Continuing our series of third-party risk management (TPRM), this blog’s topic surrounds the cyber ecosystem and how its security matters in relation to third party risk management. In our previous blogs we dove into the TPRM terminology starting with the definitions of “third party”, “risk” and “cyber risk”.

Whether it be ERM or TPRM, we believe an effective risk management process starts with speaking the right language. Here is what you need to know about cyber ecosystems,  and how Black Kite can help with continuous third-party risk monitoring in a cyber ecosystem.


What is a “cyber ecosystem”?

While an ecosystem includes a variety of living things (plants, animals and organisms) and non-living things (earth, sun, soil, atmosphere) in a given area interacting with each other, the cyber ecosystem similarly comprises a variety of participants digitally linked to each other. The core business being at the heart, the players of a cyber ecosystem may vary from private firms, non‐profits, governments to processes, cyber devices, and even human-beings. 

We call the entities in such an ecosystem “third parties” , as you may recall from our latest blogs.

Ripple effects in a “cyber ecosystem”

The entities in a cyber ecosystem, whether they be humans, services or companies, interact in ever-changing ways much like in the natural world. Therefore, a “cyber ecosystem” creates a target-rich environment for hackers to exploit vulnerabilities with the aim of stealing personal data and identities, and even company secrets. However, it is not always the company itself, but third parties that malicious agents target.

Threat actors sneaking through the cracks hit “third parties” to harvest information, leading them to larger organizations that create a ripple effect.

When AMCA, a bill-collection vendor for several health institutions, was hacked through a web payment portal, the incident affected 23 healthcare institutions. These institutions include the biggest U.S. lab testing companies, in which AMCA provided service. The breach eventually affected about 24 million people, most of whom didn’t have a direct relationship with the AMCA.

Another juicy target for hackers is credit card data in a cyber ecosystem, just as in the case of  TicketMaster and the British Airways breach. The target hackers sought after was the British Airway’s external website application. As the customer typed their credit card details and personal information, a malicious Javascript code in the British Airway’s website was smuggling these details into the hands of cyber criminals.

According to recent research, financial loss from ripple events is 13 times larger than in single-party attacks.

How does security matter in a cyber ecosystem?

Billions of dollars are spent by corporations and government systems to

fend off cyber threats each year. Often, investments aren’t enough. Threat actors sneak through the cracks of the “third parties” to reach larger organizations.

Our latest study presents an analysis on third-party related breaches in 2019.
We analyzed 66 major data breaches of 2019 caused by third parties in search for the culprits behind a breach. Online payment software when outsourced as a third-party service had induced many attacks in 2019 becoming the frontrunner in attracting hackers. This was followed by educational software, malicious web site scripts utilized in credit card skimming and cloud services as well.

Click for a detailed study.

These external entities such as AMCA or Click2Gov or external website scripts were third parties in a cyber ecosystem. What is more dangerous is that the links with these entities are so inherent and part of everyday use that most of them are hardly accounted for as third parties in the company inventory, being overlooked from a third-party perspective. 

As a result, companies end up sharing an extensive amount of sensitive data with these third parties beyond their knowledge.

How to rate your Cyber Ecosystems?

Black Kite’s platform aims to provide full visibility into a cyber ecosystem. It enables enterprises to continuously assess third-party risks, assigns a letter grade to each vendor, correlates findings with industry standards to inform compliance requirements, and determines probable financial impact if a third-party experiences a breach. 

The Black Kite Platform’s intuitive interface and reports communicate risks in qualitative, quantitative, and easy to understand business terms for executives, and allows IT-security teams to drill down to the technical details in each risk category. 

With the alerting mechanism, the users of the platform become aware of the security vulnerabilities within a cyber ecosystem promptly and can take immediate actions.

How to make informed decisions in a Cyber Ecosystem?

Black Kite Third-Party Cyber Risk Rating enables enterprises to continuously assess, prioritize, and address the third-party cyber risk of any company. Using easy-to-understand technical reports, Black Kite not only provides standards-based letter grades on various risk categories along with data on how to mitigate each risk in priority order but also the first-ever automated tool to measure the potential financial loss caused by an attack on a supplier or partner based on the Open FAIR™ model. Black Kite provides the substance, scale, and speed needed to effectively assess and monitor the cyber risk posture of any company or organization.

By providing Cyber Rating, Compliance Estimations (policies and processes) and Open FAIR™  results (the probable impact in financial numbers), Black Kite’s vision is to give a 3-dimensional risk picture of a third party and thus help companies make informed decisions based on these three pillars.

Measure Cyber Risk in Dollars & Cents

Cybersecurity reporting has become a critical issue between the technical team and the board. Most of the security issues get “lost in translation” when reported to the management-level. Black Kite uses the Open FAIR™  model to calculate the probable financial impact in case of a data breach. Translating the ” security language” to “business language”, Financial Impact Report has been a game-changer in security-reporting.

Open FAIR™  has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk. Platform users can leverage Open FAIR™  results in prioritization of resource allocation.

Having the capacity to use a FAIR assessment for third-party risk management thus elevates the risk management program. This tool helps attain the goal of cost-effectively achieving and maintaining an acceptable level of loss exposure, while also clearly conveying the breadth of risk factors across the organization.

Learn more at