Threatonomics

How To Think About Third-Party Cyber Risk Management During A Recession

by Travis Wong
Published July 19, 2023


More than 21,000 technology-sector employees were laid off in the first three weeks of 2023. This follows a staggering 107,000 jobs cut, mostly in the latter half of 2022, and signals danger for the larger ‘white-collar’ job market.

As companies beyond the technology sector follow suit and cut staff to increase profitability, they will inevitably turn to third-party vendors to help run their IT operations. However, as breaches from SolarWinds to Home Depot have shown, each third-party IT vendor extends an organization’s attack surface: a vendor’s credentials, network connections, and software updates all become paths into the customer’s environment.

In fact, Resilience’s 2022 claims data show that a vendor breach was the critical point of failure in 28% of incidents experienced by insureds. This was the largest cause of claims, ahead of phishing and failures in privileged access management, and it highlights the interconnectivity of computer systems and data privacy risk at a time when organizations are also cutting the staff who would normally manage and vet these vendors.

Managing the Hidden Risks of Third-Party Vendors: Protect Your Business From Cyber Threats and Liability

Third-party IT vendors are critical to almost every business. SaaS solutions provide everything from sales and marketing software to payroll and even security operations. According to Deloitte, “Over the past five years, the use of third-party vendors has increased exponentially. And many companies even outsource core functions to derive efficiencies and savings.” This lesson is doubly true during a recession.

While these vendors are critical to many different types of business operations, Resilience’s Security Team has found that many claims arise from third-party vendors. This makes sense: vendors expose your organization to additional cyber risk because you have limited visibility into their data security controls. A breach of a vendor’s systems holding your data traces back to your business and compromises the data you shared with them. That can create liability for your organization, or even give criminals such as ransomware gangs an entry point into your own systems.

Data from a 2021 Ponemon report showed that 54% of organizations who reported a data breach found the cause to have come from a third-party vendor. More concerningly, the report also noted that only 34% of organizations were confident that their vendors would notify them of a breach.

Even third-party vendors with a history of strong cybersecurity controls can be deliberately targeted by adversaries because of the access they hold to their clients; this is called a “supply-chain attack.” The infamous 2020 attack against SolarWinds Orion, a third-party IT monitoring product used worldwide, brought headline-grabbing attention to the severity of supply-chain attacks.

Not only was SolarWinds itself breached; thousands of its customers received the trojanized Orion update, and a subset of them, including US government agencies, had their networks accessed by an APT (advanced persistent threat) adversary. Resilience’s security team has also seen APT actors leveraging the Log4Shell vulnerability, disclosed in December 2021, as a pathway into the IT vendor supply chain, with disastrous consequences for those vendors’ customers.

It’s time to think differently about cybersecurity

This potential increase in third-party vendor risk over a recession requires security leaders to think differently about their cybersecurity posture. Companies must learn to analyze cyber risk as they onboard new vendors and identify new threats they are exposing by sharing data. Keeping up with the risk from vendors and your organization’s vulnerabilities is a massive task for any staff member, company department, or organization to tackle. That’s why it’s important to transition from cybersecurity to a cyber resilience mindset.

What’s a cyber resilience mindset?

A cyber resilience mindset focuses on determining the risks that matter most to an organization by anticipating and responding to the real-time threat landscape. The strategy centers around minimizing the severity of a cyberattack by connecting an organization’s technical cybersecurity visibility, its security hygiene practices, and cyber insurance coverage.

Applying cyber resilience thinking to 3rd-party vendor management

  • Cybersecurity visibility: Identify every technical connection that shares data with a vendor (agents, APIs, VPN tunnels, file transfers) and ensure it can’t act as a vector for an attack. The SolarWinds attack delivered malware to SolarWinds’ customers inside a legitimately signed software update, which is why it was so hard to stop. Still, implementing a process that verifies what comes in from vendors (pinning and checking the integrity of updates before deployment) and restricts what goes out (allowing vendor systems to reach only the destinations and ports they need) reduces your exposure to a supply-chain attack and limits the damage if one succeeds.
  • Security hygiene: Ask every vendor you have identified as critical for the results of their most recent penetration tests and audits. They should be able to walk through their data-handling policies and explain how they actively protect your data as if it were their own. Vendors sometimes have more robust data security controls than your own organization; use their results to inform your own cyber hygiene priorities.
  • Risk transfer: You have already transferred productivity (or security) to a third-party vendor; consider transferring some of the financial risk as well, through tools like insurance. Rather than thinking of insurance only as a tool for a “worst-case scenario,” think about the financial capacity it buys you to free up resources for other projects. If your ransomware policy includes incident response services, consider whether that frees up funding to invest back into your own team.

Leveraging Holistic Cyber Risk Management with Resilience

At Resilience, we have found that organizations that manage their cyber risk holistically are significantly better prepared for cyber incidents, leading to lower costs from claims and more return on investment from their security controls.

As global economic trends evolve how businesses operate, the cyber landscape will grow in complexity and increase the risk to organizations. Building a network of cyber-resilient vendors and holistically managing your own risk will allow your organization to take a digital hit without impacting its material ability to deliver value and help you evade threats altogether. That’s the goal of Resilience.

Resilience offers insurance through its licensed and appointed insurance agency, and security services through its expert security team.

Insurance products are produced by Ocrea Risk Services, LLC (NPN 19169260) and are underwritten by Homeland Insurance Company of New York or Homeland Insurance Company of Delaware, each subsidiaries of Intact Insurance Group USA LLC with their principal place of business at 605 Highway 169 N, Plymouth, Minnesota 55441. Security services are provided by Arceo Labs, Inc. d/b/a Resilience.
