
Third-party cyber risk is real, costly, and a business problem

Vendor outages are hitting corporate pocketbooks more than ever before.



CFOs know all too well the financial risks of a cybersecurity breach, especially when an attack grinds business to a halt. But it’s not just your company getting breached that you have to worry about; cyberattacks on your vendors can also prove damaging.

A rash of widespread vendor outages is a wake-up call to finance leaders that third-party cyber risks can be just as disruptive to their business as direct attacks—and, according to experts, companies can do a lot more to manage that risk.

“I think we are miles away from where we need to be in organizations managing [third-party cyber risk] and insurance underwriting for it,” Alexandra Bretschneider, cyber practice leader at insurance broker Johnson, Kendall & Johnson, told CFO Brew. “And I think there’s a lot of improvement yet to come.”

“This really is not just an IT problem,” either, according to Karen Walker, CFO of cloud security platform Sysdig. “Cybersecurity has now quickly become a strategic imperative for companies,” Walker told us. “When vendors get compromised, it’s not just the data at stake. It’s revenue, it’s reputation, and it’s regulatory exposure as well.”

It’s the downtime. Resilience, a cyber insurance and risk management firm, reported that in 2024, for the first time, claims stemming from third-party incidents resulted in financial losses for its customers. Third-party incidents made up nearly a quarter of claims with incurred losses last year, compared with 0% the year before. In other words, before 2024, third-party losses never rose to the level that required a payout.

What made third-party incidents suddenly more expensive? Before last year, most of the impact from vendor incidents involved just a data breach, Ann Irvine, Resilience’s chief data and analytics officer, told CFO Brew.

“That wasn’t very often resulting in financial losses to our customer,” Irvine said. “The credit monitoring and notifications and all of that work would generally be covered by the vendor that suffered the data breach and their insurance providers.” But last year, these incidents started to impact customers’ operations, she said.

Perhaps the most widely publicized example was last year’s CrowdStrike outage, which affected customers across industry sectors. Delta estimated the outage cost the company a half-billion dollars.

Other major events included ransomware attacks on Change Healthcare and CDK Global. The CDK incident last summer left some car dealerships unable to sell vehicles. Those affected “quickly lost income, because folks would go down the street and buy a car from a different dealership,” Irvine said.

Lots to do. But how exactly can an organization prepare for a vendor outage? Several things, actually.

“What I think is most important for the CFOs to think about,” Bretschneider said, is adding business interruption scenarios to their set of tabletop exercises. Organizations may already do that for data breach and ransomware scenarios. But it’s not as common to practice for cases of cyber-related business interruption, she said.

Bretschneider explained that a tabletop exercise will help answer the question: “If you’re down, and it’s not from a physical peril and you’re not operable, what is the financial impact to the business?”

“This goes into your business continuity disaster recovery planning,” she said. “So you create an extension of that plan from a cyber-related incident and focus entirely on the operational impact.”

Risk management experts have told us before that organizations should have backup suppliers in the event of a major supply chain disruption. That strategy doesn’t apply to software vendors. It isn’t financially prudent to pay for two core platforms just in case, and duplicating data for the second platform is in itself “a dangerous concept,” Bretschneider said.

Walker said vendor contracts should contain “clear language” spelling out what the vendors will do to protect data and what their responsibilities are during an attack or outage.

Companies can also transfer some of their third-party risk through cyber insurance. But organizations must ensure those risks are included and that they have adequate coverage, our experts cautioned.

Go team! Managing third-party cyber risk is far from a solo effort.

Chris Hennesey, enterprise strategist at AWS and former VP of finance at Capital One, recommended finance execs build a relationship with their CISO to help address third-party risk. “There’s a lot they can actually learn from each other,” he said. “So I use this as an opportunity to build a bridge for CISOs and CFOs within customers, because it’s not…an active, engaged relationship in many orgs. A lot of times in large enterprises, they operate in very different worlds inside of the organization.”

The C-suite and board need to be on the same page in understanding the cyber threat landscape and what their organization’s security posture should look like, Walker said.

“Cybersecurity can no longer be five minutes at the end of the board meeting [for] discussion,” she said. “It needs to be part of a routine update.”
