Understanding Third-Party Vendor Risk Management

Delta Airlines lost $500 million in five days due to the July 2024 CrowdStrike outage, caused by a faulty software update. The cybersecurity firm fixed the issue in 79 minutes, but the damage to its customers—as well as its customers’ customers—was extensive and long-lasting. U.S. Fortune 500 companies are expected to lose an estimated $5.4 billion as a result. 

The CrowdStrike outage illustrates what happens when organizations from different industries rely too heavily on one provider, or too few suppliers, underscoring the risks associated with vendor concentration and the urgent need for vendor diversification. This is especially true for entities in critical industries like financial services and energy. 

Here we explore challenges posed by vendor concentration in critical industries, as well as tips on how organizations can more effectively manage third-party risk.

Third-party vendor risks by industry

Using multiple third-party suppliers can increase the risk of cyber attacks given the interconnected nature of modern business systems—a wider range of vendors increases the attack surface of an organization and industry. On the other hand, heavy reliance on a few vendors can lead to severe, sector-wide breaches, outages and more if one vendor experiences a disruption. 

Reliance on a limited number of third-party vendors is prevalent in certain industries due to the need for suppliers to possess niche expertise. Even when companies look to vary their providers, the lack of diversity available may require them to default back to the dominant industry provider. The challenge is especially acute in certain industries, as demonstrated in the following examples:

Commercial banks and credit unions

Banks and credit unions, known as depository institutions, depend on banking services providers for their core systems and ancillary services. The core services market, valued at $4.03 billion, is dominated by three large providers: Fiserv, Jack Henry and FIS. 

Together they hold over 70% of the banking market and 46% of the credit union market. 

A breach or outage experienced by any one of them could disrupt payment and processing operations, potentially cutting off customers’ access to their own money.

Travel and tourism

Digital systems that automate how airlines track and sell their inventory are known as global distribution systems. Amadeus, Sabre and Travelport control nearly 100% of the global distribution system landscape, valued at $14.4 billion, in North America and Europe. 

Cyber attacks on these vendors could cripple global travel and tourism systems, stranding travelers without flights or hotels—and worse, compromising their safety.

Hospital EHR systems

Electronic health records (EHRs) are real-time, digital patient records that securely and instantly make medical history and information available to authorized users. Three companies—Epic Systems Corporation, Oracle Cerner and MEDITECH—control 70% of the hospital EHR vendor market, which is valued at $30 billion. 

In addition to bringing health system operations to a halt, a cyber attack on one of these vendors would also expose patient data to identity theft and threaten patients’ health. 

Automotive dealership management 

The North American automotive dealership industry market is dominated by CDK Global—a software vendor that provides applications and services for nearly 15,000 dealer locations. CDK’s cyber attack in June 2024 paralyzed automotive sales, causing chaos for sellers, buyers and workers and ultimately costing businesses $944 million.

---

Dataminr in Action: CrowdStrike Outage

Dataminr notified customers of the CrowdStrike outage almost 1.5 hours ahead of mainstream media.

---

Best practices for mitigating third-party vendor risk

While vendor concentration might streamline operations and reduce costs, companies should not fall into the trap of using too few vendors, especially those that dominate a single industry. Consider the following best practices to minimize threats and protect your organization.

• Identify potential single points of failure within your vendor networks. This involves mapping out dependencies and evaluating the impact of a vendor’s disruption on overall operations.
• Diversify vendors (as able). If the option exists, engage multiple service providers to minimize reliance on any one vendor.
• Conduct regular assessment of vendor relationships. Regularly assess and audit third-parties’ performance, security measures and compliance with contractual obligations to ensure they align with your company’s requirements. This includes the evaluation of incident response plans.
• Set clear expectations from the start. During the early contract phase, engage vendors to outline cybersecurity standards and communication expectations if an event were to occur.
• Talk to industry peers. Information sharing is crucial for organizations to know how other businesses are managing their relationship with the industry-dominant vendor(s).  
• Implement early warning systems and AI-enabled alerting solutions. Ensure you receive real-time alerts on external threats to your organization and third-party vendors, allowing for timely and effective response. 

Understanding the potential dangers of vendor concentration is the first step toward building a more secure and resilient organization. By taking proactive measures and adopting effective technology, organizations can better protect their operations, data and reputation from the impacts of vendor breaches.