For some years now security experts have rung the alarm bells over the risk of third-party breaches. Enterprises are starting to understand that the security weaknesses at third parties with whom they share data or technical connections can directly impact their own internal risk surface.

Now, the question for the security industry is how many of these third-party breaches impact far more than one other party with some kind of financial loss? And what's the typical total collateral damage that ripples across different organizations in a multi-party cyber incident?

Those are the questions that RiskRecon brought to bear together with the data science experts at Cyentia Institute in the latest installment of our series of exploration around enterprise risk surfaces: Ripples Across the Risk Surface.

The report examines the particulars around what we call cyber ripple events.

Ripple events are multi-party cyber incidents that affect numerous organizations that have both direct and indirect connections to the initial victim.  

Ripple events typically involve the compromise of a central victim that then generates downstream data loss events at various other third-parties. Often the impact also jumps across degrees of separation, with loss events generated at other fourth-, fifth-, and n-th parties as well.

According to this seminal piece of research, we found:

  • Financial loss from ripple events is 13x larger than single-party incidents
  • The average ripple event impacts 10 firms beyond the original victim
  • The most severe ripple events impacted 131 firms beyond the original victim
  • Ripple events are growing more common, increasing 20% annually since 2008
  • Companies in finance, administrative, and information sectors tend to both cause and receive the most impact from ripple events

This research lines up with the reality that technical relationships are rarely just one-to-one these days. In the age of digital transformation, data aggregation, and platform integration, the most crucial sets of sensitive data travel through many sets of hands over the course of their lifecycles. Enterprises frequently connect with a host of collaborators to build out digital ecosystems, including vendors, partners, and even competitors. 

The data provided in Ripples Across the Risk Surface offers CISOs, risk officers, and digital strategists some of the first concrete evidence of the widespread risks that accompany this kind of expanding digital footprint. These details can help technology and business leaders make informed decisions about why and how they need to address their third-party risks to meet these demands.

The data scientists from The Cyentia Institute created an interactive chart based on the findings from the report to showcase how the interconnected nature of third-party risk among industries.  Check it out below:

To the right you will find an interactive chart based on data from the Ripples Across the Risk Surface report. We suggest reading the report for the full context, but we'll briefly describe the gist of what you're looking at here. At a high level, the chart reveals the highly inter-connected nature of third-party risk among industries. The connecting ribbons trace the "ripple effects" from cybersecurity incidents generated by certain industries to those on the receiving end of downstream loss events from those incidents. 
For example, placing your cursor over “Finance Generated" shows that the Finance sector generated 934 loss events that impacted the other sectors highlighted in varying degrees. The thickness of the ribbon reflects the proportion of Finance-generated loss events observed over the last decade for each downstream sector. Highlighting the "Finance Received" section shows the opposite perspective - sectors that most commonly generate events impacting financial firms.
We realize the chart is dense and rather difficult to interpret…but that's actually precisely the point. Third-party risk is inherently complex and the effects when things go wrong even more so. We hope this chart, along with the comprehensive analysis found in the full report, offer valuable insights to organizations seeking to better understand and manage those risks.