
This is a conversation guide for explaining third-party cyber risk to clients who have never considered it. It collects breach data, insurance requirements, regulatory drivers, and real examples, organized so you can use them directly in client meetings. If your clients think vendor security is someone else’s problem, the numbers below will help you show them otherwise.
30% of all confirmed breaches now involve a third party, up from 15% the prior year. That shift happened in a single year, and it changes the risk profile for every organization that depends on vendors it has not assessed.
Third-Party Cyber Risk by the Numbers
Most SMB clients think about cybersecurity in terms of their own perimeter, such as firewalls, endpoint protection, and employee training. 46% of all cyber breaches impact businesses with fewer than 1,000 employees, and SMBs are targeted nearly 4x more frequently than large organizations. Vendor security rarely enters the conversation, because it feels like a problem that belongs to the vendor. The breach data from the past 18 months makes that assumption harder to hold.
Breach frequency
These numbers are specific, sourced, and worth leading with in client conversations because they are harder to dismiss than a general statement about the threat landscape.
- 30% of breaches involved a third party in 2024, double the 15% of the prior year (Verizon 2025 DBIR)
- 35.5% of breaches originated from third-party compromises, up 6.5% year-over-year (SecurityScorecard 2025)
- 88% of SMB data breaches involve ransomware, and third-party access is a primary vector (Verizon 2025 DBIR)
Every SaaS tool, cloud service, and outsourced function a client adopts is another vendor relationship that could become an entry point. The doubling from 15% to 30% reflects both increased targeting and the expanding surface area of modern vendor ecosystems. Your clients added tools throughout 2024 and 2025 without a corresponding increase in their ability to assess whether those vendors handle security responsibly. The attack surface grew while vendor oversight stayed flat.
Industry exposure
Some of your clients carry disproportionate exposure based on their industry, and those differences should shape which client conversations you prioritize.
- Retail and hospitality: 52.4% of breaches originated from third parties (SecurityScorecard)
- Energy and utilities: 46.7% from third parties (SecurityScorecard)
- Healthcare: 41% of 2024 breaches from third parties, with costs averaging $9.77 million per incident (Censinet/KLAS/AHA, IBM 2024)
A retail client hearing that more than half of breaches in their industry come through vendors processes the risk differently than hearing a statistic about breaches in general. The industry-specific data makes the conversation personal rather than abstract.
For clients outside these high-exposure sectors, the general numbers still carry weight. Third-party breaches cost $4.91 million on average, above the $4.44 million global mean (IBM 2025). The cost premium reflects what makes vendor breaches harder to contain: multiple organizations involved, unclear ownership of the response, and longer detection timelines because the breach originated outside the victim’s environment. A structured vendor risk assessment process is how your clients start closing that gap.
What Third-Party Cyber Risk Looks Like in Practice
When a client needs a concrete example of what vendor failure looks like in practice, this is the one worth using. Change Healthcare processed claims for hundreds of thousands of healthcare providers. Compromised credentials without MFA gave attackers access, and the downstream impact reached every organization that depended on the platform.
- 190 million individuals affected in the largest healthcare data breach in history
- Claims processing for hundreds of thousands of providers was disrupted for weeks
- Nearly two-thirds of physicians used personal funds to cover operational costs during the outage
- Small practices were hit hardest, with some facing bankruptcy from a breach that happened inside a vendor they could not control
The reason this example works in client conversations is that the failure mode is familiar. Your clients depend on vendors the same way those providers depended on Change Healthcare. If their payroll processor, cloud host, or billing platform gets breached, the impact cascades regardless of how strong their own perimeter security is. Most clients, when asked what their plan would be in that scenario, don’t have one.
How Cyber Insurance Is Driving Vendor Risk Requirements
Your clients may not follow breach statistics, but they will notice changes to their insurance renewal. Cyber insurers have become the most effective forcing function for vendor risk management, and the requirements are getting specific enough that clients can no longer treat vendor assessments as optional.
What carriers now require
Vendor risk assessments have moved from recommended to required. Major carriers, including Coalition, Marsh, and Munich Re, now cite vendor risk management as a core underwriting factor. The trend is consistent across insurer reports: vendor risk assessments are standard requirements for policy issuance and renewal, carriers increasingly mandate annual or continuous assessments for higher-limit policies, and standardized questionnaires like SIG and CAIQ are the most common format carriers accept for documentation.
The cost connection
Third-party breaches cost $4.91 million on average, above the $4.44 million global mean (IBM 2025). Insurers are tightening requirements because claims data shows the exposure. The global cyber insurance market reached $20.56 billion in 2025, and organizations without vendor risk programs face higher premiums and increased declination risk at renewal. Claims tied to third-party incidents receive additional scrutiny, with carriers increasingly denying claims where vendor risk documentation is absent or incomplete.
For your clients, insurance renewal is now a vendor risk conversation, whether they realize it or not. If you can help them prepare vendor risk documentation before renewal, you are solving a problem they will encounter in the next 12 months.
Regulatory Pressure on Third-Party Risk Management
For clients who respond more to compliance obligations than breach statistics, the regulatory landscape has shifted meaningfully in the past year.
DORA and NIS2
The EU’s Digital Operational Resilience Act (DORA) took effect in January 2025 for financial institutions, mandating third-party risk management as a core operational requirement. NIS2 extends similar obligations across the broader supply chain, adding supply chain security policies, 24–72 hour incident reporting, and required security clauses in vendor contracts.
For clients with European operations, customers, or partners, these requirements are not optional, and the downstream effects reach organizations well beyond the EU.
The compliance cascade
The challenge extends beyond any single framework. 66% of financial institutions feel pressure to enhance their TPRM programs, with nearly half citing auditors and regulators as the primary driver. SOC 2, HIPAA, PCI DSS, and CMMC all include vendor management requirements, and 47% of organizations failed audits two to five times in the past three years. Those requirements flow downstream. Your client may not need SOC 2 themselves, but their largest customer might, and that customer is going to send them a vendor risk assessment questionnaire. Having answers ready is the difference between a smooth vendor review and a scramble that damages the relationship.
Framing Third-Party Cyber Risk for Your Clients
The data above gives you the “why.” The framing below gives you the “how” for different client situations.
At a QBR
Ask the client to list their top 10 vendors by operational dependency. For each one, ask what the impact on their business would be if that vendor had a breach tomorrow. Most clients have never been asked that question, and the exercise tends to surface risk they can feel rather than data they can dismiss.
The follow-up is practical: “We can run a structured vendor risk assessment across your critical vendors. You will know which ones have strong security practices, which ones have gaps, and where your exposure is concentrated.” The vendor risk assessment questionnaire is a natural next step from that conversation.
At insurance renewal
Pull the client’s current policy language on vendor risk requirements. Many policies now include explicit conditions about third-party oversight. If the client’s policy requires vendor risk documentation they cannot produce, flagging it before the carrier does positions your service as insurance-readiness support rather than an upsell.
The framing that works: “Your insurance carrier is going to ask about vendor risk at your next renewal. We can help you have documentation ready, or you can explain why you do not.” Clients who face a concrete deadline (renewal date) are more responsive than clients evaluating risk in the abstract.
In a proposal for a new client
Lead with the industry-specific breach data. A healthcare prospect hears that 41% of healthcare breaches come through third parties. A retail prospect hears 52%. Then ask how many vendors have access to their data and how many of those vendors they have assessed. The answer is almost always “we don’t know” and “none.” That gap between the risk and the response is your service opportunity, and the specificity of the industry data makes it difficult to deflect as a generic threat that applies to someone else.
When a client pushes back
The most common objection is “we are too small to be a target.” The data answers this directly: third-party breaches don’t target the end victim. They target the vendor, and every organization that depends on that vendor becomes collateral. Change Healthcare didn’t target individual physician practices. It targeted the platform they all depended on. Size was irrelevant because the attack vector was the vendor relationship, not the individual organization.
The second most common objection is “our vendors are reputable companies.” Reputable companies get breached. Change Healthcare was part of UnitedHealth Group, one of the largest healthcare companies in the world. The question is not whether your vendors are reputable. It is whether you have visibility into their security practices and a plan for when something goes wrong. The essential components of cyber risk management start with that visibility.
From Conversation to Engagement
Every data point in this piece maps to a specific client situation. The insurance data works for renewal discussions. The regulatory stats support compliance gap assessments. The breach costs make the ROI case for proactive monitoring. And the industry-specific numbers give you a way to personalize the conversation for the client sitting across from you, rather than talking about cybersecurity in general terms.
The conversation opens the door. What follows is a structured vendor risk assessment that identifies critical vendors, evaluates exposure, and builds a remediation roadmap your client can act on. Most MSPs find that the assessment itself becomes a service worth billing for, and the findings create natural follow-on engagements around remediation, ongoing monitoring, and business continuity planning.
For MSPs building third-party risk management into their service portfolio, platforms like Cynomi provide the automated assessment workflows and vendor risk scoring to deliver this at scale across your client base.