,
27/06/2024 · 4 minute read
Third-party cyber risks, also known as digital supply chain risks, impact all organisations, especially those that:
According to a recent SecurityScorecard study, at least 29% of all breaches were attributable to a third-party attack vector, meaning the core risk originated outside of the organisation. Of these, 75% involved software or other technology products and services, with the remaining 25% stemming from non-technical products or services. These statistics highlight the digital interconnectivity across the supply chain — and the risks inherent within those relationships.
As recent headlines and Marsh’s claims advocates indicate, these types of attacks are increasing, highlighting how business-critical it is for your organisation to understand, measure, and manage your third-party cyber risks.
(source: OneTrust)
In addition to implementing generally accepted cyber hygiene best practices, your organisation should consider taking the following actions to reduce the likelihood and impact of a loss from a third-party cyberattack.
These actions are not one-size-fits-all. After reviewing them, your organisation may want to modify them to match your specific requirements.
The following scenarios show some potential third-party risks that your organisation may be exposed to — and their potential impact if/when they become a reality.
Scenario: Uses technology vendors to power day-to-day operations; has technology connectivity to the vendor.
Potential risk: A technology disruption to the vendor discontinues the company’s operations.
Potential impact: Contingent business interruption, plus other extra expenses and costs.
Example: An outage at a cloud provider causes website downtime and prevents order fulfilment.
Scenario: Relies on technology vendors to power day-to-day operations; has technology connectivity to the vendor.
Potential risk: Compromising of technology company’s products/services impacts the company’s network and/or data.
Potential impact: Potential cyber incident, such as breach or ransomware attack, leading to business interruption and related costs.
Example: A software vulnerability leaves an open door for attackers, enabling them to install malicious code on the company’s network.
Scenario: Entrusts confidential information on clients and employees to a third-party vendor; is not connected to the vendor.
Potential risk: A breach of the company’s confidential information caused by the vendor.
Potential impact: Privacy incident with both first- and third-party costs.
Example: Payroll provider suffers a breach of employee information, or a technology vendor compromises client loyalty information.
Scenario: Relies on a third-party vendor for specific goods/services; does not have technology connectivity to the vendor.
Potential risk: Technology disruption to the third-party vendor halts or hinders the company’s ability to generate revenue.
Potential impact: Contingent business interruption, plus other extra expenses and costs.
Example: Network disruption impacts a company’s ability to receive its product.
Your organisation can — and should — proactively bolster yourself against third-party risks. This includes defining and understanding what makes up your vendor ecosystem, and quantifying the impact of third-party risk to understand its impact on the balance sheet and learn how to possibly transfer it.
At Marsh, our risk advisors are available to help you understand, measure, and manage your third-party risks. To start a discussion with one of our advisors, reach out to your Marsh broker or contact us below.
US and Canada Cyber Sales and Industry Leader
United States
Senior Vice President, Emerging Risks, Marsh Advisory
United States
Senior Vice President, Emerging Risks Group, Marsh Advisory, North America
United States