Does cyber liability insurance cover a vendor breach?

Cyber liability insurance often pays only for incidents that originate inside the insured company's own systems. When a breach begins at a third-party vendor, many policies treat the loss as the vendor's responsibility unless vendor breach, dependent business interruption, or similar endorsements are included. Coverage can also fail if exclusions apply or if the application overstated security controls and the insurer later disputes the claim.

Your business depends on outside vendors. Your insurance policy might not cover them.

Almost every business today works with outside companies - cloud tools, payment apps, HR systems, IT helpers. These partners touch your private data every day. So when one of them gets hacked, you'd expect your cyber insurance to kick in.

For many companies, it doesn't.

Why do vendor breaches trigger cyber insurance claim denials? - A Problem Most Businesses Don't See Coming

Vendor-originated cyber incidents are breaches that start at a third-party provider but create losses for the insured company. Many cyber liability insurance policies restrict coverage to events that begin inside the insured network, a restriction reflected in the more than 40% of claims denied in 2024, many of which involved vendors. The outcome is a coverage gap: customer data can leak through a cloud provider breach while the insurer treats the loss as the vendor's problem.

Here's a scary number: more than 40% of cyber insurance claims were turned down in 2024. Many of those were for breaches that didn't start on the company's own systems. They started at a vendor - an outside partner.

The reason is simple. Most cyber insurance only covers problems that begin inside your own network. If your cloud provider gets hacked and your customer data leaks because of it, many policies say that's the vendor's problem - not yours.

Think of it this way: your policy covers your house, but not the flood that came from your neighbor's broken pipe.

What cyber insurance policy exclusions create a vendor blind spot? - What's Hidden in the Fine Print

Cyber insurance fine print can exclude or limit vendor losses through vendor-related carve-outs, dependent vendor outage clauses, and broad war exclusions. The section uses the Merck NotPetya dispute (a $1.4 billion claim and an early-2024 settlement) to show how exclusions can be applied, and it notes that outage coverage often requires paying for an add-on and naming the vendor in advance. The practical result is that neither the insured's policy nor the vendor's policy will pay unless the policy language explicitly extends coverage or the insured is named on the vendor policy.

Many common policy rules create gaps that most businesses don't find until they try to file a claim.

Vendor-related carve-outs are built into many policies. If a company you hired - say, a payment handler - gets breached, your policy may cut out that kind of loss. Even though the vendor was working for you, the insurer says it's not on them.

Vendor outage coverage is out there, but it's usually an add-on that costs extra. Without it, if your vendor's systems crash and your business can't run, you likely can't file a claim. Even if you have this add-on, the vendor often has to be listed by name in your policy ahead of time.

War-related carve-outs are showing up more often. In a major case, the drug company Merck filed a $1.4 billion claim after a cyberattack called NotPetya hit its systems. The insurer refused to pay, saying the attack was carried out by a foreign government - which set off a "war" clause in the policy. The case settled in early 2024, but it showed how broadly insurers can use these rules.

Here's one more thing most people miss: your vendor's own insurance likely won't help you either. A vendor's cyber policy is meant to cover the vendor's own costs - not the losses their clients face. Unless your company is named on the vendor's policy as someone who's also covered, you probably can't collect from their insurer.

How can cyber insurance applications void coverage after a breach? - Saying One Thing, Doing Another

A cyber insurance application functions like a set of warranties about security controls, and inaccurate answers can become a basis to deny coverage after a breach. The section points to Columbia Casualty Co. v. Cottage Health System as an example where a claim was denied when promised safeguards were not maintained, and it describes insurers using external scanning to compare public-facing controls against the application. The outcome is that a single missing control, such as two-step login on one system, can void coverage for the insured and can also trigger vendor disputes when vendor promises fail.

There's a second problem that may be even worse: the gap between what companies say about their security when they buy insurance and what they really do.

When you apply for cyber insurance, the insurer asks pointed questions. Do you require two-step login? How often do you patch your software? Do you have a plan if a breach happens? Your answers become part of the deal. If a breach hits and the insurer finds out you weren't doing what you said, they can refuse to pay.

This has already played out in court. In Columbia Casualty Co. v. Cottage Health System, the insurer argued it shouldn't have to pay because the hospital hadn't kept up the safety steps it promised on its form. The court agreed - and the claim was denied.

What's newer is how insurers are catching these gaps. Some now use scanning tools to check your security from the outside. They look at your public systems and compare what they see to what you wrote on your form. If you said you use two-step login everywhere but one system doesn't have it, that alone could void your coverage.

This same problem shows up with vendors. They often promise their clients they follow strong safety practices. When a breach shows those promises weren't kept, the vendor faces lawsuits - and their own insurer may refuse to cover them too.

Why are cyber insurers suing security vendors after paying claims? - Insurers Are Starting to Sue Vendors

Insurer lawsuits against vendors are a form of recovery effort where an insurer pays a cyber claim and then seeks damages from the technology or security providers it believes contributed to the loss. The section describes a September 2025 filing where Ace American paid a claim and then sued the client's security vendors, and it also describes a Lab Corp debt-collection vendor breach that exposed data on over 10 million patients and triggered customer and shareholder lawsuits. The outcome is a vendor breach that escalates into multi-party litigation, including claims from insurers, customers, regulators, and shareholders.

A new trend popped up in 2025: insurers are now suing the security vendors that were supposed to keep their clients safe.

In a case filed in September 2025, an insurer called Ace American paid a breach claim - and then sued the tech vendors its client had hired for security. The insurer said those vendors failed to do their job. This puts a new kind of legal risk on IT providers and security firms.

In another case, Lab Corp (LCA) hired a vendor to help collect past-due bills. That vendor got breached, and the health and financial data of over 10 million LCA patients leaked out. LCA got hit with a lawsuit from patients - and then a second lawsuit from its own shareholders, who said the company's leaders picked a vendor with weak security.

The lesson: a vendor breach can lead to lawsuits from customers, shareholders, rule-makers, and even your own insurer.

What changes could tighten cyber insurance coverage in 2026? - What's Coming in 2026

Vendor concentration, vendor outages, and artificial intelligence (AI) tooling can widen the gap between cyber risk and cyber insurance coverage when one incident affects many insureds at once. The section uses the 2024 CrowdStrike outage (one software update disrupting hundreds of companies) to explain why insurers tighten terms after systemic events, and it notes that AI vendor services can make incident causation harder to prove during a claim. The outcome is stricter underwriting and more denial pathways, especially when new rules, such as California's January 1, 2026 security audit requirement, are not met.

The gap between cyber risk and insurance coverage is getting wider. Here's why.

One vendor can take down many companies at once. The 2024 CrowdStrike outage - caused by a single software update - knocked out systems at hundreds of major companies at the same time. When one event leads to claims from that many clients, insurers respond by making their policies tighter and harder to collect on.

AI tools are adding new risks. As businesses use AI tools from outside vendors, they're taking on risks that most policies don't cover. When AI plays a role in a breach, it's often hard to figure out what went wrong - and that makes it harder to back up a claim.

New rules are raising the bar. Starting January 1, 2026, California requires yearly security audits for companies doing business in the state. Failing to meet these rules doesn't just mean legal trouble - it could also give insurers one more reason to deny your claim.

How can businesses close the vendor gap in cyber liability insurance? - What You Can Do About It

Closing the vendor coverage gap in cyber liability insurance requires aligning policy wording, vendor contracts, and documented security controls before an incident occurs. The section recommends confirming the policy covers breaches on vendor systems, adding vendor outage coverage where needed, and requiring the company to be named on a vendor cyber policy for the contract term plus at least five years after. The outcome is fewer claim denials because the insurer sees contract language, accurate application answers, and operational records that prove controls, patching, backups, and response plans were actually in place.

The good news is that you can fix most of these gaps - if you act before a breach happens, not after.

Check your policy wording. Make sure your policy clearly says it covers breaches that happen on your vendors' systems, not just your own. This one change can make a big difference.

Get your name on your vendor's policy. Don't just ask vendors to have cyber insurance. Make sure their policy lists your company as someone who's also covered. This should last for the length of your contract plus at least five years after it ends.

Be truthful on your insurance form - and follow through. What you say about your security becomes a promise. Keep records: login steps, software patches, backup tests, response plans. These records are the proof that decides if your claim gets paid.

Make your vendor contracts stronger. Your deals with vendors should spell out what security steps they must follow, how fast they must tell you about a breach, and who pays if something goes wrong.

Don't just trust - verify. The gap between what companies say they do and what they really do is where claims fall apart. Routine checks on your own systems and your vendors' systems aren't just smart - they protect your coverage.

If your business uses outside vendors - and nearly every business does - now is the time to check your coverage, not after something goes wrong.

Frequently Asked Questions

Q: Does cyber insurance cover a vendor breach?
A: Cyber insurance often pays only for incidents that start on the insured company's own systems, not on a third-party vendor. Many policies include vendor-related carve-outs unless an endorsement extends coverage to vendor breaches or vendor outages, sometimes requiring the vendor to be listed in the policy in advance. Without that wording, a vendor hack can be denied. The key variable is the policy definition of where an incident must originate.
Q: Why do war exclusions matter for cyber insurance claims?
A: War-related exclusions can bar coverage when an insurer argues a cyberattack is attributable to a foreign government or armed conflict. The text cites Merck's $1.4 billion NotPetya claim, which the insurer initially refused to pay by invoking a "war" clause before the dispute settled in early 2024. The takeaway is that attribution debates can decide coverage. This risk grows when exclusions are drafted broadly.
Q: Can a cyber insurer deny a claim if security controls were overstated on the application?
A: Yes. Cyber insurance applications turn security statements into coverage conditions, so an insurer can deny a claim if the insured was not doing what it represented. The text cites Columbia Casualty Co. v. Cottage Health System as a denial example tied to unmet safeguards. It also describes insurers using scanning tools to spot gaps, such as missing two-step login. This makes recordkeeping part of claim readiness.
Q: Will a vendor's cyber insurance pay for your company's losses?
A: Usually not. Vendor cyber policies are designed to cover vendor costs, not the losses a client suffers when the vendor is breached. The text notes that a client typically cannot claim against the vendor's insurer unless the client is named on the vendor policy as a covered party. Otherwise, the client is left relying on contract rights and litigation. This is why "named coverage" language matters in vendor contracting.
Q: What should companies do before a vendor breach to improve claim payout odds?
A: Before a breach, companies should confirm cyber insurance language covers vendor-system breaches and vendor outages, not only incidents that start in the insured network. The text recommends being named on a vendor policy for the contract term plus at least five years after, and keeping records that prove controls, patching, backups, and response plans. These steps reduce denial risk. The goal is to make coverage defensible with documents, not assumptions.

Shayne Adler

Shayne Adler is the co-founder and Chief Executive Officer (CEO) of Aetos Data Consulting, specializing in cybersecurity due diligence and operationalizing regulatory and compliance frameworks for startups and small and midsize businesses (SMBs). With over 25 years of experience across nonprofit operations and strategic management, Shayne holds a Juris Doctor (JD) and a Master of Business Administration (MBA) and studied at Columbia University, the University of Michigan, and the University of California. Her work focuses on building scalable compliance and security governance programs that protect market value and satisfy investor and partner scrutiny.

https://www.aetos-data.com