2021 Ripples Across the Risk Surface

In today’s interconnected world, security exposures at a single organization rarely stay contained; they create a ripple effect across hundreds of downstream firms. This second edition of the Ripples report analyzes multi-party breach incidents involving three or more interrelated companies to understand how these waves of impact spread across the business value stream. By tracking publicly reported breaches over a decade, we provide empirical evidence of the dangers posed by third parties and the broader Nth-party supply chain.

The data confirms that multi-party incidents are fundamentally more devastating than isolated events. A median ripple breach event causes 10 times the financial damage of a traditional single-party breach, and the worst cases can be 26 times more damaging. This report rewards the click by deconstructing “tsunami events”—outliers that impact 50 or more companies from a single triggering incident, such as the 550 organizations hit by the Blackbaud ransomware attack.

Furthermore, the duration of these events is a critical concern for risk managers. It takes 379 days—over a full year—for a typical ripple event to impact 75% of its downstream victims. The study highlights that while initial victims bear the most cost, more than one in four downstream receivers end up paying for the majority of the ripple’s impact. This research provides the actuarial baseline needed to move beyond simple vendor monitoring toward systemic resilience.

Key Findings

• The 10X Damage Multiplier: Median ripple breach events cause 10 times the financial damage of standard single-party breaches.
• Severe Tail Risk: The worst multi-party events (95th percentile) are 26 times more financially damaging than the worst single-party events, topping $391 million.
• One-Year Exposure Lag: It typically takes 379 days for a single ripple event to progress through its entire cycle and impact 75% of its downstream victims.
• Tsunami Event Surge: “Tsunami events” are outlier ripples that impact 50 or more companies; the largest recorded in this study impacted 550 unique organizations.
• Receiver Cost Burden: In more than 25% of cases, the downstream “receivers” of the ripple end up footing the bill for most or all of the incident costs.
• Industry Response Variation: Healthcare incidents ripple the fastest due to strict reporting requirements, while hospitality events can take a year for victims to feel the full effect.
• Dominant Threat Patterns: Data breaches remain the leading generator of ripples, followed closely by privacy violations such as misconfigured cloud data stores.