The fundamental truth about third-party risk is that an organization can abstract away IT complexity and outsource IT work, but it can never outsource the cyber risk.
When a third party breaches your customer data, the customer still comes to you for accountability. No matter who exposes the information, headlines still feature your company’s name when your data is breached.
Cyber ripple events are a troubling class of multi-party incidents that affect numerous organizations with both direct and indirect connections to the initial victim. A recent study of ripple events shows that they can cause 13x the financial damage of a single-party incident.
Some dramatic recent examples that demonstrate the ripple dynamic in action include:
Computer Facilities
A third-party marketing firm working with Nedbank, one of South Africa’s biggest financial institutions, recently exposed personal data of 1.7 million customers of the bank. Nedbank used Computer Facilities to run SMS and email marketing campaigns. A compromise of the third party’s systems led to the exposure of all the data that Nedbank had shared with it.
AMCA
A breach of systems at American Medical Collection Agency (AMCA) compromised the personal information of over 24 million individuals. This single event at a third-party collection agency caused costly downstream impact at 29 different client companies that shared patient information with it.
Rocktop Partners
More than 24 million financial and banking documents related to mortgages originated by numerous institutions, including Citibank, Wells Fargo, Capital One, and the Department of Housing and Urban Development, were exposed by an unsecured cloud instance run by a small fintech startup, Optics ML. The company had been tasked to run a cloud database for Ascension, a data and analytics company run by the parent company Rocktop Partners, which buys distressed loans and mortgages. The incident shows how third-party ripples can run in many concentric circles.
These are no isolated incidents. Cyber ripple events with downstream impact upon other organizations are demonstrably on the rise. Recent research shows they have been increasing 20% annually since 2008.