Threatonomics

How To Think About Third-Party Cyber Risk Management During A Recession

by Travis Wong
Published July 19, 2023

third-party cyber risk management

More than 21,000 employees were laid off in the technology sector in the first three weeks of 2023. This is up from a staggering 107,000 jobs cut mostly in the latter half of 2022 and signals danger for the larger ‘white-collar’ job market.

As companies beyond the technology sector follow suit to increase profitability by leveraging staff reductions, they will inevitably turn to third-party vendors to help manage their IT business operations. However, as breaches from Solarwinds to Home Depot have proved, third-party IT vendors almost always increase the risk of an incident by increasing an organization’s attack surface.

In fact, Resilience’s 2022 claims data show that vendor breaches accounted for 28% of the critical point of failure in incidents experienced by insureds. This was the largest cause of claims ahead of phishing and privileged access management and highlights the interconnectivity of computer systems and data privacy risk at a time when organizations are also cutting staff who would normally manage and vet these vendors.

Managing the Hidden Risks of Third-Party Vendors: Protect Your Business From Cyber Threats and Liability

Third-party IT vendors are critical to almost every business. SaaS solutions provide everything from sales and marketing software to payroll and even security operations. According to Deloitte, “Over the past five years, the use of third-party vendors has increased exponentially. And many companies even outsource core functions to derive efficiencies and savings.” This lesson is doubly true during a recession.

While these vendors are critical to many different types of business operations, Resilience’s Security Team has found that many claims arise from third-party vendors. Logically, this also makes sense as vendors expose your organization to increased cyber risk due to a lack of visibility into their data security controls. The fallout from a breach in a vendor’s systems holding your data can trace back to your business and ultimately cause the data you’ve shared with them to be compromised. This can lead to liability for your organization or even an entry into your systems for criminals like ransomware gangs.

Data from a 2021 Ponemon report showed that 54% of organizations who reported a data breach found the cause to have come from a third-party vendor. More concerningly, the report also noted that only 34% of organizations were confident that their vendors would notify them of a breach.

Even third-party vendors with a history of strong cybersecurity controls can fall victim to specific targeting by adversaries because of their clients; this is called a “supply-chain attack.” The infamous 2020 attack against SolarWinds Orion, a third-party IT monitoring software employed worldwide, brought headline-grabbing attention to the severity of “supply-chain attacks.”

Not only was SolarWinds affected by the breach, but thousands of its clients, including the US government, had their data accessed by an APT (advanced persistent threat) adversary. Resilience’s security team has also seen malicious APT actors leveraging last year’s infamous Log4Shell vulnerability as a pathway into the IT vendor supply chain, with disastrous consequences for their customers.

It’s time to think differently about cybersecurity

This potential increase in third-party vendor risk over a recession requires security leaders to think differently about their cybersecurity posture. Companies must learn to analyze cyber risk as they onboard new vendors and identify new threats they are exposing by sharing data. Keeping up with the risk from vendors and your organization’s vulnerabilities is a massive task for any staff member, company department, or organization to tackle. That’s why it’s important to transition from cybersecurity to a cyber resilience mindset.

What’s a cyber resilience mindset?

A cyber resilience mindset focuses on determining the risks that matter most to an organization by anticipating and responding to the real-time threat landscape. The strategy centers around minimizing the severity of a cyberattack by connecting an organization’s technical cybersecurity visibility, its security hygiene practices, and cyber insurance coverage.

Applying cyber resilience thinking to 3rd-party vendor management

  • Cybersecurity visibility: Identify technical connections that share data with vendors and ensure they can’t act as a vector for an attack. The SolarWinds attack used a critical system patch to deliver malware to Solarwind’s customers. While this attack is tough to stop, implementing a process that verifies data coming from vendors and limits data going out can help reduce your risk of a “supply chain” attack.
  • Security hygiene: Ask all the vendors you have identified as critical for the results of their most recent penetration testing and audits. They should be able to walk through their data handling policies and how they work to protect your data like it’s their own actively. Vendors may sometimes have more robust data security controls than your own organization. Use these results to learn about your own cyber hygiene priorities.
  • Risk transfer: You have transferred productivity (or security) to a third-party vendor; consider transferring some financial risk through tools like insurance. Rather than think about insurance as a tool for a “worst case scenario,” think about the financial outlay it buys you to free up resources for other projects. If your ransomware policy comes with incident response services, consider whether this frees up funding to invest back into your own team.

Leveraging Holistic Cyber Risk Management with Resilience

At Resilience, we have found that organizations that manage their cyber risk holistically are significantly better prepared for cyber incidents, leading to lower costs from claims and more return on investment from their security controls.

As global economic trends evolve how businesses operate, the cyber landscape will grow in complexity and increase the risk to organizations. Building a network of cyber-resilient vendors and holistically managing your own risk will allow your organization to take a digital hit without impacting its material ability to deliver value and help you evade threats altogether. That’s the goal of Resilience.

Resilience offers insurance through its licensed and appointed insurance agency, and security services through its expert security team.

Insurance products are produced by Ocrea Risk Services, LLC (NPN 19169260) and are underwritten by Homeland Insurance Company of New York or Homeland Insurance Company of Delaware, each subsidiaries of Intact Insurance Group USA LLC with their principal place of business at 605 Highway 169 N, Plymouth, Minnesota 55441. Security services are provided by Arceo Labs, Inc. d/b/a Resilience.

About the Author
Travis Wong

Travis is the VP of Customer Engagement. He has 15 years of risk management consulting experience with Fortune 250 insurance carriers. Specializing in the cyber, technology, and life sciences spaces, Travis assists clients with implementation of cybersecurity, privacy, business resiliency, and business process improvement best practices.

You might also like

How does Resilience establish the probabilities presented in my LEC?

Managing risk successfully at any level requires an understanding of a concept called “probability.” As both an insurance company (risk transfer) and a cyber risk management company, Resilience relies on understanding probabilities to price our services and to guide our clients to greater levels of cyber resilience. As we often receive questions from our clients […]

Moving beyond heat maps for better risk management

Heat maps are among the most widely used—and debated—tools for risk managers worldwide to communicate risks in their registries or project portfolios. Despite their popularity, we advise leaders seeking transparency in discussing risk and value to avoid relying on them. What are heat maps? Risk managers often use heat maps (or risk matrices) to represent […]

Breaking Lemonade: Understanding Value at Risk

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to […]

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]

Artificial Intelligence for Cyber Resilience

AI tools are shifting the calculus for cyber defense by enhancing key areas such as vulnerability mapping, breach detection, incident response, and penetration testing. This integration could help an organization bolster its cyber resilience against an ever-evolving threat landscape. AI tools could automate the discovery and monitoring of vulnerabilities, providing real-time updates of an organization’s […]

cyber resilience framework

AI and Misuse

Welcome to part two in our series on AI and cyber risk. Be sure to read the first installment “What you need to know: Artificial Intelligence at the Heart of Cyber,” here. Key takeaways Background In February 2024, OpenAI – in collaboration with Microsoft— tracked adversaries from Russia, North Korea, Iran, and China, leveraging their […]