Skip to main content


Third-party cyber risks impact all organizations

Learn how to understand and mitigate third-party cyber risks, which are an inherent part of an organization’s supply chain.

Learn how to understand, measure, and manage third-party cyber risks

Third-party cyber risks, also known as digital supply chain risks, impact all organizations, especially those that:

  • Use and/or rely on technology vendors to power day-to-day operations.
  • Entrust confidential information on clients and employees to a third-party vendor.
  • Rely on a third-party vendor for specific goods and services.

According to a recent SecurityScorecard study, at least 29% of all breaches were attributable to a third-party attack vector, meaning the core risk originated outside of the organization. Of these, 75% involved software or other technology products and services, with the remaining 25% stemming from non-technical products or services. These statistics highlight the digital interconnectivity across the supply chain — and the risks inherent within those relationships.

As recent headlines and Marsh’s claims advocates indicate, these types of attacks are increasing, highlighting how business-critical it is for your organization to understand, measure, and manage your third-party cyber risks.

Third-party risk by the numbers:

(source: OneTrust)


of organizations work with more than 1,000 third parties


of organizations report their third-party network contains more vendors than it did three years ago


of organizations have experienced significant disruption caused by a third party, whether it be a data breach or ethical violation


of organizations say their third parties have more access to organizational data assets than three years ago


of organizations report their due diligence questionnaires have expanded in recent years

How can your organization reduce third-party cyber risk loss?

In addition to implementing generally accepted cyber hygiene best practices, your organization should consider taking the following actions to reduce the likelihood and impact of a loss from a third-party cyberattack.

These actions are not one-size-fits-all. After reviewing them, your organization may want to modify them to match your specific requirements. 

  1. Determine which critical product and service providers are a part of your vendor ecosystem. This includes, where possible, identifying the critical vendors and suppliers the providers use, otherwise known as fourth-party vendors.
  2. Use risk quantification to define and quantify your third-party risk. This allows your organization to determine the potential impact of an attack against a third party in its supply chain and align key stakeholders on how to treat the risk.
  3. Create and maintain an incident response plan well before an incident occurs. When crafting the plan, take into consideration third-party attacks. It’s also important to test the plan against multiple scenarios. Tabletop exercises should include key stakeholders across your organization (not only information security/IT) to test the plan’s overall effectiveness.
  4. Review your existing cyber insurance policies to understand the coverage implications of an attack against a third party in the organization’s supply chain.
  5. Verify that third parties have adequate cyber insurance to meet the requirements of the first-party organization. This demonstrates cyber risk management hygiene, and that minimum controls are likely in place. Certain controls are often required to be considered insurable.

Real-life scenarios

The following scenarios show some potential third-party risks that your organization may be exposed to — and their potential impact if/when they become a reality. 

Click on the buttons below to learn more about each scenario.
slected option

Scenario: Uses technology vendors to power day-to-day operations; has technology connectivity to the vendor.

Potential risk: A technology disruption to the vendor discontinues the company’s operations.

Potential impact: Contingent business interruption, plus other extra expenses and costs.     

Example: An outage at a cloud provider causes website downtime and prevents order fulfilment.

Scenario: Relies on technology vendors to power day-to-day operations; has technology connectivity to the vendor.  

Potential risk: Compromising of technology company’s products/services impacts the company’s network and/or data.

Potential impact: Potential cyber incident, such as breach or ransomware attack, leading to business interruption and related costs.

Example: A software vulnerability leaves an open door for attackers, enabling them to install malicious code on the company’s network.

Scenario: Entrusts confidential information on clients and employees to a third-party vendor; is not connected to the vendor.

Potential risk: A breach of the company’s confidential information caused by the vendor.

Potential impact: Privacy incident with both first- and third-party costs.

Example: Payroll provider suffers a breach of employee information, or a technology vendor compromises client loyalty information.

Scenario: Relies on a third-party vendor for specific goods/services; does not have technology connectivity to the vendor.

Potential risk: Technology disruption to the third-party vendor halts or hinders the company’s ability to generate revenue.

Potential impact: Contingent business interruption, plus other extra expenses and costs.

Example: Network disruption impacts a company’s ability to receive its product.

Your organization can — and should — proactively bolster yourself against third-party risks. This includes defining and understanding what makes up your vendor ecosystem, and quantifying the impact of third-party risk to understand its impact on the balance sheet and learn how to possibly transfer it.

At Marsh, our risk advisors are available to help you understand, measure, and manage your third-party risks. To start a discussion with one of our advisors, reach out to your Marsh broker or contact us below.

Contact us to learn how Marsh can help you pinpoint and manage the cyber risks in your supply chain.

Our people

Tim Marlin

Tim Marlin

US and Canada Cyber Sales and Industry Leader

  • United States

Allison Pan

Allison (Allie) Pan

Senior Vice President, Emerging Risks, Marsh

Randal Waters

Randal Waters

Senior Vice President, Emerging Risks Group, Marsh Advisory, North America

  • United States