CoWorx Staffing Services did a lot of things right.

They hired a cloud services company to host their infrastructure. They hired a dedicated cybersecurity firm to monitor their network around the clock. They had detection software installed. They had contracts spelling out who was responsible for what.

And then a ransomware attack hit. CoWorx paid $500,000 in damages. Their insurer, ACE (a Chubb subsidiary), covered the claim.

Now ACE is suing both tech vendors to get that money back, arguing that failures by those vendors are what made the breach possible in the first place.

This case is a preview of where cybersecurity accountability is heading. And if you’re a smaller business owner who believes that having a cloud provider and an IT or security firm means you’re covered, this story is worth your full attention.


What Happened to CoWorx, and Why It Matters to Your Business

In April 2024, attackers got into CoWorx’s infrastructure through a compromised password. Here’s the catch: they only got in because multi-factor authentication (MFA) — a basic security control the cloud vendor, Congruity, was contractually responsible for — was never actually set up. Not enforced. Never enabled. Just… missing.

Multi-factor authentication (MFA) is a security method that requires more than a password to log in — like a code sent to your phone or an app approval. Congruity was explicitly contracted to provide it. They didn’t.

Once inside, the attackers escalated their access from a regular user account to the host server level — something that shouldn’t have been possible. The network had been configured incorrectly. A user on the guest network should never have been able to reach the host. They did.

Four days after the initial breach, the cybersecurity monitoring firm, Trustwave, detected activity. Their software flagged it. But they categorized the alert as “moderate” rather than “high” or “critical.” They didn’t notify CoWorx.

Five days after that, the ransomware deployed. Files were encrypted. CoWorx had no backups of those files because nobody had told them there was a problem to back up from. They paid to decrypt.

ACE covered the $500,000 claim. ACE is now suing Congruity and Trustwave for negligence, gross negligence, breach of contract, and breach of implied warranty.


Why Should a Smaller Business Owner Care About a Lawsuit Between Big Companies?

Because the lesson inside this lawsuit is not about corporate litigation. It’s about a set of assumptions that smaller businesses make every single day, and that this case proves can go badly wrong.

CoWorx assumed their cloud vendor was implementing the security controls they were contracted to implement. They weren’t.

CoWorx assumed their cybersecurity monitoring firm would alert them when something serious happened. It didn’t, because the firm didn’t recognize the activity as serious.

Neither of those failures was CoWorx’s fault, technically. And yet CoWorx experienced the breach, dealt with the ransomware, and lived through the aftermath. The lawsuit may eventually recover the insurance payout. It will not recover the operational disruption, the reputational damage, or the weeks of recovery.

Vendors can fail you. Contracts are not the same as verified controls. “We hired someone for that” is not the same as “we confirmed it’s working.”


Does Having a Cloud Provider or IT Firm Mean You’re Secure?

Not automatically. And this case is a clean illustration of why.

Your cloud provider manages your infrastructure. Your managed service provider (MSP) keeps your systems running. Your IT firm handles your technology. These are critical, valuable services. They are also not the same thing as a comprehensive, verified cybersecurity program.

In the CoWorx case, the cloud vendor was responsible for MFA. They just never implemented it. That gap, between what a contract says and what a vendor actually does, is invisible unless someone is checking. For most smaller businesses, nobody is checking.

This is the core of what OrbitalFire calls the accountability gap. It’s not that businesses don’t care about security. It’s that they’ve distributed responsibility across vendors without maintaining centralized visibility into whether those responsibilities are being fulfilled. When something goes wrong, the gaps surface. By then, it’s too late to close them.

MSPs keep you running. Cybersecurity services companies, like OrbitalFire, keep you secure, and that includes knowing whether the controls your vendors promised are actually in place.

What Should Smaller Businesses Take Away from the CoWorx Case?

Verify, don’t assume. If a vendor is contractually responsible for a security control, whether that’s MFA, network segmentation, patching, or monitoring, verify that it’s actually in place. Ask for evidence. Request documentation. If they can’t show you that the control is active and working, escalate or find a provider who can. “We handle that” is a starting point for the conversation, not the end of it.

Understand your monitoring and what triggers an alert. CoWorx had monitoring in place. The monitor detected the breach. The breach still wasn’t reported because the severity was categorized incorrectly. Do you know how your monitoring works? Do you know what level of event triggers a notification? Do you have a point of contact who will actually call you? These are questions your cybersecurity services partner would ask, and they’re worth asking before you need the answers urgently.

Know where your backups are and when they last ran. The ransomware in this case was devastating in part because CoWorx had no backups of the encrypted files. Backups are a basic cybersecurity control, and one of the most frequently overlooked. Where are your backups? How recent are they? Have you ever tested recovering from one? If the answers are vague, that’s the gap to close first.

What Does This Mean for Your Cyber Insurance?

This case is also an early signal of something the insurance industry is paying very close attention to: who is actually responsible when a vendor’s failure causes a breach?

For now, what matters most to your policy is that your stated security controls are genuinely in place, whether you’re implementing them directly or relying on a vendor. If your application says MFA is enabled across your systems and it turns out your cloud provider never set it up, that gap is yours to own when a claim is reviewed. “Our vendor was supposed to do it” may or may not be a legitimate legal argument in a lawsuit. It’s a much harder argument to make to an underwriter during a post-claim review.

The practical implication: if you are relying on vendors to fulfill security controls, you need a way to verify those controls are working. Not take their word for it. Verify.

You Can’t Audit What You Can’t See

The hardest part of the CoWorx story isn’t the ransomware. It’s that everything looked fine until it wasn’t. Contracts were in place. Vendors were engaged. Monitoring was running. And none of it was quite what CoWorx believed it to be.

Smaller businesses don’t have the staff to audit every vendor relationship continuously. But they can work with a cybersecurity partner who does this as a core part of the job: someone who helps you understand what your vendors are actually delivering, not just what they’re billing you for.

That’s exactly what OrbitalFire does. We work exclusively with smaller businesses to make cybersecurity simpler, stronger, and smarter. We protect you from cybercrime, audits, regulations, and yourself — including the version of yourself that trusts a vendor without verifying the controls they promised.

Want to know if your vendors are actually delivering what you’re paying for? Book your Cyber Reality Check with OrbitalFire today.


Frequently Asked Questions

If my vendor gets breached, am I still responsible? It depends on the context, but in most cases: yes, you bear the operational and reputational consequences regardless of who is legally at fault. In the CoWorx case, ACE covered the claim but CoWorx still lived through the breach, the ransomware, and the recovery. Legal liability and business impact are different things. Your goal is to avoid the breach, not just to establish who gets sued afterward.

What is MFA and why does it matter so much? Multi-factor authentication (MFA) requires a second form of verification beyond a password to log in to a system, like a code sent to your phone or a prompt in an authentication app. It’s one of the most effective basic controls against unauthorized access because a stolen password alone isn’t enough to get in. In the CoWorx breach, the attackers got in with a single compromised password because MFA was never enabled. This is one of the most common and most preventable breach vectors in smaller businesses.

How do I know if my vendors are actually implementing the security controls they’re supposed to? Ask for documentation. Reputable vendors should be able to show you that controls like MFA, logging, and network segmentation are actively in place and functioning. If they can’t or won’t, that’s a red flag. A cybersecurity partner like OrbitalFire can also conduct Third-Party Risk vendor security reviews as part of a broader security assessment, giving you an independent view of what your vendors are, and aren’t, delivering.

What’s the difference between cybersecurity monitoring and actually being secure? Monitoring means someone is watching for problems. Being secure means the right controls are in place so problems are less likely to occur, and that when monitoring does catch something, it’s acted on appropriately. In the CoWorx case, monitoring detected the breach and still didn’t prevent the damage because the alert was miscategorized. Monitoring is a critical layer of a security program. It’s not a substitute for one.

What should I do right now if I rely on vendors for security controls? Start by listing every vendor who is responsible for a security control, including cloud hosting, MFA, monitoring, backups, patching, and more. For each one, ask: can I verify this control is active and working today? If the answer is no, or you’re not sure, that’s your starting point. A cybersecurity gap assessment will surface these blind spots quickly and give you a clear action list before they become a breach report.
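The takeaways above (verify MFA, know what your monitoring escalates, check your backups) and this last answer describe the same verification loop. Here is that loop as a small Python script; it is an added example, not OrbitalFire’s tooling or anything from the CoWorx case record, and the vendor evidence it checks (an MFA enrolment report, a few monitoring alerts, backup timestamps) is constructed inline. The escalation rule it applies, notifying on privilege-escalation or guest-to-host activity regardless of the vendor’s own severity label, is the policy the page argues was missing, not a rule any particular vendor uses.

```python
"""Vendor-control verification: turn 'we handle that' into evidence checks."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 4, 30, tzinfo=timezone.utc)  # constructed reference time

# Constructed evidence a vendor might hand over; every value is illustrative.
MFA_REPORT = {"alice": True, "bob": True, "svc-admin": False, "carol": False}
ALERTS = [
    {"id": 1, "severity": "moderate", "tags": ["privilege_escalation", "guest_to_host"], "notified": False},
    {"id": 2, "severity": "low", "tags": ["failed_login"], "notified": False},
    {"id": 3, "severity": "high", "tags": ["malware"], "notified": True},
]
BACKUPS = {"last_run": NOW - timedelta(days=9), "last_restore_test": None}

# Our policy, independent of the vendor's severity label: these event tags
# must always reach us, as must anything the vendor rates high or critical.
ESCALATE_TAGS = {"privilege_escalation", "guest_to_host", "ransomware", "malware"}
NOTIFY_SEVERITIES = {"high", "critical"}
MAX_BACKUP_AGE = timedelta(days=1)
MAX_RESTORE_TEST_AGE = timedelta(days=90)


def mfa_gaps(report):
    """Accounts the vendor's own report shows without MFA (contract says all)."""
    return sorted(user for user, enabled in report.items() if not enabled)


def unnotified_alerts(alerts):
    """Alert ids that our policy says should have reached us but did not."""
    gaps = []
    for alert in alerts:
        must_notify = alert["severity"] in NOTIFY_SEVERITIES or bool(ESCALATE_TAGS & set(alert["tags"]))
        if must_notify and not alert["notified"]:
            gaps.append(alert["id"])
    return gaps


def backup_gaps(backups, now=NOW):
    """Backup control failures: stale last run, or no recent restore test."""
    gaps = []
    if backups["last_run"] is None or now - backups["last_run"] > MAX_BACKUP_AGE:
        gaps.append("backup_stale")
    tested = backups["last_restore_test"]
    if tested is None or now - tested > MAX_RESTORE_TEST_AGE:
        gaps.append("restore_untested")
    return gaps


def verify_all():
    """One report: every contracted control that cannot be shown to be working."""
    return {"mfa": mfa_gaps(MFA_REPORT), "alerts": unnotified_alerts(ALERTS), "backups": backup_gaps(BACKUPS)}


if __name__ == "__main__":
    for control, gaps in verify_all().items():
        print(f"{control}: {'OK' if not gaps else 'GAP ' + str(gaps)}")
```

Each non-empty list is a control you are paying for but cannot currently prove is working; the alert check is the one that would have flagged a “moderate” privilege-escalation alert nobody phoned in about.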