Third-party cyber incidents can be costly. Here’s how to manage the risk.

A cyber risk expert offers practical advice on how organizations can better identify and manage third-party risks.

Alex Zank is a reporter with CFO Brew who covers risk management and regulatory compliance topics. Prior to CFO Brew, he covered the property/casualty insurance industry.

The impact of Jaguar Land Rover’s crippling cyberattack went far beyond the carmaker’s own walls. Parts suppliers, “many of them small and financially fragile,” felt the sting when JLR had to temporarily halt operations in September, the Wall Street Journal reported. The Cyber Monitoring Centre, a UK-based nonprofit, estimated the incident ultimately impacted more than 5,000 companies to the tune of £1.9 billion.

It was the latest high-profile reminder that third-party cyber risk is real, and it can be disruptive and costly, as CFO Brew previously reported. We recently spoke with Mario Paez, national cyber risk leader at insurance broker Marsh McLennan Agency, about third-party risks, and what finance leaders can do to manage them.

This interview has been edited for length and clarity.

What went through your mind when you heard about the JLR incident?

There are a lot of similar types of incidents where we see an outage caused by a security event or a system failure event, such as an unintentional or unplanned outage, and the ripple effect that it has across clients, vendors, partners, [and] supply chains. Those ecosystems are very interconnected, and when there is an outage, a stoppage, that ripple effect can be quite significant.

What are some of the recurring conversations you’re having with clients regarding third-party risk management?

There are global frameworks that give various guidance and, for lack of a better term, checklists around what organizations can strive to do to better monitor different levels or tiers of critical vendors. So that’s a solid best practice.

In [the] SME [small and medium enterprises] midmarket space, organizations may not be as conscious of the readily available coverage for contingent business interruption and business income loss, extra expenses, should one of their critical IT service providers or supply chain vendors have a security incident or an unintentional or unplanned outage.

How can businesses prepare themselves when seeking that kind of coverage from an insurance carrier?

How we prepare clients to bring that exposure to the underwriting community is just making sure that we’re asking those questions around what their due diligence procedures are in vetting vendors and supply chain vendors. Do they have alternative suppliers so they don’t have all their eggs in one basket? That really speaks to overall resiliency.

How do you help clients determine what limits they should be seeking?

We do have some very solid risk intelligence analytics that, beyond benchmarking, feed into a specific organization’s risk profile responses to certain security control questions…The old adage would say, well, let’s look at the total cost of what a breached record would be. I think we’ve gotten well beyond that, from maybe 15–20 years ago to looking at it [as], you may have a ransomware event [or] you may have a systems failure—which is an unintentional, unplanned outage that has nothing necessarily to do with the security failure—and that is not captured in what a breached record would cost us. It speaks to the growth and expansion of cyber security insurance and privacy liability insurance as a whole.

How do you advise clients on best practices for mitigating the impact of an incident when it does occur?

Preparation and transparency are key, and part of the preparation process, presuming the client is purchasing cyber insurance, is knowing who the approved panel of incident response providers from the carrier is. That is key. The biggest reason I’ve seen more complicated responses is that this step has been skipped, or [there’s] a disconnect between parties, even inside organizations where an IT information security person is not aware of the incident response panel. Maybe the CFO, risk manager, or general counsel is aware, but that has not been communicated or incorporated into the company’s incident response plan. So number one, have that incident response plan updated with your insurer’s panel [and] with your broker’s contact information, and make sure that, when you do run a tabletop exercise, you refer to that.