Summary:
Matt Cullina, Head of Global Cyber Insurance at TransUnion, recently had a conversation with David J. Chamberlin, Managing Director of Orrick’s Strategic Communications Advisory Team. He, alongside Orrick's lawyers, advises clients on reputational risk, communications strategies to address those risks, and global business operations issues. Their discussion explored current trends in data breaches — specifically Chamberlin’s assertion that when it comes to communicating about cyber events, there’s no such thing as a third-party breach.
Disclosure:
Remember that this material is intended to provide you with helpful information and is not to be relied upon to make decisions, nor is this material intended to be or construed as legal advice. You are encouraged to consult your legal counsel for advice on your specific business operations and responsibilities under applicable law. Trademarks used in this material are the property of their respective owners and no affiliation or endorsement is implied.
Customers don’t care if it’s a vendor data breach — they care it happened
Cullina: David, you’ve certainly found a provocative take. No such thing as a third‑party breach? What’s the core idea you want leaders — especially in insurance and cyber risk — to take away?
Chamberlin: After three decades in corporate communications and marketing, one truth has become clear: When customers receive an alert their personal data may be at risk, they don’t care which vendor made the mistake. They care that it happened — and did so under your brand’s watch. In our hyper-connected world, a supplier’s failure is experienced as your failure. Pointing fingers rarely works; people want reassurance, not excuses. Accountability, in the eyes of the public, simply isn’t transferable.
And the numbers bear it out. Data breaches are escalating at a pace we haven’t seen before. This isn’t a fringe problem anymore.
Cullina: Data breaches are absolutely mainstream events. TransUnion research shows US data breach volume jumped by 47% in 2025 compared to 2024, and supply chain attacks in particular — those “third-party” incidents — nearly doubled. Our insurance clients are seeing firsthand how third-party incidents carry outsized impact, even if the party responsible for exposing the information doesn’t really matter to the victims. If accountability isn’t transferable, how should carriers and brokers frame responsibility when a vendor is clearly at fault?
Chamberlin: I’ve watched legal teams reach for contracts and indemnities, hoping to shift responsibility. But reputation doesn’t work that way. To customers, regulators and the media, there’s no such thing as a “third-party breach.” There’s only the company they trusted — and a moment when that trust is tested.
When a breach hits, customers aren’t interested in which vendor missed a patch or whose controls were lacking. They want to know: Is my data safe? Is my money secure? Will my life be disrupted? And most importantly, is someone actually in charge? If they experience harm, confusion or delay, they’ll blame you — the brand they chose — not some faceless third party.
Silence and legalese sound like evasion — not a cyber incident response
Cullina: Agreed, and the public has a right to be concerned about who they entrust with their data. Last year, nearly 8 in 10 breaches exposed Social Security numbers, according to TransUnion research. That’s an all-time high. Exposure of driver’s license and bank account data is climbing, too. Since these are the kind of personal risks customers fear most, how should insurers talk about them?
Chamberlin: The thing is, customers can’t manage vendor risk: that’s our job. When something goes wrong, the question is always: Why didn’t you protect me? Legal fault matters later, but in the moment, it’s irrelevant to the people who matter most — your customers.
So, what do you do? You start by mapping what customers see, feel and fear. What don’t they know? What would a reasonable person expect you to explain or resolve? Early communications and actions should answer those questions, not just cover legal bases.
Cullina: Post-incident communications are critical, which is why our incident response team focuses on helping organizations develop their comms plans. How can the industry improve those communications?
Chamberlin: Honestly? After a breach, only a small fraction of customers enrolls in credit monitoring that’s offered to them in their notification letters. That disengagement with the incident can turn into disengagement with the brand. That’s the problem. We can do better, with clear, proactive communication and meaningful protection, not just legal disclaimers.
Cullina: One effective tactic we’ve seen implemented is mobilizing a team with the expertise and empathy to help field customer questions during the incident response phase. While some organizations opt to take such extra steps, we also know within other companies, a vendor breach is simply labeled a tech issue, poor procurement or a legal headache. How are those incidents typically viewed by those outside of these organizations?
Chamberlin: It’s undoubtedly seen as a failure of stewardship. The reputational impact lands squarely on your brand.
That’s why silence, deflection or legalese so often backfires. When companies hide behind phrases like “this didn’t involve our systems” or “we weren’t at fault,” stakeholders hear evasion, not reassurance. Suspicion grows just when you need trust the most.
Owning a cyber incident isn’t admitting liability; it’s showing leadership
Cullina: Okay, understood, but at the same time it’s natural for an insured’s first instinct to be to help customers in order to minimize their own risk exposure against claims. Is there a strong first statement that doesn’t admit liability? What alternative language might you suggest?
Chamberlin: I’d argue clear, timely and accountable engagement doesn’t concede liability — it shows leadership. Communicate early, share what you know, explain what you’re doing and commit to protecting your customers. That’s how you stabilize trust, even as the facts are still coming in.
The reality is the complexity of these incidents is only increasing, and third-party breaches are here to stay. Responding to them is becoming more challenging. Companies must be ready to own outcomes, not just allocate blame.
Cullina: That makes sense, and it’s why our team focuses on isolating and remediating the exposures quickly — so companies can secure their systems and communicate a proactive response. Related to this topic: I’ve heard you talk about drawing a distinction between admitting legal issues and owning operational ones. What role should insurers take in helping their business customers walk that line?
Chamberlin: Owning operations and admitting liability aren’t the same thing. Yes, you need to state the facts, including when an incident starts with a third party. But don’t suggest you’re abdicating responsibility.
Customers and regulators hold accountability for outcomes: protecting data, restoring access, and preventing it from happening again. Owning those outcomes — morally and operationally — signals seriousness and competence. It also tends to reduce regulatory friction because you’re acting like a steward, not a bystander.
The false choice between protecting the company and retaining customer trust
Cullina: There are many legal advisors who would simply advise organizations to say, “no comment.” You seem to be suggesting organizations walk a tightrope of disciplined messaging and signaling accountability.
Chamberlin: I think organizations should try to resist the false choice between protecting the company and protecting trust. Too often, legal and communications teams that aren’t working together, but in silos, tend to reinforce that false choice. Responses can balance both — precise facts, disciplined language and an unequivocal commitment to customer protection. When legal, communications, risk and operations work together from the start, you’re far better positioned to get it right.
Cullina: Totally agree. In fact, getting responses right following an incident is key. Often, the complexity of the response can create as much risk as the breach itself. And in a supply-chain event, the response can be disjointed since each organization will respond based on its own industry standards, regulatory requirements, crisis management strategies and other factors. Without a well-thought-out response plan in place, the lack of coordination can create new risks. Based on the wide range of incidents you’ve seen during your career, what do you think distinguishes strong responses from weak ones?
Chamberlin: Strong responses are customer centric. They’re fast but not reckless — and consistent across channels. They explain what happened in plain language, outline concrete steps and provide clear next updates. Their focus is on trying to fix and prevent as much as possible — not blame.
Weak responses, on the other hand, can be defensive. They often try to minimize the impact of an incident before understanding it. And they let gaps in communication get filled by rumors or regulatory concerns.
Leadership during a cyber incident is not optional
Cullina: Earlier, you noted how different operational groups need to work together to protect trust in the wake of a third-party incident. What’s the role of executives?
Chamberlin: In these moments, leadership isn’t optional. It’s actually the difference between preserving trust and losing it. And that leadership includes preparing for cybersecurity moments — by aligning legal, reputational and operational playbooks in advance. Organizations whose leadership understands this are far more resilient when something inevitably goes wrong.
In a breach, customers aren’t grading your contracts. They’re judging whether you deserve their trust tomorrow. Handled poorly, these moments erode trust; handled well, they preserve enterprise value and regulatory credibility.