How to Prevent Third-Party Events from Resulting in First-Party Losses

Recent cyber incidents highlight the growing risks associated with third-party vendors, particularly in the technology sector. These risks have resulted in a surge of cyber insurance claims, driven primarily by data breaches and, increasingly, ransomware attacks. The impact of these incidents can be severe, affecting not just the vendors but also their clients, and leading to significant financial losses.

In 2024, a ransomware attack on CDK Global, a software supplier, disrupted operations for thousands of automotive businesses, costing them an estimated $1 billion. Of that, $25 million went directly to the attackers. Another notable incident involved Change Healthcare, where a cyberattack caused billing delays for numerous hospitals and physician practices. Additionally, a faulty software update from CrowdStrike led to widespread system outages, costing insurers between $300 million and $1 billion. These examples underscore the fragility of our interconnected technology ecosystem.

The challenges of managing third-party risk are evident, especially when organizations rely heavily on a single vendor for critical functions. If that vendor suffers an outage or compromise, an organization without a backup plan may struggle to recover. This raises an important question: how many more incidents will it take for companies to rethink their reliance on cloud-based applications?

To address these risks, organizations need to assess their vendors’ cybersecurity measures. This involves understanding the changing landscape of third-party risks and utilizing detailed vendor risk reports. These reports provide insights into a vendor’s cybersecurity practices and highlight potential vulnerabilities, such as exposed digital assets or outdated systems.

Identifying risks is just the start. Organizations must also evaluate the potential impact of vendor disruptions. They should estimate how much revenue could be lost over disruptions of different lengths, whether 24 hours, three days, or longer. This analysis helps prioritize which cybersecurity issues to tackle first.

Improving cyber resilience is crucial. While focusing on vendor risks, organizations should not overlook their internal security measures. Basic practices, such as maintaining secure data backups, implementing multifactor authentication, and providing regular employee training on security awareness, are essential.

As cyber incidents continue to rise, organizations must recognize how interconnected they have become. A problem with a third-party vendor can quickly escalate into a crisis for the organization. To mitigate this risk, a comprehensive strategy is necessary. This strategy should combine strong internal security, thorough vendor oversight, and a consistent commitment to cybersecurity best practices.