The Cost of Third-Party Breaches: A Deep Dive into Financial, Reputational, and Regulatory Costs

Are you using more third-party vendors than you were last year? If so, you’re not alone. Gartner reports that 71% of organizations increased the number of third-party vendors compared to three years ago.

While today’s business environment often demands the use of third-party vendors for their expertise and for cost and time savings, this reliance requires an equal increase in third-party risk management measures. More than half — 59% — of organizations surveyed experienced a data breach caused by one of their third parties.

These incidents have wide-reaching effects. Take the Snowflake Incident earlier this year, for example, which exposed hundreds of millions of records, including sensitive data, due to compromised credentials of a third party. Not only did this incident cost the company financially — Snowflake’s stock price fell by more than 20% when the breach was made public — but it also caused reputational damage that could last for years.

The Rise of Third-Party Breaches

New technologies and new ways of doing business open up new vulnerabilities. Organizations are adopting AI models, new third-party applications, Internet of Things devices, and SaaS applications to facilitate productivity. However, the reliance on new tools expands an organization’s attack surface.

An organization can have robust security measures in place with real-time attack surface monitoring, but if its third parties aren’t secured, cybercriminals can target those vendors as an entry point for a cyber attack. Large organizations don’t have oversight into these vendors’ security setup. It’s also common for third parties to have fewer security measures in place than big, regulated organizations.

Companies with third-party risk management software that assesses and continuously monitors their vendors greatly reduce the attack surface. ProcessBolt’s fully integrated vendor risk management platform helps organizations assess and continuously monitor their vendor network efficiently. The end-to-end platform provides real-time threat intelligence and enables organizations to extract important information from corporate documentation and attack surface data for instant verification of assessment responses.

Financial Costs of Third-Party Breaches

When data is breached, businesses are disrupted, oftentimes to a significant extent. While disruptions can vary, breaches that impact multiple systems can mean long-lasting, organization-wide shutdowns, causing a loss in revenue. IBM’s Cost of a Data Breach Report 2024 says 70% of organizations experienced a significant or very significant disruption to business resulting from a breach.

To put the disruption into dollars and cents, the report shows the average cost of a data breach in the US is $9.36 million, with the global average sitting at $4.88 million — a 10% increase from last year.

Third-party breaches, specifically breaches from compromised credentials, cost $4.81 million on average. Compromised credentials are the most frequent cause of data breaches, accounting for 16% of cases. In fact, third-party breaches can increase a data breach’s cost by almost $250,000.

Gartner research shows that the cost of a third-party cyber breach is typically 40% higher than the cost to remediate an internal cybersecurity breach.

Incident response expenses like forensic investigation and notification add up quickly. Whether an outside expert is hired or an internal security team determines the scope and severity of the breach, it’s expensive to identify and rectify the breach.

Business disruption, like lost business and operational downtime, and post-breach response activities, like staffing customer service help desks and paying higher regulatory fines, are responsible for almost half of the projected costs. Reports show that these factors combined account for $2.8 million, a six-year high and an 11% increase over 2023.

Regulatory Costs of Third-Party Breaches

Multiple governing bodies in the US have rules and regulations that companies must comply with regarding cyber attacks of any kind. All 50 states have laws that require a company to notify victims of security breaches involving personal information, public companies must report cyber attacks to the SEC, and federal agencies have specific compliance requirements for companies in regulated industries like healthcare, legal services, and financial services.

The combination of regulatory fines and the expenses to notify customers and the mandated agencies can’t be overstated when it comes to third-party security breaches. The majority of companies have to report a security breach, with most reporting it within three days of the attack. A third of businesses had to pay fines to regulatory agencies, according to the Cost of a Data Breach 2024 report.

Those fines are only increasing. Organizations paid higher regulatory fines this year, with those paying more than $50,000 rising 22.7% over last year, and those paying more than $100,000 rising 19.5%. A quarter of businesses who paid fines were required to pay $250,000.

Notifying those affected cost an estimated $370,000 in 2023, which includes the process of letting customers know their data has been leaked, communicating with regulators, and in-house liaising with external specialists.

Reputational Costs of Third-Party Breaches

Security breaches garner media attention, making it almost impossible in today’s world to keep a breach between you, your customers, and the relevant agencies involved. Not only does that impact your current customers, but future ones, as well.

A loss of customer trust can be detrimental to businesses. Data breaches, especially those that involve personal data, are one of the top reasons customers move on. The IDC states 80% of consumers in developed nations will defect from a business if their information is compromised in a security breach. Lost business, including lost customers, reputational damage, and revenue loss due to system downtime, cost companies $1.47 million in 2024, up from $1.3 in 2023.

When potential customers are looking for a new service or product, they are less likely to trust an organization with their personal information if that organization has had a previous data breach. This loss of reputation can extend for years and is hard to put a price on.

How to Reduce Third-Party Risk

A dedicated third-party risk management solution can assess vendors, identify vulnerabilities, and detect risks as they emerge. ProcessBolt’s platform provides continuous attack surface monitoring, real-time risk assessments, and automated workflows to ensure that third-party relationships are compliant with industry regulations.

Third-party risk management isn’t somewhere to cut costs. Data breaches are only getting more expensive, and their impact can never be fully known.

Contact ProcessBolt’s third-party risk experts to discuss how the latest innovations in attack surface monitoring and VRM solutions can prevent third-party breaches.
