Threatonomics

Third-Party Breaches: Risk in the Supply Chain

Upstream and Downstream Risk in the Supply Chain

by Si West, Director, Customer Engagement

According to CrowdStrike, 84% of leaders believe that software supply chain attacks could become one of the biggest cyber threats to organizations like theirs within the next three years. Despite this, 50% of organizations find that monitoring third parties is a drain on their resources.

Managing third-party risk requires an in-depth understanding of your vendor network and its security. A chain is only as strong as its weakest link: to defend your entire attack surface, you must ensure that every vendor with access to your data or systems manages cyber risk as rigorously as you do.

Third-party breaches trigger a domino effect that can impact hundreds of organizations and millions of individuals' data. To better understand the scope of third-party risk, Resilience's Global Head of Claims, Tom Egglestone, suggests that companies categorize potential threats as upstream or downstream. An upstream breach originates at a third-party supplier, data transfer system, or other partner in your supply chain. A downstream breach is one in which you are breached and your clients' networks are put at risk.

Upstream Third-Party Breaches  

Infiltrating an upstream vendor's systems in order to gain broader access to its clients' systems or data is a tactic that is growing more common. Such attacks give an adversary access to large volumes of data at once and raise the odds that what is exfiltrated is valuable enough to provoke a ransom payment. According to the 2023 Thales Cloud Security Study, 39% of organizations surveyed reported a data breach in their cloud environment in the past year, four percentage points higher than in 2022.

Because a single third-party breach offers access to so many secondary victims, large data hosts, cloud services, and SaaS providers have become prime targets. Supply chain attacks let adversaries scale their operations by abusing the trusted position of a vendor to turn one intrusion into many incidents. The tactic is especially effective in a post-pandemic world in which companies have invested ever more heavily in SaaS and cloud-based products to support remote working. The MOVEit breaches of Q2 2023 combined this supply chain-style attack with encryption-less, multi-extortion ransomware tactics: the Russia-linked ransomware group CL0P exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, Progress Software's managed file transfer product, and stole data that let them impact millions of individuals and hundreds of organizations around the world.

Resilience's ransomware incident response partner Coveware reported a record low ransomware payment rate of 34% over the first half of 2023. As ransomware victims grow more resistant to making extortion payments, threat actors are shifting tactics to go after as many pockets as possible while minimizing their effort. "Threat actors' entire mode of operation supports quick adaptation in the face of security safeguards," said Tom Egglestone, Global Head of Claims at Resilience. "The shift to encryption-less and third-party ransom attacks demonstrates how threat actors are always looking for new ways to bypass security controls, especially in the face of declining ransom payments."

Downstream Third-Party Breaches: When Your Client Network is at Risk  

So what happens when you are the one at the top of that chain? When a supplier, manufacturer, business partner, or other upstream vendor suffers a data breach, every client network it interacts with is put at risk. For the organization where the breach originated, a downstream incident is not only a massive financial burden but can also be disastrous for its reputation.

Consider the MOVEit breaches again: despite the hundreds of high-profile organizations that realized millions more in financial losses, it is MOVEit Transfer that we remember as the origin of the breach. Aside from the cost of any extortion payments, MOVEit victims also incurred incident response, business interruption, and data recovery costs, not to mention the very real risk of reputational damage and potential legal and regulatory repercussions.

“Managing a cyber incident following a security breach is already a significant burden on an affected company, but this situation becomes even more complicated if your clients or partners are also impacted,” said Egglestone. “Organizations who are entrusted with large amounts of sensitive data are huge targets for threat actors and stand to incur losses to their business way beyond a potential ransom payment, be that income loss or the costs to restore affected systems.” 

Incident Best Practices

According to a report by Statista, supply chain attacks grew 235% year over year. Now more than ever, it is imperative to take the necessary steps to protect your third-party attack surface. The most important of these steps is gaining visibility into your vendors. "Vendor breach prevention relies on auditing the data stored with each vendor," said Egglestone. "Always keep track of the access each vendor has to your systems and any vulnerabilities that may exist through that sharing of data. Consider their readiness for an event, their insurance coverage, security protocols, track record with cyber incidents, financial resources, business continuity plans, and more."
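One concrete way to "keep track of the access each vendor has to your systems" is to audit which outside accounts can assume roles in your cloud environment. The script below is an added example, not Resilience's tooling or code from this page: it walks a set of AWS IAM role trust policies (constructed samples with placeholder account IDs; OWN_ACCOUNTS and the role names are assumptions) and reports every external principal, flagging trusts that lack the sts:ExternalId condition AWS recommends against confused-deputy abuse, and wildcard principals that anyone could assume.

```python
"""Inventory which external (vendor) AWS accounts can assume roles in your
account and flag trusts that lack the sts:ExternalId guard.

Added example. The trust policies below are constructed samples, not any real
vendor's; account IDs and role names are placeholders (assumptions).
"""
import json
import re
from typing import Dict, List, Optional

OWN_ACCOUNTS = {"111111111111"}  # assumption: the AWS accounts you own

# Constructed sample: four trust policies as returned by iam:GetRole
# (AssumeRolePolicyDocument), already URL-decoded.
SAMPLE_ROLES = {
    "VendorMonitoringRole": {  # external trust with ExternalId: expected shape
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "vendor-mon-7f3a"}},
        }],
    },
    "VendorBackupRole": {  # external trust, no ExternalId: confused-deputy risk
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::333333333333:root"]},
            "Action": "sts:AssumeRole",
        }],
    },
    "InternalDeployRole": {  # trusted by our own account: not a vendor finding
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci"},
            "Action": "sts:AssumeRole",
        }],
    },
    "LegacyOpenRole": {  # wildcard principal: any AWS account can assume it
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
        }],
    },
}

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _principals(stmt: dict) -> List[str]:
    """Normalize the Principal element to a list of AWS principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _account_of(principal: str) -> Optional[str]:
    """Extract the 12-digit account ID from a principal, or '*' for a wildcard."""
    if principal == "*":
        return "*"
    if principal.isdigit() and len(principal) == 12:
        return principal
    m = ARN_ACCOUNT.match(principal)
    return m.group(1) if m else None


def _has_external_id(stmt: dict) -> bool:
    """True if the statement pins sts:ExternalId with a StringEquals* condition."""
    for op, kv in stmt.get("Condition", {}).items():
        if op.startswith("StringEquals") and "sts:ExternalId" in kv:
            return True
    return False


def audit_vendor_trusts(roles: Dict[str, dict], own_accounts=OWN_ACCOUNTS) -> List[dict]:
    """Return one finding per external principal that may assume a role."""
    findings = []
    for role, doc in roles.items():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
                continue
            for principal in _principals(stmt):
                acct = _account_of(principal)
                if acct is None or acct in own_accounts:
                    continue  # service principals and our own accounts are out of scope
                if acct == "*":
                    severity = "critical"
                elif not _has_external_id(stmt):
                    severity = "high"
                else:
                    severity = "info"
                findings.append({
                    "role": role,
                    "external_account": acct,
                    "external_id_required": _has_external_id(stmt),
                    "severity": severity,
                })
    return sorted(findings, key=lambda f: f["role"])


if __name__ == "__main__":
    print(json.dumps(audit_vendor_trusts(SAMPLE_ROLES), indent=2))
```

In practice, feed it the AssumeRolePolicyDocument of every role returned by iam:ListRoles, then attribute each external account to a named vendor and a contract; an account nobody can name is itself a finding. The same enumerate-attribute-review loop applies to OAuth application grants in your identity provider and to third-party API keys.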

At Resilience, we give clients the tools to interview vendors through comprehensive risk management questionnaires that address security and insurance protocols in alignment with your unique requirements. Through our holistic cyber risk management platform, we offer a Vendor Risk Management Guide that helps our clients better manage their vendors through proposed tactics, guidelines, and more. We also offer State of Your Vendor’s Risk reports for up to fifteen key vendors that detail their most relevant threats, remediation strategies, and background on their risk posture. 

Our Vendor Risk Management tools and guides encourage collaboration across cybersecurity, insurance, and financial leadership by offering the data and analytics to coordinate strategies and resolve incidents without impacting business value. 

“Whether you’re defending your own environment to prevent a downstream incident or carefully selecting a vendor network to protect yourself from an upstream third-party breach, Resilience has the tools to gain visibility into your attack surface and contextualize what that risk means for you,” said Egglestone. “The Resilience solution is designed to holistically manage all kinds of third-party risk through advanced tools, human-in-the-loop expertise, and more.”
