
When your cybersecurity or IT provider doesn’t authentically communicate your risk — or fails to meaningfully adhere to standards — the bill may come due after the fact. A recent case puts this in sharp relief.
ACE American Insurance (a Chubb unit) is suing two firms that provided tech and cybersecurity services to its policyholder, CoWorx Staffing Services, arguing they should be on the hook for $500,000 in ransomware damages.
Here’s what reportedly went wrong:
• Congruity, the cloud/VM provider, was responsible for securing the virtualization layer and for enforcing remote access controls like MFA (multi‑factor authentication). But ACE claims Congruity never actually enforced MFA, so a single compromised password was enough to gain entry.
• The attackers escalated from a guest VM to access host infrastructure—something ACE says should never have been possible if Congruity had properly segregated host and guest environments. (Insurance Journal)
• The cybersecurity provider (Trustwave) allegedly flagged an intrusion as a “moderate” event instead of “critical,” delaying escalation. That delay, ACE contends, deprived CoWorx of the chance to back up data before encryption.
• Ultimately, ACE paid the $500,000 ransom + associated costs, and now aims to recover those losses via litigation.
This story isn’t just about one lawsuit. It’s a warning shot about the hidden costs of vendor misalignment:
1. If your provider doesn’t genuinely own or share in your risk, they may be less incentivized to prevent major failures.
2. Failure to enforce basic controls (like MFA), implement proper network segmentation, or proactively escalate threats can turn a breach into a catastrophe.
3. Misclassification of incidents (under‑reporting severity) can kill your window to respond and recover.
4. Contracts and service agreements may limit vendor liability—but those limits may not survive scrutiny if negligence or breach of contract can be shown.
5. You can pay in dollars, data loss, customer trust, or reputation.
If you’re evaluating managed service providers, cloud partners, or security firms: don’t just ask what they will do. Ask:
• How will they share liability if something goes wrong?
• How do they classify and escalate incidents?
• What guarantees or SLAs back up security functions?
• How transparent are they about their own environment and controls?
• Can you test their adherence to your requirements (e.g. audits, compliance checks)?
In security, the cheapest contract today can become your most expensive regret tomorrow.
#CyberRisk #VendorManagement #SecurityAccountability #CloudSecurity #CyberLiability #DueDiligence #IncidentResponse #SupplyChainRisk #InfoSecLeadership


