
Article

Third-party cyber risks impact all organizations

Learn how to understand and mitigate third-party cyber risks, which are an inherent part of an organization’s supply chain.

Learn how to understand, measure, manage, and respond to third-party cyber risks

Your organization is exposed to third-party cyber risk if it does any of the following:

  • Uses and/or relies on technology vendors to power day-to-day operations.
  • Entrusts confidential information on clients and employees to a third-party vendor.
  • Relies on a third-party vendor for specific goods and services.

According to the 2025 Verizon Data Breach Investigations Report (DBIR), 30% of breaches involve third parties, meaning the core risk originated outside the organization. This figure is double last year's, fueled by vulnerability exploitation and business interruptions. It highlights the digital interconnectivity across the supply chain and the risks inherent in those relationships.

As recent headlines and Marsh’s claims advocates indicate, these types of attacks are increasing, highlighting how business-critical it is for your organization to understand, measure, and manage your third-party cyber risks.

Manage third-party cyber risks as you would your own

Threats posed by supply chain vendors are more prevalent than ever

  • 70% of organizations experienced at least one material third-party cyber incident in the past year.
  • 88% of organizations are concerned about supply chain cybersecurity risks.
  • 30% of breaches are linked to third-party involvement, twice last year's share.
  • Fewer than 50% of organizations monitor cybersecurity across even half of their supply chain.
  • 26% of organizations include incident response in their supply chain cybersecurity programs.

How can your organization reduce third-party cyber risk loss?

In addition to implementing generally accepted cyber hygiene best practices, your organization should consider the following actions to reduce the likelihood and impact of a loss caused by a third-party cyberattack.

These actions are not one-size-fits-all. After reviewing them, your organization may want to adapt them to its specific requirements.

  1. Determine which critical product and service providers are part of your vendor ecosystem. Where possible, also identify the critical vendors and suppliers those providers rely on, known as fourth-party vendors; a single fourth party shared by several of your direct vendors is a concentration of risk that is easy to miss.
  2. Use risk quantification to define and quantify your third-party risk. This allows your organization to estimate the potential impact of an attack against a third party in its supply chain and to align key stakeholders on how to treat the risk.
  3. Create and maintain an incident response plan well before an incident occurs. When crafting the plan, take third-party attacks into consideration, and test the plan against multiple scenarios. Tabletop exercises should include key stakeholders across your organization (not only information security/IT) to test the plan's overall effectiveness.
  4. Review your existing cyber insurance policies to understand the coverage implications of an attack against a third party in the organization's supply chain.
  5. Verify that third parties carry cyber insurance adequate to meet the requirements of the first-party organization. This demonstrates cyber risk management hygiene and indicates that minimum controls are likely in place, since insurers generally require certain controls before they will consider a risk insurable.
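The following is an added example, not Marsh's code or model, showing how steps 1 and 2 above fit together in practice: a small vendor-dependency graph that includes fourth parties, with a per-vendor loss estimate. The vendor names, dependencies, daily-loss figures, outage lengths and probabilities are all constructed for illustration. The point it makes that the list alone does not: when you roll single-loss expectancy up through the graph, a fourth party you never contracted with can turn out to be one of your largest single points of failure.

```python
"""Hypothetical third-/fourth-party exposure model (constructed data, added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Vendor:
    """A supplier in the ecosystem. depends_on lists the suppliers it relies on,
    i.e. fourth parties from our point of view."""
    name: str
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Exposure:
    """Constructed loss assumptions for a vendor we contract with directly."""
    daily_loss: float    # revenue lost plus extra expense per day the vendor is unavailable
    outage_days: float   # expected length of a material disruption
    p_annual: float      # estimated probability of such a disruption in a year

    @property
    def single_loss(self) -> float:
        """Single-loss expectancy for one disruption of this vendor."""
        return self.daily_loss * self.outage_days

    @property
    def annualized_loss(self) -> float:
        """Annualized loss expectancy: probability times single-loss expectancy."""
        return self.p_annual * self.single_loss


# Constructed ecosystem: three direct vendors, two of which share a hosting provider.
ECOSYSTEM: Dict[str, Vendor] = {
    "crm-saas": Vendor("crm-saas", ["cloud-a"]),
    "payroll-provider": Vendor("payroll-provider", ["cloud-a", "idp-x"]),
    "logistics-partner": Vendor("logistics-partner"),
    "cloud-a": Vendor("cloud-a"),   # fourth party: hosts crm-saas and payroll-provider
    "idp-x": Vendor("idp-x"),       # fourth party: identity provider used by payroll-provider
}

# Constructed exposure figures for the vendors we contract with directly.
DIRECT: Dict[str, Exposure] = {
    "crm-saas": Exposure(daily_loss=40_000, outage_days=3, p_annual=0.10),
    "payroll-provider": Exposure(daily_loss=5_000, outage_days=5, p_annual=0.05),
    "logistics-partner": Exposure(daily_loss=80_000, outage_days=2, p_annual=0.08),
}


def transitive_dependencies(ecosystem: Dict[str, Vendor], name: str) -> Set[str]:
    """Every supplier reachable from `name` (fourth parties and deeper), cycle-safe."""
    seen: Set[str] = set()
    stack = list(ecosystem[name].depends_on)
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(ecosystem.get(dep, Vendor(dep)).depends_on)
    return seen


def impacted_vendors(ecosystem: Dict[str, Vendor], direct: Dict[str, Exposure],
                     failed: str) -> Set[str]:
    """Direct vendors whose service we lose if `failed` suffers a disruption."""
    return {v for v in direct
            if v == failed or failed in transitive_dependencies(ecosystem, v)}


def single_point_losses(ecosystem: Dict[str, Vendor],
                        direct: Dict[str, Exposure]) -> Dict[str, float]:
    """For every node in the ecosystem, the combined single-loss expectancy of the
    direct vendors that go down with it. Shared fourth parties surface here."""
    nodes = set(ecosystem) | {d for v in ecosystem.values() for d in v.depends_on}
    return {n: sum(direct[v].single_loss for v in impacted_vendors(ecosystem, direct, n))
            for n in nodes}


def total_annualized_loss(direct: Dict[str, Exposure]) -> float:
    """Portfolio annualized loss expectancy across all direct vendors."""
    return sum(e.annualized_loss for e in direct.values())


def ranked_single_points(ecosystem: Dict[str, Vendor],
                         direct: Dict[str, Exposure]) -> List[str]:
    """Nodes ordered by how much single-loss expectancy they concentrate."""
    losses = single_point_losses(ecosystem, direct)
    return sorted(losses, key=lambda n: (-losses[n], n))


if __name__ == "__main__":
    losses = single_point_losses(ECOSYSTEM, DIRECT)
    for node in ranked_single_points(ECOSYSTEM, DIRECT):
        kind = "direct" if node in DIRECT else "fourth party"
        print(f"{node:18} {kind:12} single-loss exposure: {losses[node]:>10,.0f}")
    print(f"portfolio ALE: {total_annualized_loss(DIRECT):,.0f}")
```

With the constructed figures, `logistics-partner` is the largest single point of failure, but `cloud-a`, a fourth party with no contract and no exposure entry of its own, ranks second because it takes both `crm-saas` and `payroll-provider` down at once. That is the kind of finding that the vendor-ecosystem mapping in step 1 exists to surface, and that the quantification in step 2 lets you put in front of stakeholders as a number rather than an anecdote.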

Real-life scenarios

The following scenarios show some potential third-party risks that your organization may be exposed to — and their potential impact if/when they become a reality. 


Scenario: Uses technology vendors to power day-to-day operations; has technology connectivity to the vendor.

Potential risk: A technology disruption to the vendor discontinues the company’s operations.

Potential impact: Contingent business interruption, plus other extra expenses and costs.     

Example: An outage at a cloud provider causes website downtime and prevents order fulfilment.

Scenario: Relies on technology vendors to power day-to-day operations; has technology connectivity to the vendor.  

Potential risk: A compromise of the technology vendor's products or services affects the company's network and/or data.

Potential impact: Potential cyber incident, such as breach or ransomware attack, leading to business interruption and related costs.

Example: A software vulnerability leaves an open door for attackers, enabling them to install malicious code on the company’s network.

Scenario: Entrusts confidential information on clients and employees to a third-party vendor; is not connected to the vendor.

Potential risk: A breach of the company’s confidential information caused by the vendor.

Potential impact: Privacy incident with both first- and third-party costs.

Example: Payroll provider suffers a breach of employee information, or a technology vendor compromises client loyalty information.

Scenario: Relies on a third-party vendor for specific goods/services; does not have technology connectivity to the vendor.

Potential risk: Technology disruption to the third-party vendor halts or hinders the company’s ability to generate revenue.

Potential impact: Contingent business interruption, plus other extra expenses and costs.

Example: Network disruption impacts a company’s ability to receive its product.

Your organization can, and should, proactively bolster itself against third-party risks. This starts with defining and understanding what makes up your vendor ecosystem, then quantifying third-party risk so that its effect on the balance sheet is understood and options for transferring it can be evaluated.

At Marsh, our risk advisors are available to help you understand, measure, manage, and respond to your third-party risks. To start a discussion with one of our advisors, reach out to your Marsh broker or contact us below.

Contact us to learn how Marsh can help you pinpoint and manage the cyber risks in your supply chain.

Our people

Tim Marlin

  • United States

Allison (Allie) Pan

  • United States
