
Does Cyber Insurance Cover Supply Chain Attacks?


By Ryan Windt | Head of Growth Marketing | Updated April 2026


Supply chain attacks have become one of the defining cyber threats of the last several years. SolarWinds. Kaseya. MOVEit. Change Healthcare. In each case, attackers did not breach their ultimate targets directly. They compromised a vendor, a software provider, or a shared service platform that thousands of organizations depended on, and used that access to reach everyone downstream.

The question that follows for every business caught in the blast radius is the same: does my cyber insurance cover this?

The answer is more complicated than most policyholders expect. Coverage depends on how your policy defines a covered event, how it treats losses originating outside your own systems, and whether your specific sublimits and exclusions apply to the loss you actually suffered. This guide breaks it down.


What a Supply Chain Attack Actually Is

A supply chain attack is a cyberattack that targets an organization indirectly by compromising a vendor, software provider, managed service provider, or other third party that the target organization trusts and depends on.

The attack can take several forms:

Software supply chain attacks. An attacker compromises a software vendor’s build or update process and injects malicious code into a legitimate, signed software update. Every customer that installs the update is compromised, although the attacker usually exploits that foothold at only a subset of them. This was the mechanism behind the SolarWinds attack: the trojanized Orion update was delivered to roughly 18,000 customers, including multiple U.S. federal agencies, while a much smaller number were selected for follow-on intrusion.

Managed service provider attacks. An attacker compromises an MSP, or the remote management tooling the MSP uses, and turns that access against the MSP’s clients. Because MSPs typically hold privileged, often agent-based, access to client systems, a single MSP breach can cascade across dozens or hundreds of downstream businesses simultaneously. The Kaseya VSA attack in 2021 followed this pattern: attackers exploited vulnerabilities in on-premises VSA servers run by dozens of MSPs and used the product’s own deployment mechanism to push REvil ransomware to an estimated 1,500 downstream businesses.

Shared platform attacks. An attacker exploits a vulnerability in a widely used data transfer, communication, or processing platform. The 2023 MOVEit Transfer campaign, in which the Cl0p group exploited a zero-day SQL injection flaw to steal data rather than encrypt it, affected well over 2,500 organizations across healthcare, finance, government, and education, many of which never ran the software themselves and were exposed through a vendor that did. Change Healthcare’s 2024 ransomware incident disrupted claims processing for a significant portion of the U.S. healthcare system for weeks.

Third-party data processor breaches. An attacker compromises a vendor that holds or processes your data on your behalf. You never experienced a breach of your own systems, but your customers’ data was exposed through the vendor’s environment.

In each scenario, your organization suffers real losses: business interruption, data exposure, regulatory notification obligations, client claims. But the breach did not originate in your systems. That distinction is where cyber insurance coverage gets complicated.


How Cyber Insurance Typically Treats Supply Chain Losses

Most cyber policies were originally written with a first-party breach in mind: your systems are compromised, you suffer losses, your policy responds. Supply chain attacks strain that model because the compromise occurs outside your environment entirely.

Here is how the main coverage components typically apply.

Business Interruption

Standard business interruption coverage under a cyber policy covers revenue loss and extra expenses when your own systems are unavailable due to a cyber incident. If a supply chain attack takes down software you depend on or disrupts a service your operations rely on, whether your business interruption coverage responds depends on how your policy defines the triggering event.

Some policies require that the interruption result from a failure of your own systems or network. Under that language, a supply chain attack that disrupts your operations without touching your systems may not trigger business interruption coverage at all.

The coverage you want is called contingent business interruption or dependent business interruption. It extends business interruption coverage to losses caused by a cyber incident at a third-party provider your business depends on. This coverage exists in the market but is not included in all policies, is frequently sublimited, and sometimes requires that the third party be specifically scheduled in the policy. This is one of the most important coverage questions to ask before you bind.

Data Breach and Privacy Liability

If a supply chain attack results in the exposure of your customers’ or employees’ data through a vendor’s environment, you may still have notification obligations and face privacy liability claims even though the breach was not your fault.

Most cyber policies cover breach notification costs and privacy liability regardless of where the breach originated, as long as the exposed data was yours or in your care. This is one area where supply chain coverage tends to be more straightforward, though policy language varies and should be confirmed.

Ransomware and Extortion

If a supply chain attack deploys ransomware to your systems, that typically triggers your ransomware coverage the same way a direct attack would. The attack vector, through a vendor or directly, generally does not affect coverage for the ransomware itself. See our guide to ransomware coverage and what policies actually pay.

Network Security Liability

If a supply chain attack uses your systems as a waypoint to reach your clients or partners, and those parties bring claims against you, your network security liability coverage should respond. Again, confirm this with your broker; some policies require that the failure originate in systems you control.


The Coverage Gaps That Matter Most

Contingent Business Interruption Sublimits

Even policies that include contingent business interruption coverage frequently sublimit it significantly. A policy with a $5 million aggregate limit might provide only $500,000 for business interruption losses caused by a third-party vendor incident. For a business that depends heavily on a single platform or shared service, that sublimit can be exhausted quickly.

When reviewing your policy, find the contingent business interruption provision specifically and compare the sublimit to your actual revenue exposure from a multi-day outage of your most critical vendor dependency.

Scheduled vs. Unscheduled Vendors

Some contingent business interruption provisions only apply to vendors that are explicitly listed in the policy. If your critical vendor is not on the schedule, the coverage does not apply. This creates a gap for attacks on platforms you did not think to name, which is exactly the kind of attack supply chain incidents tend to involve.

Look for policies with broad contingent business interruption language that does not require vendors to be scheduled, or work with your broker to ensure your most critical dependencies are named.

War and Nation-State Exclusions

Supply chain attacks, particularly those targeting critical infrastructure or government contractors, are frequently attributed to nation-state actors. Since Lloyd’s of London required state-backed cyberattack exclusions in standalone cyber policies written in its market from March 2023, many cyber policies now include exclusions for losses attributable to nation-state attacks. The SolarWinds attack was publicly attributed by the U.S. and U.K. governments to Russia’s foreign intelligence service. Attribution is contested, technically complex (it rests on overlaps in infrastructure, tooling, and tradecraft that are rarely conclusive on their own), and legally unresolved in many jurisdictions, which is exactly why the precise wording of the exclusion matters.

If your business operates in a sector that is frequently targeted by state-sponsored attackers, or if you are a defense subcontractor, government vendor, or critical infrastructure operator, the nation-state exclusion language in your policy deserves careful scrutiny. Read more on how Lloyd’s nation-state exclusions affect coverage and what questions to ask your broker.

Systemic Event Exclusions

Some carriers have begun including exclusions or sublimits for systemic cyber events, meaning incidents that affect a large number of policyholders simultaneously through a shared vulnerability or platform. Supply chain attacks are, by definition, systemic: the same vulnerability affects everyone using the same software or service. Policies with broad systemic event exclusions could deny or limit coverage for exactly the kind of large-scale supply chain attack that makes headlines.

This is an emerging area of policy language that varies significantly by carrier. Ask your broker specifically whether your policy includes any systemic event exclusion or sublimit and how it is defined.


What the Major Supply Chain Attacks Revealed About Coverage

MOVEit

The 2023 MOVEit vulnerability affected well over 2,500 organizations across dozens of industries. Where the data was taken matters for coverage: many affected organizations never ran MOVEit Transfer at all and lost data from an instance operated by a payroll provider, benefits administrator, or other vendor, so there was no compromise of their own network, while organizations that hosted MOVEit Transfer themselves had the exploited server inside their own environment. Coverage outcomes varied significantly depending on which of those two situations applied, whether policies included third-party data processor breach coverage, how notification cost coverage was scoped, and whether privacy liability provisions required the breach to originate in systems the policyholder controlled.

Change Healthcare

The 2024 Change Healthcare breach, which disrupted claims processing across the U.S. healthcare system for weeks, was the clearest recent illustration of contingent business interruption exposure. Healthcare providers who could not submit claims or receive payments suffered significant revenue losses with no direct compromise of their own systems. Whether those losses were covered depended entirely on whether their policies included contingent business interruption coverage and how that coverage was structured.

Kaseya

The 2021 Kaseya VSA attack affected MSPs and their downstream clients simultaneously. For MSPs, the attack raised questions about both their own cyber coverage and their contractual liability to clients whose systems were compromised through the MSP’s platform. For MSP clients, coverage depended on whether their policies treated an attack delivered through their MSP’s tools as a covered cyber incident. Read more on MSP aggregation risk and cyber insurance.


How to Evaluate Your Current Policy for Supply Chain Coverage

When reviewing your existing cyber policy or evaluating a new one, work through these specific questions:

Business interruption trigger. Does your policy require the interruption to result from a failure of your own systems, or does it cover interruptions caused by third-party system failures?

Contingent business interruption. Is this coverage included? What is the sublimit? Does it require vendors to be scheduled, or does it apply broadly?

Third-party data processor coverage. Does your policy cover breach notification costs and privacy liability for data exposed through a vendor’s systems rather than your own?

Nation-state exclusion scope. How broadly is the nation-state exclusion written? What standard of attribution does it require? Is there a carve-back for businesses that are not the intended target of a state-sponsored attack?

Systemic event language. Does your policy include any exclusion or sublimit for systemic or widespread cyber events? How is that defined?

Vendor management requirements. Does your policy require you to maintain a vendor management program as a condition of coverage for third-party losses? If so, what does that program need to include?

Our guide to cyber insurance exclusions covers the full landscape of what most policies will not cover and how to identify those gaps before a claim.


Reducing Supply Chain Risk: What Underwriters Want to See

Coverage for supply chain losses is more accessible and more affordable when you can demonstrate that you take vendor risk seriously. Underwriters increasingly ask about vendor management programs, not just your own security controls.

Vendor inventory and risk tiering. A documented list of your critical vendors with an assessment of the access each has to your systems and data, and a risk tier assigned based on that assessment.

Contractual security requirements. Vendor contracts that include minimum security standards, breach notification obligations, and the right to audit.

Monitoring and oversight. Some form of ongoing visibility into the security posture of your most critical vendors, whether through questionnaires, third-party risk platforms, or certification requirements.

Incident response planning for vendor failures. A documented plan for how you would respond if a critical vendor suffered an outage or breach, including backup procedures and communication protocols.

These controls will not prevent a supply chain attack. But they demonstrate the kind of risk awareness that translates into better coverage terms, fewer exclusions, and a stronger position at claim time. See our cyber insurance requirements checklist for the full set of controls underwriters evaluate.
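The review questions above and the vendor inventory underwriters ask for fit together naturally: once critical vendors are tiered by access and revenue dependence, the policy terms can be checked against them mechanically. The following is an added worked example and is not code from the original article or from SeedPod Cyber. The vendor records, the tiering thresholds, the outage length, and the policy terms are all constructed assumptions; it checks each Tier 1 vendor against the contingent business interruption trigger, the vendor schedule, and the sublimit, checks any vendor holding personal data against third-party processor coverage, and, because the sublimit is shared across vendors, also reports the shortfall if every Tier 1 vendor fails at once, the systemic case the article describes.

```python
"""Vendor risk tiering and cyber-policy gap check.

Added worked example; this is not code from the original article or from
SeedPod Cyber. The vendor records, the tiering thresholds and the policy
terms are constructed assumptions used to illustrate the review questions
in the article (contingent BI trigger, sublimit, scheduled vendors,
third-party data processor coverage).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vendor:
    name: str
    access: str                   # "none", "data" or "privileged" access to our environment
    holds_pii: bool               # processes our customers' or employees' personal data
    daily_revenue_at_risk: float  # revenue lost for each day this vendor is unavailable


@dataclass
class Policy:
    aggregate_limit: float
    contingent_bi_sublimit: Optional[float]   # None means no contingent BI coverage at all
    scheduled_vendors_only: bool              # coverage applies only to vendors named in the policy
    scheduled_vendors: set = field(default_factory=set)
    covers_processor_breach: bool = True      # notification/privacy liability for data exposed at a vendor


def risk_tier(v: Vendor) -> int:
    """Tier 1 is critical. Thresholds are an assumption, not an industry standard."""
    if v.access == "privileged" or v.daily_revenue_at_risk >= 25_000:
        return 1
    if v.holds_pii or v.daily_revenue_at_risk > 0:
        return 2
    return 3


def coverage_gaps(vendors, policy: Policy, outage_days: int):
    """Return one entry per vendor whose loss scenario the policy would not fully cover."""
    report = []
    for v in vendors:
        tier = risk_tier(v)
        issues, exposure, uncovered = [], 0.0, 0.0

        if tier == 1:
            exposure = v.daily_revenue_at_risk * outage_days
            if policy.contingent_bi_sublimit is None:
                issues.append("no contingent business interruption coverage")
                uncovered = exposure
            elif policy.scheduled_vendors_only and v.name not in policy.scheduled_vendors:
                issues.append("vendor not on the policy schedule; contingent BI would not respond")
                uncovered = exposure
            else:
                uncovered = max(0.0, exposure - policy.contingent_bi_sublimit)
                if uncovered:
                    issues.append(f"{outage_days}-day outage exceeds the contingent BI sublimit")

        if v.holds_pii and not policy.covers_processor_breach:
            issues.append("data held at this vendor is not covered for notification or privacy liability")

        if issues:
            report.append({"vendor": v.name, "tier": tier, "exposure": exposure,
                           "uncovered": uncovered, "issues": issues})
    return report


def systemic_shortfall(vendors, policy: Policy, outage_days: int) -> float:
    """Shortfall if every Tier 1 vendor is down at once (one shared sublimit, not one per vendor)."""
    total = sum(v.daily_revenue_at_risk * outage_days for v in vendors if risk_tier(v) == 1)
    if policy.contingent_bi_sublimit is None:
        return total
    return max(0.0, total - policy.contingent_bi_sublimit)


# Constructed sample inventory and policy terms (not real vendors or a real policy).
VENDORS = [
    Vendor("claims clearinghouse", access="data", holds_pii=True, daily_revenue_at_risk=40_000),
    Vendor("managed service provider", access="privileged", holds_pii=False, daily_revenue_at_risk=20_000),
    Vendor("file transfer service", access="data", holds_pii=True, daily_revenue_at_risk=2_000),
    Vendor("office supplies", access="none", holds_pii=False, daily_revenue_at_risk=0),
]

POLICY = Policy(
    aggregate_limit=5_000_000,
    contingent_bi_sublimit=500_000,
    scheduled_vendors_only=True,
    scheduled_vendors={"claims clearinghouse"},
    covers_processor_breach=True,
)

if __name__ == "__main__":
    for entry in coverage_gaps(VENDORS, POLICY, outage_days=20):
        print(f"{entry['vendor']}: exposure {entry['exposure']:,.0f}, uncovered {entry['uncovered']:,.0f}")
        for issue in entry["issues"]:
            print(f"  - {issue}")
    print(f"shortfall if all Tier 1 vendors fail together: {systemic_shortfall(VENDORS, POLICY, 20):,.0f}")
```

With the sample data, a 20-day outage at the scheduled clearinghouse exceeds the $500,000 sublimit by $300,000, the MSP is unscheduled so its entire $400,000 exposure is uncovered, and a simultaneous failure of both leaves a $700,000 shortfall against the single shared sublimit. Swapping in your own vendor list and the terms from your policy turns the article’s checklist into a number you can take to your broker.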


The Bottom Line

Cyber insurance can cover supply chain attack losses, but whether it actually does depends on your specific policy language. The gaps that most commonly leave businesses exposed are sublimited or absent contingent business interruption coverage, vendor scheduling requirements, nation-state exclusion language, and systemic event carve-outs.

If your business depends on shared platforms, managed services, or third-party data processors, and most businesses do, reviewing your policy for supply chain coverage is not a theoretical exercise. It is one of the most consequential coverage questions in the current threat environment.

SeedPod Cyber helps businesses evaluate their cyber policies for supply chain exposure, identify gaps before they become claim denials, and connect with carriers whose policy language reflects the actual threat landscape.

Get a quote from SeedPod Cyber


Frequently Asked Questions

Does cyber insurance cover losses from the MOVEit or Change Healthcare breach?

It depends entirely on your policy. Organizations with contingent business interruption coverage and broad third-party data processor breach language were generally better positioned than those with policies that required the breach to originate in their own systems. If your organization was affected by either breach and your claim was denied or limited, the policy language around third-party incidents is the place to start the review.

What is contingent business interruption coverage and do I need it?

Contingent business interruption coverage extends your business interruption coverage to losses caused by a cyber incident at a vendor or third-party provider you depend on. If your operations could be significantly disrupted by an outage at your core software platform, cloud provider, payment processor, or any other critical vendor, you need this coverage. It is not included in all policies and is frequently sublimited; ask your broker specifically whether it is in your policy and what the limit is.

Does the nation-state exclusion mean I am not covered for SolarWinds-style attacks?

Potentially, yes, depending on how your policy’s exclusion is written. Some exclusions require a formal government attribution before they apply. Others apply based on circumstantial indicators. If your business operates in a sector that is a frequent target of state-sponsored attackers, review your policy’s nation-state exclusion language carefully and ask your broker how attribution disputes would be handled at claim time.

If my MSP was breached and ransomware hit my systems through them, am I covered?

Ransomware that reaches your systems through an MSP breach typically triggers your ransomware coverage the same way a direct attack would. The more nuanced question is whether your business interruption coverage applies during the period your systems were unavailable and whether your MSP’s own liability to you is covered anywhere. If you use a managed service provider, the cyber insurance considerations for MSP clients are worth reviewing.

Should I require my vendors to carry cyber insurance?

Yes, and most risk-conscious businesses and underwriters increasingly expect it. Vendor contracts should require minimum cyber insurance limits appropriate to the sensitivity of the data or access involved, with your organization named as an additional insured where possible. This does not eliminate your own coverage need, but it creates a recovery path against the vendor in the event their breach causes you losses.


Cyber Insurance Exclusions: What Most Policies Won’t Cover — The gaps that produce denied claims and how to identify them before you bind.

Lloyd’s Nation-State Attack Exclusions — How the market is handling attribution risk and what it means for your coverage.

MSP Aggregation Risk and Cyber Insurance — How vendor-side breaches cascade to downstream organizations and what coverage applies.

Cyber Insurance Sublimits Explained — How sublimits work, where they create gaps, and what to look for in your policy.

Does Cyber Insurance Cover Ransomware Payments? — What ransomware coverage actually pays for and what conditions apply.

