The rise of nth party risk: What you need to know

For many years, the hacks that made headlines involved vast breaches from a single company — devastating to the people whose data was exposed, but containable events. Those are fast becoming quaint.

Increasingly, hacks are spreading malware across hundreds or even thousands of organizations by exploiting the security updates for widely-used tools. This shows that companies up and down the enterprise IT supply chain face considerable risk, not just from the vendors, suppliers and partners that companies work with directly — what is called third-party risk — but also from attacks at many degrees of separation. And some businesses may not even be aware that they are vulnerable to this “nth-party risk” — and the consequences may be devastating.

How did we get here?

Companies are eager to integrate the latest enterprise technology into their own IT stacks for ease and operating efficiency. At the same time, they're also embracing the Internet of Things — often without taking adequate cybersecurity precautions. And nearly all businesses these days have subcontractors. For example, a large bank may have 7,000 companies in its supply chain, and those 7,000 may utilize an additional 13,000. And so on. This potent combo exposes entire IT supply chains if even one company in a chain isn't properly protecting itself from cybersecurity vulnerabilities. 

How big are the potential losses in supply chain attacks?

The financial damages can dwarf those of single-party attacks. According to RiskRecon, a Mastercard company that helps organizations proactively manage cyber-risks, losses from multiparty attacks can be 13 times larger than single-party incidents, and in extreme cases may be far worse — $16 million on average in single-party incidents vs. $417 million for multiparty hacks. The number of these "ripple events" has increased 20% annually since 2008, RiskRecon found. They impact on average 10 companies beyond the initial target, but in the worst cases, their reach may be far wider — up to as many as 131 downstream firms in the most severe instances.

Who are hit the hardest?

The infiltrated supplier takes the greatest reputational blow, but often it’s small businesses who suffer the most. "Small businesses have very complex supply chain systems that they often don't even understand," says Mastercard’s Johan Gerber, executive vice president of security and cyber innovation. "They may think they're just buying from a single vendor and simply don't understand the nth-party risk above and below them.” Most businesses may have little or no insurance coverage for damage sustained from a downstream attack. That's because, Gerber says, insurance companies only underwrite what they can see; it’s difficult to underwrite what's far beyond their vision.

How is risk currently evaluated?

Typically, enterprises have evaluated risk by sending potential partners, vendors or suppliers questionnaires about their cybersecurity practices. But those are inherently flawed, as there's no way to know if the answers are accurate, or if things change over time. The problem is that companies generally lack "a consistent yardstick" to measure risk throughout their IT supply chain, Gerber says.

“We’re doing the work with our own suppliers,” Gerber continues. “If we’re not secure, how can we keep you safe? We understand who we’re doing business with and the expectations of their activities in addition to shoring up our internal defenses.”

What can businesses do to better protect themselves from nth-party risk?

Companies must learn to be diligent when it comes to measuring that risk. They must find and utilize that consistent yardstick that can produce a cyber risk rating for firms up and down their IT supply chain, giving them insight in whether any of the companies in it were impacted if an attack happens, and helping them act with the speed they need to evaluate their exposure. These sorts of risk mitigation steps also create business incentives for suppliers. If they know their competitors do a good job of evaluating and being transparent about their potential risk, they'll have to do so themselves if they want to land new contracts.

Understanding the risk third parties may pose, even beyond the cybersphere, will only become more important. Identifying all the players and providers that touch on a business, no matter how tangentially, can create efficiencies, improve service, and most critically, fortify trust. 

Ultimately, companies will have little choice but to rethink how they protect themselves, and how they work with vendors, in order to ensure better resilience against attacks. The costs of delaying are just too high.