The worldwide average cost of a data breach is $4.35 million, according to a report by IBM. Companies are doing business in a global industry with operations spread out to maximize profit. With wider operations comes an increased risk of cyber-attacks—but while companies will look to shore up their own cyber defenses, research shows they should also examine the security of their third-party vendors.
Third-party cyber risk is exposure to risk via any external parties in a company’s ecosystem or supply chain. Regardless of the strength of your cybersecurity systems and threat prevention measures, your third-party vendors may not have the same standards—which in turn increases your vulnerability to attacks. This type of risk is increasingly the cause of security breaches. The services companies rely on from their partners also create more weak points. How can businesses best address this vulnerability, and what should they do to protect themselves?
Why are third-party breaches a risk?
The reality is that working with third parties increases a company’s attack surface. Attackers are able to exploit vulnerabilities in third-party networks, locating the sensitive data that has been shared with third parties.
A recent example is the Okta breach, where a hacking group attacked the company’s supply chain by exploiting a support engineer’s vulnerable network. From there, they were able to control a single workstation.
The result was that the companies Okta was providing services for were also exposed. Western Union, Ally, and amalgamated Bank opened themselves up to further cyber-attacks, demonstrating the importance of third-party risk management.
Also read: A Comprehensive Cyber Insurance Overview
The severity of a third-party data breach in your organization will vary, but there are a few common outcomes:
- Operational downtime: Precious energy must be invested in shoring up defenses, managing customer complaints, or even repairing network outages. Businesses will lose valuable operational time as a result.
- Loss of revenue and sensitive information: Losing sensitive data may put the company at risk of retaliation, loss of customers, and long-term financial costs.
- Legal complications: Every company is ultimately responsible for its own digital security and, by extension, a third party’s cyber security. Therefore, if third parties are not compliant with government regulations, the organization that depends on them can also face fines and penalties.
- Damaged reputation: Cyber security breaches can result in lengthy, public legal battles and negatively impact a company’s reputation. Effective PR can mitigate these effects, but this is also a costly and potentially long-lasting challenge to overcome.
Third-party cyber risk is difficult to manage
Companies often have hundreds of third-party relationships. The increasing dependency on vendors, manufacturers, and suppliers creates an overview issue, with companies lacking the insight needed to address the network security of their third- and fourth-party partners.
This trend will only grow as companies become increasingly global, especially with the massive shift to remote working. Every company requires a diverse set of applications, cloud technologies, and programs—all with their own vendors and set of risks. There is a definitive need for a strong third-party cyber risk management plan.
What can companies do to mitigate their third-party cyber risk?
The first step is identification. Companies should investigate their business supply chains to find potential vulnerabilities in their processes and third-party vendors. While third parties are at risk of a cyber-attack, the issue might also be how companies interact with vendors.
Next is education. Stakeholders should have a thorough understanding of the supply chain process, while staff must be trained on how to handle third-party risks. Defining your own third-party risk tolerance—which allows every employee to understand how much risk is acceptable—is critical.
The final step is implementation. Companies need to:
- Create a system that continually assesses and monitors third-party cyber risk.
- Periodically test any management or incident response plans.
- Ensure third-party contracts include regulatory compliance for cybersecurity.
- Use a “Zero Trust” policy that authenticates all users before granting access to the network.
- Implement multi-factor authentication to ensure users only gain access to a company’s network by presenting two or more pieces of evidence.
- Carry cyber insurance to protect themselves against any eventuality.
Insurance is more than risk management
As third-party cyber risk increases, so does the necessity for investment in cyber insurance. Different plans cover needs based on a company’s vulnerabilities, but that’s not the only benefit.
Organizations can now use third-party data breach settlement payments to satisfy their deductibles, as was the case for T-Mobile in 2022. The tech giant’s data breach policy required it to pay a $10 million out-of-pocket deductible before its policy kicked in. When a third-party vendor suffered a data breach in 2015, T-Mobile experienced $17.3 million in losses following lawsuits and regulatory probes. The company received $10.75 million following a settlement from its third-party vendor. Courts subsequently ruled the settlement satisfied the $10 million deductible threshold, so T-Mobile’s insurance company had to provide $7.3 million in coverage.
The legal victory will help other organizations use third-party data breach settlements to satisfy their cyber insurance deductibles, alleviating the costs of cyber insurance while benefiting from the protection it provides.
The right cyber insurance plan
Picking the right cyber insurance plan can be challenging as each has unique coverage options, such as employee sabotage. Additionally, companies often define terms differently or limit coverage to specific circumstances. Companies should discuss their specific needs with a trusted broker, relying on their expertise to highlight their business liabilities.
McGowanPRO assists companies in addressing their third-party cyber risk. Our Information Security and Data Privacy Liability Insurance offers comprehensive, highly customizable coverage for emerging data security and privacy exposures facing companies today. Contact us today to learn how we can help protect your organization.