The black hole of cyber insurance: when the breach comes from outside
Imagine your company suffers a major disruption. Your customers cannot process payments on your platform, your data is exposed, and your team goes into crisis mode. But the source of the problem is not in your infrastructure: it is in one of your vendors. A payment processor, a SaaS service, a cloud platform. The breach comes from outside. And when you turn to your cyber insurance, you discover that coverage is nonexistent.
This is not a hypothetical scenario. It is exactly what happened to Ledger, the French cryptocurrency hardware wallet company, when its payment processor Global-e was compromised. Despite having cyber insurance, Ledger likely had zero coverage because the breach did not originate in its own systems.
The coverage gap nobody sees
Most cyber insurance policies were designed for a world with clear perimeters and well-defined internal risks. They cover scenarios such as compromised servers, employees falling for phishing, or misconfigured databases. These are real and relevant risks, but they represent only a fraction of the current attack surface.
The problem arises when the incident originates at a SaaS provider, a payment processor, a cloud platform, or a critical supply chain vendor. In these cases, coverage vanishes. Traditional policies simply do not anticipate these scenarios, or they explicitly exclude them in the fine print.
The numbers that should concern you
The data confirms this is not a marginal risk. According to recent studies, 45% of virtual machines on AWS are misconfigured, 63% on Google Cloud Platform, and 70% on Azure. Additionally, 28% of companies reported breaches related to cloud or SaaS services in the past year.
These percentages reveal an uncomfortable reality: the infrastructure that companies rely on to operate has significant vulnerabilities, and those vulnerabilities are outside the direct control of the organizations that depend on them.
The legal distinction that changes everything
Insurers distinguish between accidental incidents, which may be covered, and incidents stemming from negligence, which are typically excluded. If a vendor had known vulnerabilities or weak security controls, the insurer may argue that the company should have identified those risks before relying on that vendor. In that case, coverage is voided.
This distinction creates a dangerous gray area. How much due diligence is a company expected to perform on its vendors’ security? Is it reasonable to require an SME to audit the security infrastructure of every SaaS service it uses? The answers to these questions determine whether, in the event of an incident, the policy responds or not.
The digital ecosystem as an attack surface
In 2026, any company’s attack surface extends far beyond its own systems. It includes every SaaS provider, every API integration, every cloud service, and every link in the digital supply chain. And yet, most cyber insurance policies still assess risk as though the company operated in an isolated environment.
The result is a growing gap between the actual risks organizations face and the protection their policies provide. Companies pay premiums for coverage that does not respond to the most likely incident scenarios.
What your company should do
The solution is not to stop using external vendors, which is impossible in today’s digital environment. It is to adopt a comprehensive approach that combines third-party risk management with cyber insurance coverage that matches the risks the company actually faces.
Analyze third-party risks. Identify which vendors are critical to operations, what data they handle, and what impact a breach at each one would have.
Identify uncovered incidents. Review the current policy and map the scenarios that fall outside coverage, especially those related to vendors, cloud, and SaaS.
Adjust your policies. Negotiate coverage that explicitly includes contingent business interruption due to third-party failures, with reasonable sub-limits and waiting periods.
Integrate security controls with governance. Establish minimum security requirements for critical vendors: MFA, logging, incident notification clauses, audits, and encryption.
At Axyom, we help companies close this gap between real risk and coverage. We analyze each organization’s digital ecosystem, identify uncovered exposures, and design strategies that combine cybersecurity and cyber insurance in a coherent way.
Because in 2026, risk is no longer confined to your perimeter. And neither should your protection be.