Threatonomics

How To Think About Third-Party Cyber Risk Management During A Recession

by Travis Wong
Published July 19, 2023

third-party cyber risk management

More than 21,000 employees were laid off in the technology sector in the first three weeks of 2023. This is up from a staggering 107,000 jobs cut mostly in the latter half of 2022 and signals danger for the larger ‘white-collar’ job market.

As companies beyond the technology sector follow suit to increase profitability by leveraging staff reductions, they will inevitably turn to third-party vendors to help manage their IT business operations. However, as breaches from Solarwinds to Home Depot have proved, third-party IT vendors almost always increase the risk of an incident by increasing an organization’s attack surface.

In fact, Resilience’s 2022 claims data show that vendor breaches accounted for 28% of the critical point of failure in incidents experienced by insureds. This was the largest cause of claims ahead of phishing and privileged access management and highlights the interconnectivity of computer systems and data privacy risk at a time when organizations are also cutting staff who would normally manage and vet these vendors.

Managing the Hidden Risks of Third-Party Vendors: Protect Your Business From Cyber Threats and Liability

Third-party IT vendors are critical to almost every business. SaaS solutions provide everything from sales and marketing software to payroll and even security operations. According to Deloitte, “Over the past five years, the use of third-party vendors has increased exponentially. And many companies even outsource core functions to derive efficiencies and savings.” This lesson is doubly true during a recession.

While these vendors are critical to many different types of business operations, Resilience’s Security Team has found that many claims arise from third-party vendors. Logically, this also makes sense as vendors expose your organization to increased cyber risk due to a lack of visibility into their data security controls. The fallout from a breach in a vendor’s systems holding your data can trace back to your business and ultimately cause the data you’ve shared with them to be compromised. This can lead to liability for your organization or even an entry into your systems for criminals like ransomware gangs.

Data from a 2021 Ponemon report showed that 54% of organizations who reported a data breach found the cause to have come from a third-party vendor. More concerningly, the report also noted that only 34% of organizations were confident that their vendors would notify them of a breach.

Even third-party vendors with a history of strong cybersecurity controls can fall victim to specific targeting by adversaries because of their clients; this is called a “supply-chain attack.” The infamous 2020 attack against SolarWinds Orion, a third-party IT monitoring software employed worldwide, brought headline-grabbing attention to the severity of “supply-chain attacks.”

Not only was SolarWinds affected by the breach, but thousands of its clients, including the US government, had their data accessed by an APT (advanced persistent threat) adversary. Resilience’s security team has also seen malicious APT actors leveraging last year’s infamous Log4Shell vulnerability as a pathway into the IT vendor supply chain, with disastrous consequences for their customers.

It’s time to think differently about cybersecurity

This potential increase in third-party vendor risk over a recession requires security leaders to think differently about their cybersecurity posture. Companies must learn to analyze cyber risk as they onboard new vendors and identify new threats they are exposing by sharing data. Keeping up with the risk from vendors and your organization’s vulnerabilities is a massive task for any staff member, company department, or organization to tackle. That’s why it’s important to transition from cybersecurity to a cyber resilience mindset.

What’s a cyber resilience mindset?

A cyber resilience mindset focuses on determining the risks that matter most to an organization by anticipating and responding to the real-time threat landscape. The strategy centers around minimizing the severity of a cyberattack by connecting an organization’s technical cybersecurity visibility, its security hygiene practices, and cyber insurance coverage.

Applying cyber resilience thinking to 3rd-party vendor management

  • Cybersecurity visibility: Identify technical connections that share data with vendors and ensure they can’t act as a vector for an attack. The SolarWinds attack used a critical system patch to deliver malware to Solarwind’s customers. While this attack is tough to stop, implementing a process that verifies data coming from vendors and limits data going out can help reduce your risk of a “supply chain” attack.
  • Security hygiene: Ask all the vendors you have identified as critical for the results of their most recent penetration testing and audits. They should be able to walk through their data handling policies and how they work to protect your data like it’s their own actively. Vendors may sometimes have more robust data security controls than your own organization. Use these results to learn about your own cyber hygiene priorities.
  • Risk transfer: You have transferred productivity (or security) to a third-party vendor; consider transferring some financial risk through tools like insurance. Rather than think about insurance as a tool for a “worst case scenario,” think about the financial outlay it buys you to free up resources for other projects. If your ransomware policy comes with incident response services, consider whether this frees up funding to invest back into your own team.

Leveraging Holistic Cyber Risk Management with Resilience

At Resilience, we have found that organizations that manage their cyber risk holistically are significantly better prepared for cyber incidents, leading to lower costs from claims and more return on investment from their security controls.

As global economic trends evolve how businesses operate, the cyber landscape will grow in complexity and increase the risk to organizations. Building a network of cyber-resilient vendors and holistically managing your own risk will allow your organization to take a digital hit without impacting its material ability to deliver value and help you evade threats altogether. That’s the goal of Resilience.

Resilience offers insurance through its licensed and appointed insurance agency, and security services through its expert security team.

Insurance products are produced by Ocrea Risk Services, LLC (NPN 19169260) and are underwritten by Homeland Insurance Company of New York or Homeland Insurance Company of Delaware, each subsidiaries of Intact Insurance Group USA LLC with their principal place of business at 605 Highway 169 N, Plymouth, Minnesota 55441. Security services are provided by Arceo Labs, Inc. d/b/a Resilience.

About the Author
Travis Wong

Travis is the VP of Customer Engagement. He has 15 years of risk management consulting experience with Fortune 250 insurance carriers. Specializing in the cyber, technology, and life sciences spaces, Travis assists clients with implementation of cybersecurity, privacy, business resiliency, and business process improvement best practices.

You might also like

Killing legacy systems might be your smartest financial move 

Every CISO has that one system. Maybe it’s running on Windows Server 2008. Maybe it’s the manufacturing control system that predates your current CEO. Maybe it’s the ancient database that three different business-critical applications depend on, maintained by one person who’s been threatening to retire for five years. You know these systems are problems. Your […]

What your CFO actually cares about (and how to speak their language)

You walk into your CFO’s office with a carefully prepared business case for a critical security investment. The risk assessment is complete, the vulnerabilities are documented, and you’re ready to make your argument. But the moment you mention “attack surface” or “zero-day vulnerabilities,” you can see their attention drift. The issue isn’t that your CFO […]

Risk Briefing: Cyber extortion has fundamentally changed

On January 14, 2026, Resilience launched its inaugural Risk Briefing Series with a clear message for CISOs: the cyber extortion playbook has been rewritten, and organizations relying on traditional defenses are dangerously exposed. In the first session of this monthly intelligence series, Jud Dressler, Director of Resilience’s Risk Operations Center and retired U.S. Air Force […]

The 65% shift that proves ransomware as we know it is dead

The cybersecurity industry has a terminology problem. We’re still calling it “ransomware” when the majority of attacks no longer encrypt and request a ransom for decryption as their primary weapon. Resilience’s analysis of cyber extortion claims in our portfolio throughout 2025 reveals a dramatic acceleration in attack methods. Data theft extortion-only events rose from 49% […]

Why your enterprise risk framework needs threat intelligence

Here’s a question that should make any enterprise risk management (ERM) professional uncomfortable: How can you manage a risk you don’t even know exists? In my role leading threat intelligence at Resilience, I work at the intersection of cybersecurity and business risk. And I’ve noticed a persistent gap: many ERM professionals know cyber risk belongs […]

Your 90-day roadmap to sustainable vendor risk management

We’ve covered why vendor discovery matters, how to mine data streams for comprehensive vendor identification, which vendor categories are commonly overlooked, and how to implement risk-based tiering. Now comes the critical question: how do you actually implement this in your organization and make it sustainable over time? Chuck Norton from Resilience emphasizes the resource reality: […]