2019 Ripples Across the Risk Surface

Partner: RiskRecon by Mastercard

In the modern digital economy, a cybersecurity incident at a single organization rarely stays contained; it spawns “ripple events” that propagate through the supply chain. This report analyzes over 800 multi-party cyber incidents to understand how security failures at one firm generate downstream losses for thousands of others. We move past causal third-party research to examine the systemic financial impact of hyper-interdependency.

The analysis establishes that multi-party incidents are fundamentally more destructive than single-party ones. The median financial loss from a ripple event is 13 times larger than that of a traditional breach, with extreme “tail losses” reaching $417 million. The report also quantifies the “800% imbalance”: the unique downstream entities impacted by ripple events outnumber primary victims by a factor of eight to one.

Risk is not evenly distributed among ripple receivers. SMBs bear the brunt of these events, often suffering losses from larger enterprise incidents that they are ill-equipped to manage. This study serves as a critical warning for organizations to recognize that another firm’s breach could impact them just as much as an internal compromise, requiring a new rigor in supply chain risk management.

Key Findings

  • 13X Financial Impact: The median financial loss from multi-party incidents is 13 times larger than the median loss from a standard single-party breach.
  • 20% Annual Growth: The frequency of multi-party ripple events has been increasing at an average annual growth rate of 20% since 2008.
  • 8-to-1 Receiver Ratio: Organizations impacted downstream by ripples outnumber primary victims by over 800% (4,180 distinct downstream firms vs 512 central ones).
  • Extreme Tail Risk: 95th percentile losses for ripple events reach $417 million, compared to a comparatively scant $16 million for single-party incidents.
  • Generator Sectors: Collection agencies, banks, credit bureaus, government offices, and IT firms generate half of all multi-party incidents.
  • The One-Year Ripple: It typically takes 379 days, over a full year, for a ripple event to reach 75% of the downstream victims it eventually impacts.
  • Industry Pairing: Incidents among credit bureaus and collection agencies frequently propagate into the banking and credit card sector.

The findings are based on a multivariate analysis of 813 multi-party incidents and 5,437 downstream loss events using the Advisen Cyber Loss Database.