The Cyber Insurance Blind Spot: Why Your Policy Probably Won't Pay When Your Vendor Gets Hacked
Your business depends on outside vendors. Your insurance policy might not cover them.
Almost every business today works with outside companies — cloud tools, payment apps, HR systems, IT helpers. These partners touch your private data every day. So when one of them gets hacked, you'd expect your cyber insurance to kick in.
For many companies, it doesn't.
A Problem Most Businesses Don't See Coming
Here's a scary number: more than 40% of cyber insurance claims were turned down in 2024. Many of those were for breaches that didn't start on the company's own systems. They started at a vendor — an outside partner.
The reason is simple. Most cyber insurance only covers problems that begin inside your own network. If your cloud provider gets hacked and your customer data leaks because of it, many policies say that's the vendor's problem — not yours.
Think of it this way: your policy covers your house, but not the flood that came from your neighbor's broken pipe.
What's Hidden in the Fine Print
Many common policy rules create gaps that most businesses don't find until they try to file a claim.
Vendor-related carve-outs are built into many policies. If a company you hired — say, a payment handler — gets breached, your policy may cut out that kind of loss. Even though the vendor was working for you, the insurer says it's not on them.
Vendor outage coverage is out there, but it's usually an add-on that costs extra. Without it, if your vendor's systems crash and your business can't run, you likely can't file a claim. Even if you have this add-on, the vendor often has to be listed by name in your policy ahead of time.
War-related carve-outs are showing up more often. In a major case, the drug company Merck filed a $1.4 billion claim after a cyberattack called NotPetya hit its systems. The insurer refused to pay, saying the attack was carried out by a foreign government — which set off a "war" clause in the policy. The case settled in early 2024, but it showed how broadly insurers can use these rules.
Here's one more thing most people miss: your vendor's own insurance likely won't help you either. A vendor's cyber policy is meant to cover the vendor's own costs — not the losses their clients face. Unless your company is named on the vendor's policy as someone who's also covered, you probably can't collect from their insurer.
Saying One Thing, Doing Another
There's a second problem that may be even worse: the gap between what companies say about their security when they buy insurance and what they really do.
When you apply for cyber insurance, the insurer asks pointed questions. Do you require two-step login? How often do you patch your software? Do you have a plan if a breach happens? Your answers become part of the deal. If a breach hits and the insurer finds out you weren't doing what you said, they can refuse to pay.
This has already played out in court. In Columbia Casualty Co. v. Cottage Health System, the insurer argued it shouldn't have to pay because the hospital hadn't kept up the safety steps it promised on its form. The court agreed — and the claim was denied.
What's newer is how insurers are catching these gaps. Some now use scanning tools to check your security from the outside. They look at your public systems and compare what they see to what you wrote on your form. If you said you use two-step login everywhere but one system doesn't have it, that alone could void your coverage.
This same problem shows up with vendors. They often promise their clients they follow strong safety practices. When a breach shows those promises weren't kept, the vendor faces lawsuits — and their own insurer may refuse to cover them too.
Insurers Are Starting to Sue Vendors
A new trend popped up in 2025: insurers are now suing the security vendors that were supposed to keep their clients safe.
In a case filed in September 2025, an insurer called Ace American paid a breach claim — and then sued the tech vendors its client had hired for security. The insurer said those vendors failed to do their job. This puts a new kind of legal risk on IT providers and security firms.
In another case, Lab Corp (LCA) hired a vendor to help collect past-due bills. That vendor got breached, and the health and money data of over 10 million LCA patients leaked out. LCA got hit with a lawsuit from patients — and then a second lawsuit from its own shareholders, who said the company's leaders picked a vendor with weak security.
The lesson: a vendor breach can lead to lawsuits from customers, shareholders, rule-makers, and even your own insurer.
What's Coming in 2026
The gap between cyber risk and insurance coverage is getting wider. Here's why.
One vendor can take down many companies at once. The 2024 CrowdStrike outage — caused by a single software update — knocked out systems at hundreds of major companies at the same time. When one event leads to claims from that many clients, insurers respond by making their policies tighter and harder to collect on.
AI tools are adding new risks. As businesses use AI tools from outside vendors, they're taking on risks that most policies don't cover. When AI plays a role in a breach, it's often hard to figure out what went wrong — and that makes it harder to back up a claim.
New rules are raising the bar. Starting January 1, 2026, California requires yearly security audits for companies doing business in the state. Failing to meet these rules doesn't just mean legal trouble — it could also give insurers one more reason to deny your claim.
What You Can Do About It
The good news is that you can fix most of these gaps — if you act before a breach happens, not after.
Check your policy wording. Make sure your policy clearly says it covers breaches that happen on your vendors' systems, not just your own. This one change can make a big difference.
Get your name on your vendor's policy. Don't just ask vendors to have cyber insurance. Make sure their policy lists your company as someone who's also covered. This should last for the length of your contract plus at least five years after it ends.
Be truthful on your insurance form — and follow through. What you say about your security becomes a promise. Keep records that show you kept it: where two-step login is enforced, when software patches were applied, when backup restores were tested, and when the response plan was last reviewed. These records are the proof that decides if your claim gets paid.
Make your vendor contracts stronger. Your deals with vendors should spell out what security steps they must follow, how fast they must tell you about a breach, and who pays if something goes wrong.
Don't just trust — verify. The gap between what companies say they do and what they really do is where claims fall apart. Routine checks on your own systems and your vendors' systems aren't just smart — they protect your coverage.
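The steps above come down to one routine check: take the answers on your insurance form, take the records you actually keep, and see where they disagree, which is the same comparison an insurer's outside scan is making against your public systems. The script below is an added example, not code from the article or from any insurer; all system names, vendor names, dates and thresholds in it are constructed for illustration. It reconciles a set of attestation answers (two-step login everywhere, patches within 30 days, backup tests within 90 days, the vendors named on the policy) against an inventory of systems and flags each gap, marking which ones an outside scan of internet-facing systems could see on its own.

```python
"""Reconcile cyber-insurance attestation answers against kept evidence.

Added example with constructed data; the attestation questions mirror the
ones the article lists (two-step login, patch cadence, backup tests,
response plan, named vendors). Names and dates are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class System:
    name: str
    mfa_enforced: bool          # is two-step login actually enforced here?
    last_patch: date            # date of the last patch run on record
    internet_facing: bool       # visible to an insurer's external scan?
    vendor: Optional[str] = None  # None means run in-house


@dataclass
class Attestation:
    """What was written on the insurance application."""
    mfa_everywhere: bool
    patch_within_days: int
    backup_test_within_days: int
    named_vendors: Tuple[str, ...]   # vendors listed on the vendor-outage add-on


@dataclass
class Evidence:
    """What the organisation's own records actually show."""
    systems: List[System]
    last_backup_test: date
    response_plan_reviewed: Optional[date]


@dataclass
class Gap:
    system: Optional[str]        # None for organisation-wide findings
    message: str
    externally_visible: bool     # could an outside scan find this alone?


def find_gaps(att: Attestation, ev: Evidence, today: date) -> List[Gap]:
    """Return every point where the evidence contradicts the attestation."""
    gaps: List[Gap] = []
    for s in ev.systems:
        if att.mfa_everywhere and not s.mfa_enforced:
            gaps.append(Gap(s.name, "attested two-step login everywhere, "
                            "but it is not enforced here", s.internet_facing))
        lag = (today - s.last_patch).days
        if lag > att.patch_within_days:
            gaps.append(Gap(s.name, f"last patch {lag} days ago; attestation "
                            f"promised {att.patch_within_days}", s.internet_facing))
        # Vendor naming is a paperwork gap: an outside scan cannot see it.
        if s.vendor is not None and s.vendor not in att.named_vendors:
            gaps.append(Gap(s.name, f"run by vendor {s.vendor}, which is not "
                            "named on the policy", False))
    backup_age = (today - ev.last_backup_test).days
    if backup_age > att.backup_test_within_days:
        gaps.append(Gap(None, f"last backup restore test {backup_age} days ago; "
                        f"attestation promised {att.backup_test_within_days}", False))
    if ev.response_plan_reviewed is None:
        gaps.append(Gap(None, "no incident response plan review on record", False))
    return gaps


def demo() -> List[Gap]:
    """Run the check on a constructed inventory (hypothetical data)."""
    today = date(2026, 1, 15)
    attestation = Attestation(mfa_everywhere=True, patch_within_days=30,
                              backup_test_within_days=90,
                              named_vendors=("PeopleCloud",))
    evidence = Evidence(
        systems=[
            System("hr-portal", True, date(2026, 1, 3), True, "PeopleCloud"),
            System("payments-gateway", True, date(2025, 11, 20), True, "PayHandler"),
            System("legacy-vpn", False, date(2026, 1, 10), True),
        ],
        last_backup_test=date(2025, 9, 1),
        response_plan_reviewed=date(2025, 12, 1),
    )
    return find_gaps(attestation, evidence, today)


if __name__ == "__main__":
    for g in demo():
        where = g.system or "organisation-wide"
        seen = "visible to outside scan" if g.externally_visible else "records only"
        print(f"{where}: {g.message} [{seen}]")
```

Run as written it reports four gaps: the payment vendor is not named on the policy, that same system is 56 days behind the promised 30-day patch window, the VPN has no two-step login despite the "everywhere" answer, and the last backup restore test is older than the 90 days attested. Two of those (the patch lag and the missing two-step login on internet-facing systems) are exactly what an insurer's external scan could find without your help, which is why running this check yourself, on a schedule, belongs with the records you keep.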
If your business uses outside vendors — and nearly every business does — now is the time to check your coverage, not after something goes wrong.
Not sure your cyber insurance covers your real risks? Our team helps businesses find gaps in their coverage, build stronger vendor deals, and set up the records that insurers want to see. Contact us for a private look at your cyber insurance setup.