a number of ways, including:

  1. Supply chain vulnerabilities: Companies often rely on various vendors for products or services. If these vendors have weak cybersecurity measures, attackers might exploit their systems to gain access to the company's network through the supply chain.
  2. Third-party software: Vendors may provide software or applications that the company uses, such as MOVEit. If these tools have security vulnerabilities or back doors, they can be exploited by cybercriminals to compromise the company's data or systems.
  3. Data sharing: Vendors may require access to the company's data for legitimate purposes. However, if they mishandle or inadequately secure this data, it can be exposed and lead to data breaches.
  4. Inadequate security practices: Vendors might not have robust cybersecurity practices in place, making them easier targets for cyberattacks. If attackers compromise a vendor's systems, they can then pivot to target the company.
  5. Subcontractors: Vendors often subcontract services to other third parties. This increases the attack surface, and the company may not have visibility into the cybersecurity practices of these subcontractors.
  6. Lack of monitoring: Companies may not closely monitor or audit their vendors' security practices, assuming they are secure. This lack of oversight can leave vulnerabilities unnoticed.
  7. Dependency on cloud services: Many companies rely on cloud service providers. If these vendors experience downtime or security incidents, it can disrupt the company's operations or expose its data.

To mitigate these risks, companies should conduct thorough vendor risk assessments, establish cybersecurity standards for vendors, require vendors to adhere to security best practices, and continuously monitor vendor cybersecurity posture. Insurance underwriters across industries are delving deep into the cyber landscape of every organization, scrutinizing their exposures and loss control measures.

Let’s take a look at how various industries are impacted by vendor-related cyber exposures:

Manufacturing and Distribution

Manufacturers and distributors rely on a network of suppliers and partners. A cyberattack on a vendor can disrupt the supply chain, leading to production delays and product shortages.

An increasing reliance on technology is expanding cyber risk for manufacturers and distributors. This industry is experiencing an accelerated change in technologies, including rapid adoption of sensor technology, smart products, and Internet-of-Things (IoT) strategies. Manufacturers and distributors can use specialty technologies, such as industrial control systems (ICS) and operational technology, to drive customer service and business efficiency — and all of these make them a cyber target.

As a result of these and other developments, cyberattacks (and the cost of those attacks) against manufacturers and distributors are rising at a historic rate. Companies should identify and address network vulnerabilities to improve their cost of risk via favorable premiums, terms and policy limits. USI’s Industrial and Manufacturing team advises clients across the risk spectrum with a comprehensive suite of cyber solutions.

Construction

Cyberattacks on vendors can cause delays in construction projects by disrupting the supply chain. Ransomware attacks, for example, can encrypt vendor data, making it inaccessible until a ransom is paid.

Bidding on and winning projects requires updated and demonstrable cybersecurity risk management. Construction companies must meet complex technology and security requirements just to qualify for many projects. Additionally, they hold and may be liable for public-private partnership (PPP) data along with other trade and building secrets. USI’s cyber risk transfer solutions address the use of drones, wearables, tracking devices, and other resources designed for today’s construction companies. 

Healthcare

Third-party vendors often have access to sensitive patient data, and if they suffer a breach, it can lead to the exposure of patients’ personal and medical information.

An escalating regulatory environment also impacts cyber coverage and risks for healthcare companies, which are subject to strict compliance obligations like the Health Insurance Portability and Accountability Act (HIPAA). If a vendor fails to comply with these regulations, it can result in legal and financial consequences for the company.

Increasing ransomware attacks, technological complexity due to mergers and acquisitions, and medical device security concerns (IoT devices, specifically) have put pressure on cybersecurity efforts. Since the start of 2023, over 40 million patients nationwide have been affected by 327 data breaches, according to the Office for Civil Rights. A study by IBM reports that the average cyber event now costs over $10 million for U.S.-based healthcare organizations.

Healthcare facilities should work with sophisticated brokers to address the IT improvements sought by underwriters. USI assists in addressing cyber and privacy risks first, creating a “Healthcare Top 10 Cyber Risk Management Review.” We then identify the appropriate cyber insurance to cover the costs of a loss, whether it’s a ransomware event or a business email compromise that requires network and forensic assistance.

For example, when a regional clinician group was a victim of a ransomware attack, USI professionals worked with the client and insurance carrier to resolve the initial ransom demand and remediation cost, which totaled approximately $500,000 in ransom, $100,000 to secure the bitcoin, and $300,000 in forensics and other network expenses. Since the firm had USI’s PrivaSafe cyber coverage, the cost for the incident was paid minus the self-insured retention of $50,000.

Watch our on-demand cybersecurity webinar for healthcare companies, led by our cyber insurance leaders and healthcare industry specialists, on effective risk management and insurance solutions.

Real Estate

If a vendor handling sensitive data — such as tenant information or financial records — suffers a breach, it can expose the real estate company and its clients to data theft and privacy violations. Real estate companies are facing dramatic increases in sensitive data and expanding regulations, as well as the need for technology to address both issues. This creates a need for cyber risk management and insurance solutions. Cybercriminals know this and are ready to exploit vulnerabilities at any point in the real estate supply chain — including titles, tenants, funds transfers, and other essential business operations. Cyber risk management and cyber insurance can provide critical protection against loss and liability arising out of the use of technology in operations, assisting real estate businesses in mitigating their exposures to cyber risk and successfully recovering from cyber incidents.

Transportation

Transportation companies rely on various vendors for critical components and services. A cyberattack on a vendor’s systems can disrupt the supply chain, leading to delays, increased costs, and operational challenges.

For the transportation industry, cyber and privacy risk management and insurance transfer have traditionally been secondary to addressing “traditional” transport risks that involve property and auto coverage. This means you may be more vulnerable to cyber threats, particularly those involving wearables, tracking devices, and physical goods lost through business email compromise (BEC) attacks.

To mitigate risks, transportation companies should implement robust cybersecurity measures, such as endpoint detection and response (EDR), air gaps, and immutable backups. Air-gapping keeps backup copies disconnected from the network so an attacker cannot reach them remotely, while immutability ensures that backup files cannot be edited or deleted by anyone, including a compromised administrator account, once they have been written to the cloud.

A tailored cyber risk management program can help address these specific risks and partner with underwriters to receive favorable coverage. USI works with specialized insurance carriers who are experienced in the transportation industry and tailor coverage to your specific risks.

Higher Education and Public Entities

The University of Massachusetts Chan Medical School recently revealed they are being sued as the result of a data breach. The lawsuit claims the university failed to safeguard the confidential information of 134,000 people who receive public assistance when their personal information was exposed in connection with a cyberattack on the MOVEit file-transfer app. This illustrates the critical need for effective cyber risk management and insurance coverage to protect the sensitive data and unique networks of higher education and public entities.

While robust cybersecurity measures such as firewalls, encryption and regular updates can help prevent breaches, they may not be enough to secure adequate coverage. Today, underwriters are typically requiring IT practices to address specific concerns, such as full endpoint detection and response (EDR) across your network, with 24/7 monitoring. Tailored insurance policies, specific to the cyber and privacy risks of public entities and municipalities, are available via the USI PrivaSafe solution. Cities, towns, universities, hospital districts, tax offices, and counties should seek custom solutions based on the unique needs of their organizations.

Watch our on-demand cybersecurity webinar for public entities and higher education, led by our cyber insurance leaders and healthcare industry specialists, on effective risk management and insurance solutions.

Agriculture

Third-party vendors may have access to sensitive data such as crop yield information, customer data, or financial records. If these vendors suffer a data breach, the company’s data can be exposed, leading to financial losses and reputational damage. Agriculture companies also rely on a complex supply chain, which includes vendors for equipment, fertilizers and seeds. Cyberattacks on these vendors can disrupt the supply chain, affecting production and distribution.

Modern cybersecurity for agriculture companies involves protecting proprietary data, off-site network access, remote monitoring systems, and IoT-enabled machinery from cyber threats — as a start. Understanding the seasonal nature of threats, installing a regular threat update and patching cadence, and training employees must also be part of any agriculture business today. USI’s PrivaSafe insurance solutions can address potential losses from cyberattacks while seeking to tailor your insurance and risk management programs to the unique needs of your agricultural operations.

Watch our on-demand cybersecurity webinar for agriculture companies, led by our cyber insurance leaders and agriculture industry specialists, on effective risk management and insurance solutions.

How to Mitigate Third-Party Cyber Threats

Companies can take several proactive steps to protect themselves from cyber threats caused by vendors and other sources, including:

  • Vendor risk assessment: Conduct thorough assessments of vendors' cybersecurity practices before entering into any contracts. Evaluate their security policies, procedures, and compliance with industry standards.
  • Contractual agreements: Include robust cybersecurity clauses in vendor contracts. Define security responsibilities, incident response procedures, and liability for breaches.
  • Data encryption: Ensure that sensitive data exchanged with vendors is encrypted during transmission and storage to prevent unauthorized access.
  • Regular audits: Conduct periodic security audits of vendor systems to verify compliance with agreed-upon security standards.
  • Security policies: Align vendor access policies with your organization's security policies. Limit vendor access to the minimum necessary for them to fulfill their role.
  • Monitoring and logging: Implement continuous monitoring and logging of vendor activities on your network to detect any suspicious or unauthorized actions.
  • Security training: Require vendors to train their employees on security best practices and data protection, ensuring they are aware of the risks and how to mitigate them.
  • Incident response plans: Collaborate with vendors to establish incident response plans to address potential breaches promptly and effectively.
  • Third-party cyber insurance: Consider third-party cyber insurance to mitigate financial risks associated with vendor-related cyber incidents.
  • Communication: Maintain open communication channels with vendors to promptly address security concerns and vulnerabilities.
  • Stay informed: Keep up to date with evolving cybersecurity threats and trends to adapt your vendor management strategies accordingly.
  • Compliance checks: Verify that vendors comply with relevant regulations, such as HIPAA or General Data Protection Regulation (GDPR), depending on the data they handle.
  • Multi-factor authentication: Enforce multi-factor authentication for vendor access to critical systems or data.
  • Vulnerability management: Regularly assess and remediate vulnerabilities in vendor-supplied software or services.
  • Exit strategy: Develop a contingency plan for vendor transitions to ensure a seamless shift of services without compromising security.
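Three of the practices above (limiting vendor access to the minimum necessary, enforcing multi-factor authentication, and monitoring vendor activity for unauthorized actions) can be turned into a concrete check. The following Python script is an added example written for this page, not code from USI or from any product it describes. The vendor registry, the agreed access scopes and hours, and the pipe-delimited access log are all constructed, hypothetical inputs; a real deployment would read the registry from the vendor contract records and the events from the organization's identity provider or SIEM.

```python
"""
Vendor-access audit: compare each access event recorded for a third-party
account against what that vendor's contract actually permits, and report
every deviation. Registry, policies and log lines below are constructed
for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical vendor access agreements (the "minimum necessary" scope).
VENDOR_POLICIES = {
    "acme-it-support": {
        "allowed_systems": {"helpdesk-portal", "ticketing-db"},
        "window": (time(8, 0), time(18, 0)),   # contracted support hours
        "mfa_required": True,
    },
    "payroll-saas": {
        "allowed_systems": {"hr-export-api"},
        "window": (time(0, 0), time(23, 59)),  # automated nightly/daytime exports
        "mfa_required": True,
    },
}


@dataclass
class Finding:
    line_no: int
    vendor: str
    reason: str


def parse_line(line):
    # Constructed log format: timestamp|vendor_account|system|action|mfa(yes/no)
    ts, vendor, system, action, mfa = line.strip().split("|")
    return datetime.fromisoformat(ts), vendor, system, action, mfa == "yes"


def check_event(line_no, ts, vendor, system, action, mfa_ok):
    """Return the list of policy deviations for one access event."""
    findings = []
    policy = VENDOR_POLICIES.get(vendor)
    if policy is None:
        # An account nobody has a current contract for: offboarding gap.
        return [Finding(line_no, vendor, "account not in vendor registry")]
    if system not in policy["allowed_systems"]:
        findings.append(Finding(line_no, vendor,
                                f"access to {system} outside agreed scope"))
    start, end = policy["window"]
    if not (start <= ts.time() <= end):
        findings.append(Finding(line_no, vendor,
                                "activity outside contracted hours"))
    if policy["mfa_required"] and not mfa_ok:
        findings.append(Finding(line_no, vendor, "login without MFA"))
    return findings


def audit(log_lines):
    """Run every non-empty log line through check_event and collect findings."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        if not line.strip():
            continue
        findings.extend(check_event(n, *parse_line(line)))
    return findings


# Constructed sample log: lines 1, 2 and 4 are within policy; line 3 is a
# vendor account reaching an out-of-scope share at 02:40 without MFA; line 5
# is a former contractor's account that should have been removed.
SAMPLE_LOG = """\
2023-10-03T09:15:00|acme-it-support|helpdesk-portal|login|yes
2023-10-03T09:20:00|acme-it-support|ticketing-db|query|yes
2023-10-03T02:40:00|acme-it-support|finance-share|read|no
2023-10-03T11:00:00|payroll-saas|hr-export-api|export|yes
2023-10-03T11:05:00|old-contractor|hr-export-api|export|yes
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.vendor}: {f.reason}")
```

Running the script prints four findings: three for log line 3 (out-of-scope system, out-of-hours activity, no MFA) and one for log line 5 (an account with no contract behind it). The design point is that the registry encodes what the contract allows, so the same data that satisfies a "regular audit" or "compliance check" also drives the detection logic, and the "exit strategy" item is covered automatically: once a vendor is removed from the registry, any further use of its account is reported.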

By implementing these practices, companies can enhance their cybersecurity posture and reduce the risks associated with their vendor relationships.

How USI Can Help

USI works with clients to reduce cyber and privacy exposures through risk management, and provides cyber risk transfer via PrivaSafe insurance coverage. Our cyber experts begin by reviewing existing cyber and technology errors and omissions (E&O) policies and benchmarking current limits and retention. We then use risk profile and network scanning tools to assist clients in improving their cyber risk profile prior to marketing their insurance to secure a favorable placement.


Cybersecurity Webinars

Watch our on-demand cybersecurity webinars addressing the top issues in several key industries. We've brought cyber insurance leaders, industry specialists and trusted partners together to discuss mitigation and insurance solutions.


For additional information, contact your USI representative or email us at pcinquiries@usi.com.