A new study has found that the financial losses caused by cyber-incidents affecting multiple parties are vastly more devastating than those that stem from any single-party incident.
According to the Ripples Across the Risk Surface study, published today by Cyentia Institute, when compared to losses triggered by a single-party incident, the ripple effect costs that occur following multi-party incidents result in a total loss that is a whopping 13 times greater.
Extreme losses, which sit above the 95th percentile, show an even larger discrepancy, with a loss of $16m for single-party incidents versus $417m for multi-party incidents.
The in-depth study, sponsored by RiskRecon, analyzed data from 813 cyber-incidents and closely examined their impact on numerous downstream organizations, described as secondary victims. A cyber-incident is defined in the study as an "event that compromises the confidentiality, integrity, or availability of an information asset."
The objective of this first-of-its-kind study was to raise market awareness of the far-reaching effects an incident such as a data breach can have as a result of the hyper-interdependencies of organizations.
Researchers plumbed historical data relating to 90,000 cyber-events from the cyber-loss database Advisen, finding that since 2008, 813 cyber-incidents had occurred in which at least three organizations were primary victims.
As a result of these multi-party cyber-incidents, a further 5,437 downstream loss events occurred in which secondary organizations were impacted. In fact, downstream entities affected by multi-party incidents outnumbered primary victims by 850%.
In one single incident examined by researchers, 131 different organizations were affected.
Researchers found that secondary organizations could be faced with losses equal to those experienced by primary victims.
"Our analysis reveals little difference between losses reported by primary and secondary victim organizations of a cyber incident. This suggests that another firm’s breach could impact your organization just as much (or worse) than a breach of your own systems," wrote researchers.
Analysis into the specific industries most severely impacted by ripple events was conducted through Cyentia Institute’s adoption of the North American Industry Classification System. Based on this data, the sectors that possess the highest concentration of personal data and information (credit bureaus, banks, collection agencies, and hotels) account for nearly 60% of all organizations generating ripple effects.
"Most breach research doesn’t explain the downstream impact of ripple events and that these incidents no longer simply impact a single organization," said Kelly White, CEO and co-founder of RiskRecon.
"Lacking proper third-party risk controls can contaminate the entire enterprise ecosystem where sensitive data is stored and shared."
Researchers projected that multi-party incidents will increase at an average rate of 20% per year.