Brylee Jaghbir
Head of Cyber, Pacific
Third-party cyberattacks occur when an attacker gains access to an organization’s data or systems through their supply chain, which can consist of vendors, subcontractors, and/or service providers. An attack against a single vendor can expose sensitive data of multiple organizations simultaneously — with far-reaching consequences that can impact the bottom line and cause reputational harm.
As recent headlines indicate, these types of attacks are increasing, highlighting how critical it is for your organization to understand the cyber hygiene of the vendor ecosystem that supports your operations. Supply chain risks can impact all organizations, especially those that have technology connectivity to or can otherwise access your organization’s data.
In addition to implementing generally accepted cyber hygiene best practices, your organization should consider taking the following actions to reduce the likelihood and impact of a third-party cyberattack.
1. Determine which critical product and service providers are a part of your vendor ecosystem. This includes, where possible, identifying the critical vendors and suppliers the providers use, otherwise known as fourth-party vendors. Every company outsources parts of its operations to multiple vendors and suppliers. Those suppliers, in turn, outsource parts of their operations to other suppliers. And the process goes on and on. The larger the ecosystem, the larger the potential cyber risk and attack surface for your organization.
2. Create and maintain an incident response plan well before an incident occurs. When crafting the plan, take into consideration third-party attacks. It’s also important to test the plan against multiple scenarios. Tabletop exercises should include key stakeholders across your organization (not only information security/IT) to test the plan’s overall effectiveness.
3. Use risk quantification to define and quantify the third-party risk. This allows your organization to determine the potential impact of an attack against a third party in its supply chain and align key stakeholders on how to treat the risk.
4. Review your existing cyber insurance policies to understand the coverage implications of an attack against a third party in the organization’s supply chain.
5. Verify that third parties have adequate cyber insurance to meet the requirements of the first-party organization. This demonstrates cyber risk management hygiene, and also that minimum controls are likely in place. Certain controls are often required to be considered insurable.
The following scenarios show some potential third-party risks that your organization may be exposed to — and their potential impact if/when they become a reality.
Organizations can — and should — proactively bolster themselves against third-party risks. This includes defining and understanding what makes up an organization’s vendor ecosystem, engaging in proactive incident preparedness and incident response testing, and quantifying the impact of third-party risk to understand its impact on the balance sheet. Finally, it is critical that any third parties meet the insurance and compliance requirements of the first-party organization — ideally minimizing impact in the event of an attack.
At Marsh, our risk advisors are available to help you evaluate and mitigate your first- and third-party risks. To start a discussion with one of our advisors, reach out to your Marsh broker or contact us below.
Head of Cyber, Pacific
Cyber Broker Leader, Pacific
Australia
Growth Leader, Cyber
Australia
LCPA 24/044