- It takes more than a year, 379 days, for 75% of victim companies to experience the downstream impact of a cyber incident, according to research by RiskRecon and the Cyentia Institute. Ripple cyber events, where one incident has cascading effects for other organizations, are identified as widespread third-party breaches or a supply chain breach.
- A third-party incident impacts organizations with direct ties to the initial victim company. Supply chain incidents have a "cascading" impact across customers with direct relations to the victim company and the third party's customers. The research was based on observational data of publicly reported breaches since 2008. Researchers referred to Advisen's Cyber Loss Database, which includes data on 103,000 cyber events, which in part showcases organizations impacted by a singular incident.
- Since 2008, the database included at least 2,726 common incidents that hit multiple organizations. Only 897 of the incidents are considered true ripple events, involving B2B relationships between multiple parties.
The report is based on public reporting, but researchers suspect reported ripple incidents between 2019 and 2020 will become more apparent by 2022 or 2023.
"In my former experience as a governance practitioner, a lot of this comes down to visibility. Many firms aren't aware of their connections to other companies, let alone all of the dependencies their direct vendors have upon other firms," said David Severski, senior security data scientist at Cyentia. Just because an organization has policies prohibiting the use of certain vendors, doesn't mean the policy holds for the third parties they work with, let alone those partners' relationships.
"Experiences like COVID-19 have shown us that we're all connected in surprising ways," Severski said.
There are two types of victims, according to the report: the generator of a ripple incident and the downstream recipients.
All organizations will likely fit both categories in time because of the technological reliance companies have on one another. At any given time, a company's livelihood will depend on another company's ability to recover from a cyberattack.
"It's fair to say that an organization already struggling with technology governance is going to have much larger problems when multiplied across the many firms organizations rely upon to deliver goods and services," Severski said.
For example, when Colonial Pipeline shut down its pipeline due to a ransomware attack, it was not a traditional ripple incident and the ransomware infection did not spread to other partners. However, the pipeline closure halted the businesses relying on its operation.
But holding Colonial Pipeline financially accountable for its partners' losses is difficult to execute. "Incident reporting has a lot of victim-shaming that I personally try to avoid. Identifying the source firm of these multi-party events at scale is very challenging," Severski said.
While loss of business income is only present in about 4% of ripples, typical costs following an incident can reach $36.4 million, but extreme cases can exceed $1.3 billion, the research found.
The most common component of multi-party incidents is the financial damage, with average costs of $432,000 but can exceed $163 million. More than 80% of ripple incidents have financial damage-related costs.
Ripple events have other costs though, and not every downstream victim shares the same losses. One-fifth of ripple incidents have other fines or penalties averaging $1.7 million, and 15% of ripples have about $8.3 million in response costs. Professional and financial services are the top generators and recipients of ripple events, the report found.
Ripple incidents are typically a blend of causes. "Many ripple events start as a widespread third-party breach that kicks off multiple supply chain breaches all at once," the report found. The most common types of ripples are data breach, denial or disruption of service, or privacy violations.
Surprisingly, ransomware is not categorized as a ripple incident. But this classification reflects more of a difficulty in labeling the root case of a ripple event. Thirty-four of the ripple events observed in the research had components of ransomware, but they ultimately fell into the category of data breach or DDoS, though the Kaseya ransomware attack is an example of a supply chain ripple attack.
"While saying that ransomware was ultimately the root cause wasn't a claim we could solidly make, the theme is present in many events," Severski said. "We're working on an expanded category and patterns system to bring more nuance to these classifications, helping us to answer this better in future work."