SAFE RESEARCH PRESENTS

Risk Radar

EDITION 1 - FEBRUARY 2025

Actionable Cyber Risk Insights for CISOs

AUTHORS

Erica Eager - Pankaj Goyal - Vidit Baxi

Third-Party Cyber Risk:

What 2024 Taught Us

We analyzed more than 1000 Third-Party Attacks

Most Active Threat Actors: Cyber Criminals

Most Common Attack Outcome: Data Exfiltration

Most Exploited Third-Party Controls & ATT&CK Techniques

Materiality:

What 2024 Taught Us

We launched howmaterialisthathack.org to forecast the financial losses from cyberattacks in 2024.
What did we learn?

High Profile Cyberattacks Selected for Analyses

Cyber Attack Losses

Losses as a % of quarterly revenue of the company

The median loss was 1.2% and the average loss was 4.1% of quarterly revenue.

Two-Thirds of the Costs were Business Interruption Related

Regulatory Reporting:

What 2024 Taught Us

So what has been the effect of the SEC rule on reporting in 2024?
We analyzed 210 8-Ks filed for 206 unique cybersecurity incidents.

Actions for the CISO:

What 2024 Taught Us

  • Small third parties can pose a high business risk to you. Reprioritize your third-party list based on business risk.
  • Focus on the 10 most exploited controls in your third-party evaluations. Focus your TPCRM team on what matters.
  • As the costs of cyber attacks increase, define realistic risk thresholds and set them up correctly with your internal compliance and risk teams.
  • Two-thirds of the losses are business-interruption related. Re-evaluate whether you are investing enough in your business resilience (internal and third-party facing); the ROI is high.