“More Money, More Problems:” Supply Chain Cyber Risk in the Forbes Global 2000
SecurityScorecard and its partner Cyentia recently released a joint case study of third-party cyber risk in the Forbes Global 2000, the group of the world’s financially largest companies. On one hand, large companies have the advantage of greater financial and human resources to invest in security programs. Security costs money, and other SecurityScorecard research has established a correlation between cyber security hygiene and financial means. On the other hand, greater size means that larger companies have more attack surface to protect and greater third-party risk exposure through their typically larger number of vendors and other third parties, as SecurityScorecard also found in an analysis of large technology companies. This paper delves further into the heightened risk exposure that comes with operating at a larger scale.
Sources and Methods
SecurityScorecard continuously scans the Internet for vulnerable and misconfigured digital assets. Additionally, SecurityScorecard monitors signals across the Internet, relying on a global network of sensors spanning the Americas, Asia, and Europe. The company operates one of the world’s largest networks of sinkholes and honeypots to capture malicious signals and enriches its data set with commercial and open-source intelligence feeds. In total, SecurityScorecard continuously monitors the security posture of over 12 million organizations worldwide.
The data on third-party relationships comes from SecurityScorecard’s Automatic Vendor Detection (AVD) capability. AVD identifies vendors and their products that constitute the cyber supply chain for businesses worldwide. The breach data also comes from SecurityScorecard’s intelligence operations and covers the period from Q4 2022 through Q1 2024. A total of 331 confirmed security breaches were detected across the Forbes 2000 during this period.
Good but Not Great
More than 70% of the Forbes 2000 had either strong “A” or respectable “B” cyber security ratings. The remaining 30% had subpar “C,” “D,” or “F” ratings. According to our ratings methodology, relative to an “A” rating, a “B” rating indicates a 2.9x greater likelihood of a breach; a “C” rating indicates a 5.4x greater likelihood; a “D” rating indicates a 9.2x greater likelihood; and an “F” rating indicates a 13.8x greater likelihood.
The proportion of favorable A and B ratings in this sample is notably lower than that of other samples of companies that we have analyzed recently. The S&P 500, for example, had 88% of its companies in that range. Other industries, such as the global aviation industry and technology, had 77% of their respective samples in the A-B range. Even the U.S. healthcare industry had a significantly higher percentage of A and B ratings (86%). So while this distribution of scores is respectable, there is clearly significant room for improvement. It is thus not surprising that, as we found, 12% of the Forbes 2000 have experienced breaches in the past 15 months.
“The Bigger They Are, The Harder They Fall”
The estimated monetary impact of cyber security incidents at larger companies is accordingly larger – perhaps disproportionately so. We found that the losses stemming from a breach at a Forbes Global 2000 company are typically 10 times as much as those stemming from breaches at smaller businesses, and in extreme cases as much as 77 times higher. Indeed, the estimated total losses within the Forbes Global 2000 from the past 15 months of breaches are large enough that, if that sum were the value of a company, that company would have a top 10 ranking on the list.
“It’s So Hard to Find Good Help These Days”
Larger companies tend to have larger supply chains, including a larger number of vendors. Each additional vendor is another potential point of failure that increases third-party cyber risk. Furthermore, a company’s security is only as good as its weakest link – including the security of its vendors. We found that, in 69% of the customer-vendor relationships in the Forbes 2000, the vendor has a lower cyber security rating than the customer. This discrepancy means that, more than two-thirds of the time, vendors are introducing additional cyber risk that they pass on to their customers, who suffer when those vendors are breached. Indeed, we found that 20% of the Forbes 2000 are using vendors that have had breaches in the past 15 months.
“Putting All Your Eggs in One Basket”
This cyber risk landscape becomes even riskier when one accounts for the relatively small number of vendors that have a disproportionately large market share or footprint. We highlighted this “concentration risk” in our analysis of top technology vendors, and the recent outages for CrowdStrike customers further illustrated this point, even though it was not a security issue per se. We found a similar pattern of concentration in the vendor pool of the Forbes 2000. Indeed, we identified 8 vendors whose combined customer base covers 80% of the Forbes 2000. This high concentration is more troubling in light of another finding: 4 of those 8 vendors have had breaches recently. The potential impact of third-party incidents affecting multiple customers in such a densely concentrated environment is accordingly high. We found that the total cost of such incidents is as much as 17 times higher than that of incidents affecting only one organization.
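The two vendor-side findings above (vendors rated below their customers, and a handful of vendors whose customer base covers most of the population) can be reproduced as metrics over a customer-vendor graph. The Python below is an added example, not SecurityScorecard's or Cyentia's code; the customers, vendors, grades, breach flags and relationships are constructed, and using a greedy set cover to find the covering vendor set is an assumption of this example, not the study's method.

```python
"""Third-party concentration and weakest-link metrics over a constructed
customer-vendor graph (example code; the data below is invented)."""

# Letter grades ordered best to worst, as used by the ratings discussed above.
GRADE_RANK = {"A": 0, "B": 1, "C": 2, "D": 3, "F": 4}

# Constructed sample: grades per customer and per vendor, vendors with a recent
# breach, and (customer, vendor) edges as a vendor-detection tool might emit.
CUSTOMER_GRADES = {"c1": "A", "c2": "A", "c3": "B", "c4": "B", "c5": "C", "c6": "D"}
VENDOR_GRADES = {"v1": "B", "v2": "C", "v3": "A", "v4": "F", "v5": "B"}
VENDOR_BREACHED = {"v2", "v4"}
RELATIONSHIPS = [("c1", "v1"), ("c1", "v2"), ("c2", "v1"), ("c2", "v3"),
                 ("c3", "v1"), ("c3", "v4"), ("c4", "v2"), ("c4", "v5"),
                 ("c5", "v1"), ("c5", "v3"), ("c6", "v4")]

def weaker_vendor_share(rels, cust, vend):
    """(count, total) of relationships where the vendor is rated below the customer."""
    weaker = sum(1 for c, v in rels if GRADE_RANK[vend[v]] > GRADE_RANK[cust[c]])
    return weaker, len(rels)

def customers_using_breached_vendors(rels, breached):
    """Customers exposed through at least one recently breached vendor."""
    return {c for c, v in rels if v in breached}

def customers_by_vendor(rels):
    by_vendor = {}
    for c, v in rels:
        by_vendor.setdefault(v, set()).add(c)
    return by_vendor

def vendors_covering(rels, customers, target=0.8):
    """Greedy set cover: pick vendors, largest uncovered footprint first, until
    their combined customer base reaches `target` of all customers."""
    by_vendor = customers_by_vendor(rels)
    covered, chosen = set(), []
    while len(covered) < target * len(customers):
        best = max(by_vendor, key=lambda v: len(by_vendor[v] - covered))
        if not by_vendor[best] - covered:
            break  # remaining vendors add no new customers
        chosen.append(best)
        covered |= by_vendor[best]
    return chosen

def concentration_report(rels, customers, breached, target=0.8):
    """For each covering vendor: (vendor, customer count, recently breached?)."""
    by_vendor = customers_by_vendor(rels)
    return [(v, len(by_vendor[v]), v in breached)
            for v in vendors_covering(rels, customers, target)]

if __name__ == "__main__":
    print(weaker_vendor_share(RELATIONSHIPS, CUSTOMER_GRADES, VENDOR_GRADES))
    print(concentration_report(RELATIONSHIPS, set(CUSTOMER_GRADES), VENDOR_BREACHED))
```

On the constructed data, two vendors already cover 80% of customers and one of them is recently breached, which is the concentration pattern a TPRM program should surface and track.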
What To Do About It
A robust third-party risk management (TPRM) program is key to mitigating these challenges. SecurityScorecard’s platform can serve as the centerpiece of a program, and our new MAX service can reduce the burden of such a program by outsourcing it to our team of professionals.