As many enterprises are finally starting to wrap their arms around the problem of third-party risk, they're also recognizing that the risks they incur from connections with outside organizations may extend much further than they first realized.

That's because every vendor that a company utilizes likely has anywhere from dozens to hundreds of other vendors of its own. Those vendors have vendors, and so on. It can quickly become a chain of downstream relationships with fourth parties, fifth parties, and Nth parties introducing their risk factors to the ecosystem they're plugged into.

The scary thing for enterprises is that these Nth-party vendors represent an even greater risk than the third parties because the first party has virtually no knowledge of who those Nth parties are, let alone any understanding of or influence over their respective security postures. Even more than a lack of visibility or control is the problem of scope. We've heard large organizations explain to us that Nth-party risk is an order of magnitude broader than third-party risk because when a first party has 1,000 third parties who also have 1,000 vendors themselves, the number starts multiplying quickly.

Because the connections to Nth parties can be tenuous, difficult to track, and so quietly pervasive, it might seem easier to just defer the risk. But research and news headlines are starting to show that Nth-party risk is increasingly rearing its head with real-world financial impacts to businesses. Recently we released a report that showed how devastating Nth-party risk has been to organizations over the last few years. Based on analysis by data scientists with Cyentia Institute, our Ripples Across the Risk Surface report showed that multi-party breaches can cause costly cyber ripples across numerous downstream Nth parties. These ripple events end up causing 13x the damage of single-party events. And they're on the rise, increasing on average by 20% annually since 2008.

What's more, when these kinds of breaches hit your Nth party, you may not have the same kind of liability coverage from your insurers as you would over internal or even third-party incidents. Many Nth-party breach effects exist in the gaps and gray areas of standard cyber insurance policies. These are the kind of exclusion clauses that insurance companies live for, as they're often overlooked by organizations when they have their policies written up.

Right now at RiskRecon, we see many of our larger clients currently grappling with this tough problem of Nth-party risk. Everyone is trying to figure out an approach that can move the needle for them as a first party trying to limit their risk exposure. Nobody has clear answers yet.

Stay tuned for part two of this blog as we dive into the discussions you should have with your vendors to help minimize your third-party risk.