The spotlight on cyber risk quantification (CRQ) has raised its status to the top of the hypercycle, but with fame comes scrutiny and criticism. Security analysts and practitioners debate the validity of each model framework, along with the data used when modeling cyber risk. Despite this debate, there is a unifying consensus that knowing the possible range of the financial impact of a cyber event is far more optimal than flying blind. There is also proven consensus over certain breach vectors, such as open ports or patching, which serve as obvious security gaps detected externally.
What is omitted from the CRQ debate is the validity and usefulness of understanding the quantified cyber risk of an organization’s third and fourth parties. Although this type of analysis has been done by the Cyber Insurance industry for several years now, each organization needs to understand that cyber events not only surface through direct attacks, but most importantly, occur through a link of weak security dependencies.
There are three critical reasons why organizations should better understand the quantified cyber risk of their third parties and critical vendors.
Understanding Supply Chain impact of cyber attacks
The digital space has become a true ecosystem creating interdependencies between B2B product integrations and expanding the human access domain from B2E to not only B2B but also B2C. Unlike the logistics and supply chain of goods, however, the digital space not only creates a dependency in day-to-day operations but also introduces new cyber vulnerabilities that can be transferred from third parties and key vendors. It is critical to understand whether a key vendor is at risk of causing a business disruption due to a ransomware attack or whether a third party with access to your organization’s data is at risk for the data.
Fulfilling corporate governance requirements
As the impact of cybersecurity on business and organizational sustainability has taken center stage, each company is responsible for truly understanding who they are doing business with. This means that organizations need to have a comprehensive view of their third parties and vendors, and understand the level or risk these third parties carry to provide a check and balance across the ecosystem.
Cybersecurity is the biggest financial sustainability risk for an organization. Each organization doing business with another business, and each consumer relying on the business has the right to know the level of sustainability. In the spring of 2022, the SEC moved toward creating better cyber transparency by requiring cyber security reporting as the first step to ensuring that all businesses are being good stewards for their stakeholders. By understanding the financial sustainability of your critical vendors, not only can you avoid the risk of business disruption, but ensure the risk on your investments is minimized.
The SolarWinds cyber breach taught us how vast third- and fourth-party vulnerabilities can be. The recent global pandemic and conflict have taught us how interwoven our global supply chain is. It’s time to incorporate Third-Party CRQ in your business planning.