RiskRecon, a Mastercard company, and the Cyentia Institute released a study on Tuesday showing that some multi-party data breaches cause 26-times the financial damage of the worst single-party breach.
The organizations used Advisen's Cyber Loss Database to examine incidents since 2008. Almost 900 multi-party breach incidents have been observed since 2008, and 147 newly uncovered ripples were observed across the entire data set, with 108 occurring in the last three years.
The Advisen Cyber Loss Database has over 103,000 cyber events collected from publicly verifiable sources and was used extensively for the report. Since 2008, more than 2,726 incidents in the Advisen database involve more than one organization. Still, only a subset of those are what the researchers called "ripple events" -- which involve some form of B2B relationships between multiple parties.
Using that as a filter, the incident base totaled 897 incidents from 2008 to 2020. More than half of the newly identified ripples were in 2019 and 2020, and the report postulated that there is a two-year delay between when an incident takes place and when the ripple effects fully unfold, with some taking as long as five years.
A median multi-party breach causes 10 times the financial damage of a traditional single-party breach. In comparison, the worst of the multi-party breach events causes 26 times the financial damage of the worst single-party breach.
It typically takes 379 days for a ripple event to impact 75% of its downstream victims, and the median number of organizations impacted by ripple events across the data set was 4.
"While a stable number for multi-party breaches in 2020 is not likely, our analysis has already dug up 37 ripple events that swept up victims across a range of industries and scenarios last year," the report said. "The triggering events are often different, the business relationships vary, the scope of impact can vary wildly, and the depth of downstream reach is changeable. The one unifying factor is the technical integration or data sharing -- direct and indirect -- that spiderwebs across the generating organization and the recipients of downstream loss events."
The report lists a number of notable multi-party breaches, including incidents involving SolarWinds, Accellion -- which affected the Washington State Auditor's Office, New Zealand's central bank, and the high-profile law firm Jones Day -- Advanced Computer Software, which exposed hundreds of law firms, the cloud computing provider Blackbaud and more.
In each incident, the personal data of millions was exposed, and the researchers found that financial and business support organizations dominate the top two slots in terms of ripple-generating victims and recipients of downstream loss events. The professional and financial sectors together are the source of over 47% of all ripples.
"Many companies are, at some point, both the generator of one ripple event and the downstream recipient of others generated by different organizations. This is a testament to the tight technical ties that bind suppliers, customers, and partners in today's digitally dominated business environment," the report explained.
"Among those ripple events for which we have cost information, 80% involve some sort of direct financial damage. One out of five of the ripples involved ends up incurring fines and penalties, and one in 10 of them incurs response costs. While only a small fraction of ripples cause a loss of business income, such losses are particularly devastating. In those cases, the loss of income makes up 78% of costs."
The researchers found that when a ripple event triggers a loss of income, it leads to a loss of $36 million per event. Parsing through a subset of 154 ripples, the report found that most costs are borne by the initial victims of a multi-party breach.
"From the data presented in this report, one thing should be crystal clear -- no organization is safe from a multi-party ripple event. As firms of all shapes and sizes continue to allow companies to access their data, client information, employee details, etc., they also open up more paths for security incidents that can harm their business," the report's authors explained.
"The reality is while you can't protect yourself from every third-party threat, you can take control over the risks that will impact your business the most. The interconnectivity of different third- and fourth-party relationships is often hard to visualize and address."
There was a significant drop in the amount of time for ripples to disperse through third-party networks in 2012 and 2013 to less than 200 days, while the number dropped to 50 days in 2018.
The report also looked at the duration of ripples from another angle, examining the intervals of time it took for some, half, and most of the downstream recipients to feel the impact of a multi-party incident.
"Overall, 25% of firms are involved within 32 days after the initial event, 50% by 151 days, and 75% by just over a year at 379 days. This shows that the fastest impacts rippled out from incidents within healthcare, likely due to the strong reporting requirements in that space. Meantime, the hospitality and information industries take approximately a year before most downstream victims fully feel a ripple," the report found.