Almost one in three cyber breaches are attributable to “third-party attack vectors”, meaning the core risk originated outside the targeted organisation, according to Marsh.  

Three-quarters of these incidents involved software or other technology products and services.

“These statistics highlight the digital interconnectivity across the supply chain – and the risks inherent within those relationships,” the global broker says.  

Digital supply chain risks affect all organisations, especially those that use technology vendors, entrust confidential information on clients and employees to a third party, or rely on outside vendors for goods and services.

Attacks are increasing, Marsh says, and it advises businesses to “understand, measure and manage your third-party cyber risks”.  

The broker says 60% of organisations work with more than 1000 third parties.

Executives should, where possible, identify critical vendors and suppliers that their providers use – otherwise known as fourth-party vendors.

“Create and maintain an incident response plan well before an incident occurs,” Marsh says. “Take into consideration third-party attacks. It’s also important to test the plan against multiple scenarios.”

Marsh also recommends reviewing cyber insurance policies to understand the coverage implications of an attack against a third party in the supply chain.

“Verify that third parties have adequate cyber insurance to meet the requirements of the first-party organisation.

“This demonstrates cyber risk management hygiene, and that minimum controls are likely in place. Certain controls are often required to be considered insurable.

“Your organisation can – and should – proactively bolster ... against third-party risks. This includes defining and understanding what makes up your vendor ecosystem, and quantifying the impact of third-party risk to understand its impact on the balance sheet and learn how to possibly transfer it.”