

Uncovering first- and third-party cyber risks

Learn how to understand and mitigate third-party cyber risks, which are an inherent part of an organization’s supply chain.

Third-party cyberattacks occur when an attacker gains access to an organization’s data or systems through its supply chain, which can consist of vendors, subcontractors, and/or service providers. An attack against a single vendor can expose the sensitive data of multiple organizations simultaneously, with far-reaching consequences that can impact the bottom line and cause reputational harm.

As recent headlines indicate, these types of attacks are increasing, highlighting how critical it is for your organization to understand the cyber hygiene of the vendor ecosystem that supports your operations. Any supplier can introduce supply chain risk, but the exposure is greatest from those with technology connectivity to your environment or other access to your organization’s data.

Third-party attacks by the numbers (the figures accompanying each statistic are not reproduced here):

  • of organizations have been affected by software supply chain attacks.
  • of organizations are not satisfied with their visibility into risks across their supplier base.
  • of businesses are increasing their investments in vendor management.
  • of system intrusions in 2021 were attributed to supply chains.
  • organizations were affected by supply chain attacks last year.

How can your organization reduce third-party cyber risk?

In addition to implementing generally accepted cyber hygiene best practices, your organization should consider taking the following actions to reduce the likelihood and impact of a third-party cyberattack.

1. Determine which critical product and service providers are a part of your vendor ecosystem. This includes, where possible, identifying the critical vendors and suppliers the providers use, otherwise known as fourth-party vendors. Every company outsources parts of its operations to multiple vendors and suppliers. Those suppliers, in turn, outsource parts of their operations to other suppliers. And the process goes on and on. The larger the ecosystem, the larger the potential cyber risk and attack surface for your organization. 

2. Create and maintain an incident response plan well before an incident occurs. When crafting the plan, take into consideration third-party attacks. It’s also important to test the plan against multiple scenarios. Tabletop exercises should include key stakeholders across your organization (not only information security/IT) to test the plan’s overall effectiveness.

3. Use risk quantification to define and quantify the third-party risk. This allows your organization to determine the potential impact of an attack against a third party in its supply chain and align key stakeholders on how to treat the risk.

4. Review your existing cyber insurance policies to understand the coverage implications of an attack against a third party in the organization’s supply chain.

5. Verify that third parties have adequate cyber insurance to meet the requirements of the first-party organization. This demonstrates cyber risk management hygiene, and also that minimum controls are likely in place. Certain controls are often required to be considered insurable.
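Steps 1 and 3 above are the ones that lend themselves to a worked illustration. The following Python sketch is an added example, not Marsh’s code or methodology: it walks a constructed vendor ecosystem outward from the first party, tags each supplier as a third party (tier 1), fourth party (tier 2) and so on, flags suppliers that several of your direct vendors depend on (a single incident there disrupts more than one relationship), and ranks the assessed vendors by a simple annualized loss expectancy (breach probability times expected loss). Every vendor name, probability and loss figure is assumed for the example; one supplier is deliberately left without a risk profile to show how discovered-but-unassessed fourth parties surface.

```python
"""Vendor ecosystem mapping and a simple third-party risk quantification.

Added illustration only. The ecosystem, probabilities and loss figures below
are constructed for the example and do not describe any real organization.
"""
from collections import deque

# Constructed ecosystem: each organization lists the suppliers it depends on.
# "Acme" is the first party; its direct vendors are third parties, and the
# suppliers those vendors rely on are fourth parties.
ECOSYSTEM = {
    "Acme": ["PayrollCo", "CloudHost", "HelpdeskSaaS"],
    "PayrollCo": ["CloudHost", "IdentityProvider"],
    "CloudHost": ["DCPower"],
    "HelpdeskSaaS": ["IdentityProvider", "EmailRelay"],
    "IdentityProvider": [],
    "EmailRelay": [],
    "DCPower": [],
}

# Constructed risk profiles: (annual probability the vendor is breached,
# loss Acme expects if it is). DCPower is intentionally absent so the report
# shows a discovered fourth party that has not yet been assessed.
VENDOR_PROFILE = {
    "PayrollCo": (0.05, 2_000_000),
    "CloudHost": (0.03, 5_000_000),
    "HelpdeskSaaS": (0.08, 500_000),
    "IdentityProvider": (0.02, 4_000_000),
    "EmailRelay": (0.10, 100_000),
}


def map_ecosystem(root, ecosystem):
    """Breadth-first walk from the first party. Returns {vendor: tier} where
    tier 1 is a third party, tier 2 a fourth party, and so on. A vendor that is
    reachable by several paths keeps its closest tier; revisits are skipped, so
    cycles between suppliers cannot loop forever."""
    tiers = {}
    queue = deque((supplier, 1) for supplier in ecosystem.get(root, []))
    while queue:
        vendor, tier = queue.popleft()
        if vendor in tiers:
            continue
        tiers[vendor] = tier
        for supplier in ecosystem.get(vendor, []):
            queue.append((supplier, tier + 1))
    return tiers


def shared_dependencies(root, ecosystem):
    """For each supplier, which of the first party's direct vendors depend on
    it directly or transitively. Only suppliers reached through two or more
    direct vendors are returned: these are concentration points, where one
    incident can disrupt several vendor relationships at once."""
    dependents = {}
    for direct in ecosystem.get(root, []):
        stack, seen = [direct], set()
        while stack:
            vendor = stack.pop()
            if vendor in seen:
                continue
            seen.add(vendor)
            dependents.setdefault(vendor, set()).add(direct)
            stack.extend(ecosystem.get(vendor, []))
    return {s: sorted(d) for s, d in dependents.items() if len(d) > 1}


def expected_losses(tiers, profile):
    """Annualized loss expectancy per assessed vendor, ranked highest first.
    Returns (ranked, unassessed): ranked is a list of (vendor, tier, ale);
    unassessed lists discovered vendors that have no risk profile yet."""
    ranked, unassessed = [], []
    for vendor, tier in tiers.items():
        if vendor not in profile:
            unassessed.append(vendor)
            continue
        p_breach, loss = profile[vendor]
        ranked.append((vendor, tier, p_breach * loss))
    ranked.sort(key=lambda row: (-row[2], row[0]))
    return ranked, sorted(unassessed)


def total_expected_loss(ranked):
    """Sum of the annualized loss expectancies in a ranked list."""
    return sum(ale for _, _, ale in ranked)


if __name__ == "__main__":
    tiers = map_ecosystem("Acme", ECOSYSTEM)
    ranked, unassessed = expected_losses(tiers, VENDOR_PROFILE)
    for vendor, tier, ale in ranked:
        print(f"tier {tier}  {vendor:<18} ALE {ale:>12,.0f}")
    print(f"total ALE across assessed vendors: {total_expected_loss(ranked):,.0f}")
    print("discovered but unassessed:", unassessed)
    for supplier, dependents in shared_dependencies("Acme", ECOSYSTEM).items():
        print(f"concentration point: {supplier} underpins {dependents}")
```

In the constructed data, IdentityProvider is a fourth party that sits beneath two unrelated third parties, so it ranks above one of the direct vendors in expected loss; that is the kind of exposure that an inventory limited to direct contracts never reveals.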

Real-life scenarios

The following scenarios show some potential third-party risks that your organization may be exposed to — and their potential impact if/when they become a reality. 

Organizations can, and should, proactively bolster themselves against third-party risks. This includes defining and understanding what makes up an organization’s vendor ecosystem, engaging in proactive incident preparedness and incident response testing, and quantifying third-party risk so that its effect on the balance sheet is understood. Finally, it is critical that any third parties meet the insurance and compliance requirements of the first-party organization, which helps to minimize the impact in the event of an attack.

At Marsh, our risk advisors are available to help you evaluate and mitigate your first- and third-party risks. To start a discussion with one of our advisors, reach out to your Marsh broker or contact us below.

Contact us to learn how Marsh can help you pinpoint and manage the cyber risks in your supply chain.

Our people

Brylee Jaghbir


Head of Cyber, Pacific


Kristine Salgado

Cyber Broker Leader, Pacific

  • Australia


Hannah Morgans

Growth Leader, Cyber

  • Australia

LCPA 24/044

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) (“Marsh”) arranges this insurance and is not the insurer. The Discretionary Trust Arrangement is issued by the Trustee, JLT Group Services Pty Ltd (ABN 26 004 485 214, AFSL 417964) (“JGS”). JGS is part of the Marsh group of companies. Any advice in relation to the Discretionary Trust Arrangement is provided by JLT Risk Solutions Pty Ltd (ABN 69 009 098 864, AFSL 226827), which is a related entity of Marsh. The cover provided by the Discretionary Trust Arrangement is subject to the Trustee’s discretion and/or the relevant policy terms, conditions and exclusions. This website contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers, and before making any decision about whether to acquire a product, refer to the specific policy wordings and/or Product Disclosure Statements available from JLT Risk Solutions on request. Full information can be found in the JLT Risk Solutions Financial Services Guide.