20 August 2020
Lauren Winchester

3 reasons IT vendors are a bigger cyber risk than you think

And what your clients need to know about how to respond to a breach when their vendor is the source

The following is an adapted excerpt from a new Corvus Ultimate Guide for brokers on how they and their clients should handle a breach caused by a third party. Click to download the full paper for free.

Organizations are in the midst of a decade-old shift to deeper integration with managed service providers (MSPs), software-as-a-service tools (SaaS), and other cloud-based IT solutions. This means the security practices governing many key business functions are now outside of the IT team’s direct control.

In some cases that is a good thing: the vendor may have more resources to put toward security than the organization does. But that trust shouldn't go too far. Having worked with thousands of brokers and policyholders, we've observed an unspoken assumption that these vendors, with their highly advanced products, are paragons of cybersecurity. That assumption is misplaced for three reasons.

  1. First, the bigger and more complex an organization, the harder it generally is to keep secure. Vendors may have excellent security teams and practices, but a provider hosting and managing IT services for hundreds or thousands of clients faces a Sisyphean task at that scale.
  2. Second is the adversarial factor, something we explored in an earlier blog post. These companies may be at greater risk because criminals see them as a rich target: if they can infiltrate the vendor, they can potentially extend the attack to hundreds or thousands of customer organizations and amplify their leverage.
  3. Lastly, some providers have an air of invincibility about their own exposure, likely for the same reason their customers instinctively trust them: they believe they are doing enough, technology-wise, to be secure, despite the challenges described above. A survey by Coveware shows a large disconnect between what MSPs believe the cost and consequences of an attack to be and what they are in reality. This implies that they aren't taking the threat as seriously as they might if they had a more realistic picture of the risk.

Some relevant data supports these assertions. Attacks on IT managed service providers (MSPs) increased 185% in 2019, according to Crypsis, prompting one writer to call MSPs a "worrying new frontier" for ransomware last year. In a survey of 600 companies, 44% reported experiencing a vendor-caused breach. And in May 2020, a ransomware attack on Blackbaud, a widely used cloud services provider for nonprofits, had broad implications for hundreds of organizations, bringing the issue to the fore once again.

What Your Clients Need to Know about Vendor Breach Response

Naturally, these worrying trends and real-world situations have resurfaced questions among brokers and their clients about what companies should do when their vendor is targeted. 

There's some overlap in how a breach is handled when it originates in-house versus from an outside source, but there are enough differences that we wanted to explore the issue in depth. Working with Dom Paluzzi, Co-Chair of the Data Privacy and Cybersecurity practice at the law firm McDonald Hopkins, we've put together the Ultimate Guide to Vendor Breach Response.

This guide covers everything your clients should expect if their vendor is breached, from the first steps they must take to mitigate damage, to the questions they need to ask of the vendor to get the information they need. Download today!
