The Cyentia Institute published “Ripples Across the Risk Surface,” an in-depth study sponsored by RiskRecon that analyzes more than 800 cyber incidents and the impact on multiple downstream organizations. According to the study, multiparty loss events that impact thousands of downstream organizations, otherwise known as “ripple events,” result in 13 times larger financial loss than traditional single-party incidents.
The objective of this study is to raise market awareness on the hyper interdependencies organizations have on other organizations, and the ripple effect that grows by an order of magnitude beyond that singular data loss event.
“Media headlines continue to fixate on the number of records breached within a single organization, but they rarely tell the full story,” RiskRecon CEO/co-founder Kelly White said in a statement. “Most breach research doesn’t explain the downstream impact of ripple events and that these incidents no longer simply impact a single organization. Together, Cyentia and RiskRecon are exposing an often-overlooked pattern: lacking proper third-party risk controls can contaminate the entire enterprise ecosystem where sensitive data is stored and shared.”
Cyentia Institute leveraged cyber loss database Advisen for an objective view into historical data comprised of more than 90,000 cyber events. Of those events, Cyentia found that since 2008, more than 800 cyber incidents involved at least three organizations. Of these approximately 800 multiparty incidents, a total of 5,437 downstream loss events occurred—i.e., organizations impacted by cyber incidents other than the primary victim.
Analysis into the specific industries most severely impacted by ripple events was conducted through Cyentia Institute’s adoption of the North American Industry Classification System. Based on this data, the sectors that possess the highest concentration of personal data and information (hotels, credit bureaus, banks and collection agencies) account for nearly 60 percent of all organizations generating ripple effects. It’s these same industries that also typically have large digital footprints and often maintain extensive third-party relationships.
In fact, downstream entities affected by multiparty incidents outnumber primary victims by 850 percent. To further highlight the takeaways of this analysis, based on historical insight, it is projected that multiparty incidents will continue to overall increase at an average rate of 20 percent per year.
“As an industry, we’ve waited far too long to address the interconnected nature of today’s risk landscape,” said Wade Baker, founder of Cyentia Institute. “The startling truth from the data is that complex digital ecosystems fuel the kind of cyber incidents that send dangerous ripple effects across numerous organizations. Together with RiskRecon, we hope that our study looking at the increasing rate and severity of multiparty data loss events will instill an immediate response to improving the way we manage risk across every facet of business.”