
Hackers reportedly infiltrated a third-party vendor earlier this year that provides customer service support to Adidas, spurring the leak of some customers’ personal information. In a May 23 statement from the international athletic brand based in Germany, Adidas says it took immediate steps to contain the incident and notify affected customers.

The data breach primarily exposed contact information for patrons who had used the company’s customer service help desk. Passwords and payment details were not compromised, according to Adidas.

The breach is just one example of the growing risks associated with third-party vendors, according to cybersecurity experts. Supply chain security is a “critical vulnerability” for businesses today, and every outside vendor can be a potential point of entry, cybersecurity firm McAfee noted in a recent report about the Adidas incident.

“One of the biggest misconceptions is that companies do not have a cybersecurity exposure because they are outsourcing certain services,” says Taras Shalay, associate managing director of Burns & Wilcox in Farmington Hills, Mich. “I try to explain that the risk extends not just to them but also to their business partners.”

Companies should be aware of these potential vulnerabilities and ensure that they have appropriate and comprehensive cyber liability insurance coverage, which can help offset the cost of data breach response and recovery. Third-party vendor partners should also carry this coverage.

“These cyber events happen all too often,” says Phillip Hawes, a professional liability broker with Burns & Wilcox in Chicago. “Depending on the business and how many records are affected, the claims can be extremely expensive.”

Hackers now target vendors

Adidas is being sued by a customer over the recent data breach — part of a growing trend of litigation that attempts to hold companies accountable for third-party vendor data breaches, according to the National Law Review. The University of Chicago Medical Center faces a similar lawsuit after a third-party breach that exposed sensitive data, with both lawsuits alleging that the organizations should have done more to protect customers.

Around 30% of data breaches in 2024 involved third parties such as suppliers, vendors, hosting partners or IT support providers, according to Verizon data reported by Tech.co. While large companies often have more robust cybersecurity safeguards in place, smaller third-party vendors may be easier for cyber criminals to exploit.

“Cyber criminals may target somebody who is a little bit weaker in the supply chain. This is definitely becoming more prevalent,” Hawes says. “A hacker might not be able to breach Walmart directly, for example, but if they go after a small shipper of bananas or oranges, that creates a potential opening. Claims are more likely to come from someone along the supply chain than from a Fortune 500 company.”

When a data breach is first identified, a company’s cyber liability insurance will typically respond “to determine what damage has been done and how it occurred,” Shalay says. “Through that process, the policy is going to make the insured whole, and then at the end of that process the insurance carrier will have the ability to subrogate and file a claim against whatever third parties may have been at fault.”

If a compromised company did not carry its own cyber insurance, it could face an uninsured loss.

“The third-party vendor may not have enough insurance to go around,” Shalay says. “If the vendor is an IT company with 500 customers and millions of records, a $1 million cyber policy likely will not be enough to extend to all of their clients… They would be left without any protection, and that can be really damaging.”

Never too much liability coverage

The average cost of a data breach globally is about $4.4 million, while the average U.S. data breach costs about $10.22 million, according to IBM’s 2025 Cost of a Data Breach Report. Costs related to data breaches can include regulatory penalties, consumer notification, monitoring services, business interruption, and defending against lawsuits.

These can be covered by cyber liability insurance, and additional protection can come through excess liability insurance.

For companies without insurance, a single data breach “could take them out of business,” Hawes says.

“It can be devastating, especially for small business owners,” he adds. “You can never have enough coverage.”

Cyber liability insurance policies can vary significantly, as different insurance carriers have their own endorsements and exclusions. Key add-ons may include coverage for wrongful collection and theft of physical goods.

“You definitely want to get multiple quotes and have an experienced broker provide coverage analysis so you can make the right decision,” Shalay says. “The policy is really meant to hold the insured’s hand through the whole process and minimize the cost from the first second of a breach.”

Directors & officers (D&O) insurance can provide an additional layer of loss protection, as it covers company leaders if they are personally sued over decisions made on behalf of the organization, Shalay says.

Building cyber resilience

To reduce exposure to data breaches occurring through third-party vendors, organizations can require specific cybersecurity best practices in their contracts with outside partners, assess vendors’ history of previous cyber incidents, and conduct ongoing security reviews. Insurers are increasingly asking these risk management questions during the underwriting process, Shalay says.

Companies that rely on third-party vendors to handle sensitive customer data should be particularly cautious when selecting partners, Hawes says.

“You always have to be careful — almost overcautious,” he says. “The world has become inherently riskier, but [cyber insurance] is cheaper than it has been in five-plus years. It is not a matter of if a data breach will occur, but when. No company is too small or too big.”

This article was first published on the Burns & Wilcox website and is reproduced here with permission.
