The incident at Kaseya in July 2021 is often cited as a classic example of a digital supply chain attack. However, conversations with executives and CISOs reveal that the impact and lessons have not always been fully understood.
Kaseya is an American software company that provides management solutions to Managed Service Providers (MSPs). These MSPs, in turn, manage IT environments for hundreds to sometimes thousands of organizations, including many medium-sized companies in the Netherlands. This position in the chain made Kaseya an attractive target.
The attack was not primarily directed at Kaseya itself, but at the trust relationship between Kaseya, the MSP, and the end customer. This immediately revealed how far the digital supply chain extends, often further than executives realize. The incident demonstrates that cyber risks do not stop at one’s own firewall or IT department, but accumulate with suppliers, software developers, and service providers that are deeply integrated into business operations.
What happened technically, without resorting to jargon
The attackers exploited a vulnerability in Kaseya VSA, a management tool that allows MSPs to remotely monitor and manage customer systems. Such a tool inherently has extensive privileges, as it cannot function otherwise. Through this vulnerability, the criminals distributed malicious software that was automatically deployed to end customers’ systems.
The malware deployed was ransomware: files are encrypted and only released after payment of a ransom. The ransomware used came from the REvil group, at the time one of the most professional cybercriminal networks. It is important to understand that no end organization needed to do “anything wrong.” The attack used legitimate software and existing management channels. For executives, this is a sobering realization: even well-organized organizations with proper security measures can be affected through their suppliers, without any direct advance warning.
The impact: from IT disruption to business standstill
The consequences of the Kaseya incident were significant. An estimated 1,500 organizations worldwide were affected. In Europe, the temporary closure of supermarkets received considerable media attention, but production companies, accounting firms, and logistics service providers were also shut down for days.
For medium-sized organizations, this often meant more than just IT problems. Order processing stopped, invoicing was delayed, and customer trust came under pressure. In the Netherlands, we saw that companies were dependent on their MSP for recovery, while that same MSP was itself a victim. This created a sense of powerlessness among executives: they could not intervene but had to wait. The incident painfully demonstrated that continuity depends not only on internal processes, but on the resilience of the entire chain. Financial damage, reputational damage, and governance questions followed in quick succession.
Why this is a classic supply chain risk
The Kaseya incident is rightly classified as a supply chain attack because the attackers deliberately chose a link high in the chain. By compromising one supplier, they gained access to hundreds of organizations simultaneously. We know this principle from the physical supply chain: whoever hits a central distribution center shuts down multiple stores.
Digitally, it works the same way. What makes it extra complex is that many organizations do not have their digital chain fully mapped. Contracts often focus on price and availability, less on security and crisis response. Executives implicitly assume that reputable suppliers have their affairs in order. The Kaseya incident shows that reputation is no guarantee. Supply chain risks therefore require executive attention, comparable to financial or legal risks, and not exclusively technical solutions.
Executive lessons for management and CISO
An important lesson is that responsibility for supply chain risks must be explicitly assigned at the executive level. This does not mean that executives must become technical experts, but they must ask the right questions. Which suppliers have deep access to our systems? What happens if they fail or are compromised? And how quickly can we continue independently?
For CISOs, the challenge lies in translating risks comprehensibly into business impact. Terms like “remote management tooling” or “zero-day vulnerability” must be explained in terms of revenue loss, downtime, and reputation. Additionally, this requires scenario thinking: not if, but when a chain partner is affected. The Kaseya incident shows that a crisis plan without a supplier perspective is incomplete.
From incident to structural improvement
On the positive side, the Kaseya incident has led to increased awareness in many organizations. Suppliers are increasingly assessed on their security measures, exit scenarios are discussed, and backups are disconnected from management platforms. We also see that Dutch organizations are taking a more critical look at MSP structures and contractually establishing how incidents are reported and handled. These are steps in the right direction.
Supply Chain Risk Management is not a one-time project, but an ongoing process that evolves with digitalization. The Kaseya story shows that transparency, collaboration, and executive involvement are essential. Those who take these lessons seriously not only increase their digital resilience, but also the trust of customers and partners in an increasingly complex chain.