NormShield Blog

What is “Cyber Risk” in Third-Party Risk Management?

Continuing our series of third-party risk management, this blog’s topic is cyber risk. In a digital world, organizations are exposed to a range of risks resulting from cyber events like phishing, data theft, ransomware, corporate espionage, etc… What’s more, these events might happen beyond the company’s knowledge.


Within a company ecosystem, the effect of a cyber event quickly multiplies, even extending to several other victims of these intersecting circles. This is what we call Third-Party Cyber Risk.
Starting from the risk terminology, here is what you need to know about cyber risk and how NormShield can help with continuous third-party cyber risk monitoring.

What is “cyber risk”?

Cyber risk is any risk from the digital world, including damage to the reputation of the company, such as financial loss, operational disruption, data breach, and a negative event affecting the information system. The cyber risk could emerge in a variety of ways such as:

  • Breaches of security to gain unauthorized access to information systems.
  • Unintentional or accidental breaches of security.
  • IT risks due to factors such as poor configuration, poor integrity,

with the most common types being

  • Malware,
  • Phishing,
  • Spear Phishing,
  • “Man in the Middle” (MitM) attack,
  • Trojans,
  • Ransomware,
  • Denial of Service attack or Distributed Denial of Service Attack (DDoS),
  • Attacks on IoT Devices.

What is Risk in “Cyber Risk”?

According to FAIR Institue, the risk is defined as ”the probable frequency and probable magnitude of future loss” associated with a specific event. In simple terms, one can identify risk as “probable loss” in a predetermined scenario. To accurately define a risk, one needs to talk about a threat scenario, the affected asset(s), their value to the organization and the possible consequences.

If one of the elements of this tuple is missing we can’t properly talk about risk. In many conversations, even the security professionals misuse the words “risk”, “cyber risk” when referring to an event or a threat. And often, the assets’ value with regards to the company itself and to regulations, sometimes even the assets themselves are ignored in those conversations.

Why terms matter for third-party risk management

It is important that (third party) risk management professionals learn to speak about risk in the same language as it will allow them to focus their limited resources on vendors who present a high probability and/or impact risk beyond the organization’s risk appetite, instead of performing time-consuming assessments on a vendor who poses a low probability of financial loss if an adverse event were to happen or on vendors who pose a little risk overall.

The Consequences of Unmanaged Cyber Risk

Unmanaged or poorly managed cyber risks can lead up to a variety of cybercrimes, with consequences ranging from data disruption to reputation and eventually to financial loss. If this is happening in a business ecosystem, the effect of a cyber event quickly multiplies, even extending to several other victims creating a ripple effect.


Take the famous Target 2013 breach as an example. Attackers hacked into Target’s network after hacking a third party vendor providing heating, ventilation, and air conditioning services. At the end of the day, the breach affected more than 60M customers across 41 states in the US and exposure of  40M credit/debit card information. Excessive access rights granted to third-party vendors and poor configuration of the system eventually allowed hackers gaining access to the customer service database. Target agreed to compensate up to $10,000 to each customer who proved to have suffered from a breach as a result of the $10 million class-action lawsuits in 2015.

Major Third-party Breaches Revealed in June 2019

Another famous cyber event creating a ripple effect was the AMCA breach.  When AMCA, a bill-collection vendor for several health institutions, was hacked through a web payment portal, the incident affected 17 health institutions including the US biggest lab testing companies, that AMCA provided service for. 

Like in the above cases, businesses often find themselves in the middle of a public relations nightmare as they struggle to recover lost assets and prevent further theft. 

The digital age has created access to so many things that were never expected. Data breaches are simply the result of exploiting the many vulnerabilities that exist in this digital environment. Assessing the risk and its value is quickly becoming a critical need for many organizations. 

So it is time for businesses to start asking this question (if not already asked): If there were a security breach or data loss, what would it cost and how can we mitigate it? 

How can NormShield help?

NormShield Third-Party Cyber Risk Rating enables enterprises to continuously assess, prioritize, and address the third-party cyber risk of any company. Using easy-to-understand technical reports, NormShield not only provides standards-based letter grades on various risk categories along with data on how to mitigate each risk in priority order but also the first-ever automated tool to measure the potential financial loss caused by an attack on a supplier or partner based on Open FAIR model. NormShield provides the substance, scale, and speed needed to effectively assess and monitor the cyber risk posture of any company or organization.

By providing Cyber Rating (technical), Compliance Estimations (policies and processes) and Open FAIR results (the probable impact in financial numbers), NormShield’s vision is to give a 3-dimensional risk picture of a third party.

Measure Cyber Risk in Dollars & Cents

Having the capacity to use a FAIR assessment at scale for third-party risk management elevates your risk management program. This tool will help attain the goal of cost-effectively achieving and maintaining an acceptable level of loss exposure, while also clearly conveying the breadth of risk factors across the organization.

Learn more at www.normshield.com.