Balancing Third-Party Risk

Partner: RiskRecon by Mastercard

Organizations frequently operate under polarized assumptions regarding third-party risk: either that their vendors are secure by default, or that they are all liabilities waiting to explode. This research tests those assumptions by examining the balance of cyber risk across over 50,000 business-to-business relationships. By comparing the security ratings and finding densities of sourcing firms against their specific vendors, we move past blind assumptions into empirical knowledge.

The data reveals a stark reality: 99.5% of organizations have at least one vendor in their risk management program with a cyber risk rating of “D” or “F”. While the typical organization is larger than its vendors, nearly 30% of relationships involve a vendor with a worse security posture than the sourcing firm. The report then deconstructs the “contagion” effect of these relationships, showing how firms inherit exposure to a wider variety of security issues than they manage in-house.

Achieving a healthy balance in a digital ecosystem requires more than point-in-time annual questionnaires. Objective data from continuous monitoring allows teams to identify “bad apples” before they spoil the whole supply chain. This study serves as a guide for risk professionals to move from assumptions to real-time risk quantification.

Key Findings

  • The Ubiquity of D/F Vendors: 99.5% of organizations monitor at least one vendor that currently has a failing security rating.
  • The Remediation Chasm: High-risk vendors in this study typically have 4.5x higher critical finding density than the firms they serve.
  • Imbalanced Breach Histories: 86% of business-to-business relationships involve parties where one side has a recent breach history and the other does not.
  • Exposure to Novel Risks: Firms typically inherit exposure to 3x as many unique types of security issues through their partners as exist in their own internal infrastructure.
  • The Compounding Effect of Choice: Blindly choosing 50 of the least secure vendors results in 30x more risk exposure than choosing 50 firms with high security standards.

Independent analysis by Cyentia Institute of security assessments from over 50,000 B2B relationships extracted from the RiskRecon platform.