Threatonomics

How To Think About Third-Party Cyber Risk Management During A Recession

by Travis Wong
Published July 19, 2023

third-party cyber risk management

More than 21,000 employees were laid off in the technology sector in the first three weeks of 2023. This is up from a staggering 107,000 jobs cut mostly in the latter half of 2022 and signals danger for the larger ‘white-collar’ job market.

As companies beyond the technology sector follow suit to increase profitability by leveraging staff reductions, they will inevitably turn to third-party vendors to help manage their IT business operations. However, as breaches from Solarwinds to Home Depot have proved, third-party IT vendors almost always increase the risk of an incident by increasing an organization’s attack surface.

In fact, Resilience’s 2022 claims data show that vendor breaches accounted for 28% of the critical point of failure in incidents experienced by insureds. This was the largest cause of claims ahead of phishing and privileged access management and highlights the interconnectivity of computer systems and data privacy risk at a time when organizations are also cutting staff who would normally manage and vet these vendors.

Managing the Hidden Risks of Third-Party Vendors: Protect Your Business From Cyber Threats and Liability

Third-party IT vendors are critical to almost every business. SaaS solutions provide everything from sales and marketing software to payroll and even security operations. According to Deloitte, “Over the past five years, the use of third-party vendors has increased exponentially. And many companies even outsource core functions to derive efficiencies and savings.” This lesson is doubly true during a recession.

While these vendors are critical to many different types of business operations, Resilience’s Security Team has found that many claims arise from third-party vendors. Logically, this also makes sense as vendors expose your organization to increased cyber risk due to a lack of visibility into their data security controls. The fallout from a breach in a vendor’s systems holding your data can trace back to your business and ultimately cause the data you’ve shared with them to be compromised. This can lead to liability for your organization or even an entry into your systems for criminals like ransomware gangs.

Data from a 2021 Ponemon report showed that 54% of organizations who reported a data breach found the cause to have come from a third-party vendor. More concerningly, the report also noted that only 34% of organizations were confident that their vendors would notify them of a breach.

Even third-party vendors with a history of strong cybersecurity controls can fall victim to specific targeting by adversaries because of their clients; this is called a “supply-chain attack.” The infamous 2020 attack against SolarWinds Orion, a third-party IT monitoring software employed worldwide, brought headline-grabbing attention to the severity of “supply-chain attacks.”

Not only was SolarWinds affected by the breach, but thousands of its clients, including the US government, had their data accessed by an APT (advanced persistent threat) adversary. Resilience’s security team has also seen malicious APT actors leveraging last year’s infamous Log4Shell vulnerability as a pathway into the IT vendor supply chain, with disastrous consequences for their customers.

It’s time to think differently about cybersecurity

This potential increase in third-party vendor risk over a recession requires security leaders to think differently about their cybersecurity posture. Companies must learn to analyze cyber risk as they onboard new vendors and identify new threats they are exposing by sharing data. Keeping up with the risk from vendors and your organization’s vulnerabilities is a massive task for any staff member, company department, or organization to tackle. That’s why it’s important to transition from cybersecurity to a cyber resilience mindset.

What’s a cyber resilience mindset?

A cyber resilience mindset focuses on determining the risks that matter most to an organization by anticipating and responding to the real-time threat landscape. The strategy centers around minimizing the severity of a cyberattack by connecting an organization’s technical cybersecurity visibility, its security hygiene practices, and cyber insurance coverage.

Applying cyber resilience thinking to 3rd-party vendor management

  • Cybersecurity visibility: Identify technical connections that share data with vendors and ensure they can’t act as a vector for an attack. The SolarWinds attack used a critical system patch to deliver malware to Solarwind’s customers. While this attack is tough to stop, implementing a process that verifies data coming from vendors and limits data going out can help reduce your risk of a “supply chain” attack.
  • Security hygiene: Ask all the vendors you have identified as critical for the results of their most recent penetration testing and audits. They should be able to walk through their data handling policies and how they work to protect your data like it’s their own actively. Vendors may sometimes have more robust data security controls than your own organization. Use these results to learn about your own cyber hygiene priorities.
  • Risk transfer: You have transferred productivity (or security) to a third-party vendor; consider transferring some financial risk through tools like insurance. Rather than think about insurance as a tool for a “worst case scenario,” think about the financial outlay it buys you to free up resources for other projects. If your ransomware policy comes with incident response services, consider whether this frees up funding to invest back into your own team.

Leveraging Holistic Cyber Risk Management with Resilience

At Resilience, we have found that organizations that manage their cyber risk holistically are significantly better prepared for cyber incidents, leading to lower costs from claims and more return on investment from their security controls.

As global economic trends evolve how businesses operate, the cyber landscape will grow in complexity and increase the risk to organizations. Building a network of cyber-resilient vendors and holistically managing your own risk will allow your organization to take a digital hit without impacting its material ability to deliver value and help you evade threats altogether. That’s the goal of Resilience.

Resilience offers insurance through its licensed and appointed insurance agency, and security services through its expert security team.

Insurance products are produced by Ocrea Risk Services, LLC (NPN 19169260) and are underwritten by Homeland Insurance Company of New York or Homeland Insurance Company of Delaware, each subsidiaries of Intact Insurance Group USA LLC with their principal place of business at 605 Highway 169 N, Plymouth, Minnesota 55441. Security services are provided by Arceo Labs, Inc. d/b/a Resilience.

About the Author
Travis Wong

Travis is the VP of Customer Engagement. He has 15 years of risk management consulting experience with Fortune 250 insurance carriers. Specializing in the cyber, technology, and life sciences spaces, Travis assists clients with implementation of cybersecurity, privacy, business resiliency, and business process improvement best practices.

You might also like

How to prepare your organization for a post-quantum world

Quantum computing is on the horizon, and with it comes a seismic shift in how organizations must think about cybersecurity risk. The ability of future quantum machines to break today’s cryptographic protections, what we call quantum decryption, could undermine the trust, confidentiality, and resilience of digital business. This briefing series distills a highly technical topic […]

When will quantum decryption become practical?

As part of Cybersecurity Awareness Month, we’re publishing this three-part series that distills a highly technical topic into strategic insights for leaders. Part 1 explained why quantum decryption poses a threat to current encryption systems. Part 2 lays out credible timelines for when the disruption may arrive. Part 3 will offer practical guidance on how […]

What business leaders need to know about post-quantum cyber risk

Quantum computing is on the horizon and with it comes a seismic shift in how organizations must think about cybersecurity risk. The ability of future quantum machines to break today’s cryptographic protections–what we call quantum decryption–could undermine the trust, confidentiality, and resilience of digital business.                                                                                          As part of Cybersecurity Awareness Month, throughout October we are […]

The false promise of paying criminals to delete your data

On October 6, 2025, hackers demanded ransom from Salesforce for nearly one billion stolen customer records. The company’s response was unequivocal: no payment, no negotiation. While the refusal made headlines, the more important question is why Salesforce—and increasingly, other mature organizations—are walking away from the table when criminals offer to “suppress” stolen data. The answer […]

A CISO’s guide to winning the annual budgeting battle

It’s that time of year again. Finance has sent the email with the budget template attached. Your CFO wants preliminary numbers by next week. And you’re staring at a spreadsheet wondering how to justify the security investments your organization desperately needs when last quarter’s board meeting included the phrase “do more with less.” Welcome to […]

How brokers and CISOs can lead the charge for Cybersecurity Awareness Month 2025

October is Cybersecurity Awareness Month, and this year’s theme—”Building a Cyber Strong America“—has never been more relevant. For over two decades, this initiative led by CISA and the National Cybersecurity Alliance has spotlighted the importance of taking daily action to reduce online risks. In 2025, the focus shifts to the government entities and small-to-medium businesses […]