Vendor Risk Management Made Simple

In an article published on April 24, 2019 by eSentire's Chief Security Strategist, Mark Sangster, we are reminded of how exposed organizations are to the risks posed by their vendors, and by their vendors' vendors. eSentire commissioned a study of senior information security and privacy executives from 600 companies across different industries to find out what the real risk looks like and how well it is being managed. The key results are not particularly surprising to those of us who focus on this space, but they are nonetheless alarming:

44% of the companies had suffered a breach at the hands of a vendor in the previous year, even though most of them (81%) reported feeling confident in the security policies and procedures they were requiring of those vendors.
Of the nearly 250 companies that experienced a vendor-driven breach, 32% suffered a loss of PII, 29% a loss of payment information, and 24% a loss of proprietary business information, which can be far more damaging than other types of data loss (for more about how to cover this risk, please visit our sister website at
27% of these breaches resulted in disrupted operations, 52% in increased operational complexity and cost, 19% in reputational damage, and 26% in financial losses and penalties.

Vendor management has moved from an emerging trend in cyber risk to an everyday reality that is increasingly difficult for your clients to manage. Several of the more recent privacy laws and security guidelines, such as the New York Department of Financial Services (DFS) Cybersecurity Regulation (23 NYCRR 500) requirements for third-party service providers (section 500.11), or the National Cyber Security Centre (NCSC) Principles of Supply Chain Security, specifically lay out what an organization must do to shore up this exposure, and of course HIPAA has pushed security requirements onto Business Associates holding or processing healthcare information for several years now. But finding the right balance of responsibility between a company and its vendors continues to be a major source of frustration for both parties: vendors are desperate to cap their costs from a "systemic" issue that affects many (all?) of their customers at once, while the hiring company does not want to take on the contingent business interruption losses and extra expenses associated with hundreds of vendors over whom it has little control.

MSR VendorTech was developed to bridge this gap. It is the first of its kind in the insurance market: a Cyber and Technology Errors & Omissions policy written on a contract-specific basis, so that the coverage inures only to the benefit of the "enterprise" that sponsors the program. It offers small to mid-sized vendors up to $10M of coverage, primary to the vendors' other insurance, and should give the enterprise comfort that the vendor will be able to stand behind its indemnity obligations in the event of a breach, outage, or error. As the cyber market hardens quickly following two years of escalating claims, carriers are beginning to tighten coverage and underwriting requirements before they will offer "contingent business interruption" terms, which makes a solution for your clients all the more necessary.

MSR uses the ML-based SaaS services from CyberWrite to help our underwriting team and the Enterprise identify those vendors with a higher risk rating, and to benchmark the assessment results across all participating vendors, giving the Enterprise a critical tool for managing and mitigating risk.
For more on MSR VendorTech and the services that come with it, please visit the MSR website at 

And for more information on CyberWrite, please see this recent article. 

Author: Mary Guzman, Managing Director, MSR Underwriters, Copyright 2020, all rights reserved.
