Third-Party Cyber Risk Management: Taking a Strategic Approach

by CybrGPT

While many companies have implemented strong security controls within their own organizations, they are often far less aware of the vulnerabilities introduced by third-party vendors, which are an increasingly common source of breaches and cyber-attacks.

Numerous high-profile companies have fallen victim to breaches as a result of third-party vendors and service providers.

According to Grand View Research, the global third-party risk management market size was estimated at $7.42bn in 2023 and is expected to grow at a compound annual growth rate of 15.7% from 2024 to 2030.

This anticipated growth reflects the increasing complexity of business ecosystems and the rising volume of cyber threats, including the adoption of AI and machine learning by cybercriminals to scale their efforts.

It is vital that organizations understand the nature of third-party attacks and take a strategic approach to protecting themselves from such incidents.

Common Types of Third-Party Attacks

Corvus has observed an increasing trend of incidents related to third-party breaches. In early 2023, approximately 15% of claims managed by Corvus were a result of vendor breaches; by early 2024 this number had grown to about 29%.

Breaches involving third parties stem from a range of entry points and attack techniques. One of the most common is phishing, a social engineering attack in which victims are tricked into handing over data such as login credentials or credit card numbers, typically for financial gain.

In business email compromise (BEC), criminals send emails that appear to come from a known source making a legitimate request. In reality, the request is a veiled attempt to steal data or money, and at times also to gain a foothold in the company's network to do further damage.

For example, attackers can use a compromised vendor's email account to request payment of a fake invoice, or impersonate personnel at a third-party HR vendor and request changes to an employee's direct deposit details so that funds are routed to an account they control.

The ransomware ecosystem also continues to drive third-party attacks. Using data collected from ransomware leak sites, Corvus Insurance's Cyber Threat Report identified 1,257 attacks in Q3 2024, following 1,248 victims in Q2 2024, the highest the company has recorded in any second quarter.

These numbers demonstrate that the level of ransomware activity remains high.

According to Black Kite's fifth annual Third-Party Breach Report 2024, unauthorized network access was the leading cause of third-party breaches, accounting for over half (53%) of incidents. This was a 26% increase from 2022, when ransomware had been the most common cause.

Regardless of the means of attack, third-party breaches produce two types of consequences that policyholders should plan for: loss of business revenue and loss of data. Depending on the services the vendor provides, the resulting disruption of operations can be crippling.

2024 Third-Party Incidents that Made the Headlines

Third-party breaches were felt across many industries in 2024, including healthcare, automotive and cybersecurity. These incidents demonstrate the impact that third-party technologies and service providers can have on the organizations that depend on them, leading to business disruptions and, in some cases, outright failures. They are a reminder that every organization relying on third-party vendors and providers inherits those vendors' vulnerabilities.

In Q1 2024, Change Healthcare, a healthcare technology company that manages payments and claims processing across the US, was breached, impacting 100 million individuals. The ransomware attack took down the payment processing system used by numerous hospitals, clinics and medical practices, disrupting billing and patient care across the country.

In Q2 2024, CDK, a software provider for automotive dealerships, was the victim of a ransomware attack. Because thousands of dealerships depended on CDK's dealer management systems, a compromise at this single third party significantly disrupted operations across all of them.

The software provider was forced to shut down its systems for a period of time, leaving car dealerships unable to access automated sales management, vehicle ordering and customer information.

Implementing Third-Party Checks and Balances

There is a range of measures organizations should take to address cyber threats originating from third parties.

Contracts

Third-party vendor contracts are important to keeping a business running smoothly. Contracts should be reviewed on a regular basis by in-house or outside counsel. Make sure they include clauses covering indemnification in the event of a breach at the vendor; without such clauses, the organization may have no legal basis for recovering its losses after a cyber-attack.

Cyber Insurance Policies

One of the main benefits of cyber insurance is that the carrier can act quickly and potentially pay the loss up front before attempting to recoup the money from the culpable vendor. If a business has cyber insurance, it is critical to understand what the policy covers, because the carrier may need to act on the company's behalf pursuant to its terms.

If the carrier needs to recover costs on the business's behalf, it will rely on the vendor contract, so having a good grasp of that contract helps the organization get immediate help. This is often critical in data breach situations.

Incident Response Plans and Manual Backups

Businesses and policyholders must take a hard look at the software and products they rely upon to operate. For example, companies have been severely affected when a breach at a vendor took their payroll software offline. In one case, the business had to revert to manual processes to keep paying its staff.

It is important to educate internal teams about how the company uses each piece of third-party software and what steps to take if that software goes down. Employee training remains invaluable.

In addition, develop an incident response plan for each third-party vendor that covers both a ransomware attack and a data breach at that vendor, including the manual fallback the business will use while the vendor's service is unavailable.

Businesses should take a strategic approach to third-party vendor management. This must involve all relevant internal departments, so that the risks are understood by everyone and do not compromise the operational effectiveness, security, compliance or reputation of the organization.
