You can have perfect internal security and still get breached through a vendor. That's not theoretical — it's the dominant attack pattern of the last five years. SolarWinds, MOVEit, Kaseya: each was a supply chain compromise where the attacker never touched the victim directly. They went through the software and service providers that the victim already trusted.
For Canadian businesses, third-party cyber risk is arguably the most undermanaged threat in their risk portfolio. Here's why, and what to do about it.
The Scale of Third-Party Risk
The numbers tell the story:
- SolarWinds (2020): Compromised software updates from a trusted IT vendor gave attackers access to ~18,000 organizations, including multiple Canadian government agencies. The attack was undetected for 14 months.
- Kaseya VSA (2021): Ransomware pushed through a managed service provider (MSP) platform compromised up to 1,500 businesses globally. Canadian MSPs and their clients were heavily affected.
- MOVEit Transfer (2023): A vulnerability in file transfer software exposed data at thousands of organizations. Canadian universities, government bodies, and financial institutions were among the victims.
The pattern is consistent: attackers target a single vendor with broad access to many clients, then ride that trusted connection into hundreds or thousands of downstream victims simultaneously. It's a force multiplier that makes every vendor relationship a potential attack vector.
Why Canadian SMEs Are Particularly Exposed
Canadian small and medium businesses face a specific set of third-party risk factors:
- High MSP dependency. Canadian SMEs heavily outsource IT to managed service providers. Your MSP has administrative access to your network, email, endpoints, and often your backup systems. If they're compromised, you're compromised — and many MSPs have weaker security than the businesses they serve.
- Cloud concentration. Most Canadian businesses rely on a small number of cloud platforms (Microsoft 365, Google Workspace, AWS, Azure). A breach at any of these providers affects your data, but you have no contractual ability to audit their security.
- Regulatory obligation. Under PIPEDA, you're responsible for personal data even when a vendor is processing it on your behalf. A vendor breach that exposes your customers' data is your PIPEDA breach. The OPC doesn't care that it was the vendor's fault.
- Limited leverage. SMEs can't negotiate enterprise-grade security terms with major vendors. You accept the standard terms of service, which typically disclaim all liability for security incidents.
Vendor Assessment: A Practical Approach
You don't need an enterprise vendor risk management program. Start with a tiered approach:
Tier 1: Critical Vendors (Full Assessment)
These are vendors with access to your customer data, financial systems, or network infrastructure. MSPs, cloud platforms, accounting software, CRM systems.
- Request SOC 2 Type II reports (or SOC 1 for financial processing)
- Verify ISO 27001 or equivalent security certifications
- Review their breach notification procedures and timeline
- Ask for proof of their own cyber insurance
- Assess their data handling and retention practices
Tier 2: Important Vendors (Questionnaire)
Vendors that handle business data but not customer PII or core infrastructure. Marketing tools, project management platforms, communication tools.
- Send a security questionnaire (there are free templates available)
- Confirm data encryption at rest and in transit
- Verify breach notification commitments
Tier 3: Low-Risk Vendors (Monitor)
Vendors with minimal data access. Single-purpose tools, public-facing services.
- Confirm basic security practices on their website
- Set up Google Alerts for "[vendor name] breach" — low effort, reasonable coverage
Contractual Protections
For Tier 1 vendors, your contracts should include:
- Indemnification: The vendor indemnifies you for losses resulting from their security failures
- Right to audit: You can request security assessments or audit reports annually
- Breach notification timeline: The vendor must notify you within a defined period (typically 24-72 hours) of discovering a security incident
- Cyber insurance requirement: The vendor maintains cyber insurance with minimum coverage limits
- Data handling requirements: Specific provisions for how your data is stored, encrypted, and eventually destroyed
Reality check: You won't get Microsoft or Google to change their contracts. Focus contractual negotiation on your MSP, accounting provider, and any vendor that handles customer data directly. Those are the relationships where you have leverage and where the risk is highest.
How Cyber Insurance Treats Third-Party Incidents
Good news: most standalone cyber insurance policies cover third-party incidents. The key coverages include:
- Dependent business interruption: Lost income when a vendor outage disrupts your operations
- Breach response costs: Forensic investigation, notification, and credit monitoring when a vendor breach exposes your data
- Regulatory defence: Legal costs when PIPEDA or provincial regulators investigate a vendor-related breach affecting your customers
- Third-party liability: Defence and settlement if customers sue you for a breach that originated with your vendor
The catch: not all policies cover third-party incidents equally. Some impose sub-limits on dependent business interruption. Others have waiting periods before coverage kicks in. And policies with AI exclusions may not cover incidents where AI tools were used to exploit the vendor (see our Claude Mythos analysis).
The Canadian Regulatory Angle
Canada's regulatory environment is moving toward explicit vendor risk requirements:
- PIPEDA Principle 4.1.3: Organizations are responsible for personal information transferred to third parties for processing. You must use contractual means to provide comparable protection.
- Quebec Loi 25: Requires documented agreements with service providers handling personal information, including confidentiality obligations and incident notification requirements.
- OSFI (financial services): Federally regulated financial institutions must manage third-party risk as part of their operational risk framework. Expect this to cascade to smaller organizations through vendor requirements.
The regulatory direction is clear: you own your vendor risk. Manage it proactively, insure the residual, and document your due diligence. That's your defence when — not if — a vendor breach affects your business.