New Study Warns Hotels of Cyber Incidents with Ripple Effect
Industries in possession of sensitive personal data account for more than 60% of multi-party cyber incidents; research warns impact growth rate will only continue to increase.
The Cyentia Institute published “Ripples Across the Risk Surface,” an in-depth study sponsored by RiskRecon that analyzes more than 800 cyber incidents and their impact on multiple downstream organizations. According to the study, multi-party loss events that impact thousands of downstream organizations, otherwise known as “ripple events,” result in 13X larger financial loss than traditional single-party incidents. The objective of this study is to raise market awareness of the hyper interdependencies among organizations, and of the ripple effect that grows by an order of magnitude beyond the single data loss event.
Media headlines continue to fixate on the number of records breached within a single organization, but they rarely tell the full story, according to Kelly White, CEO and co-founder of RiskRecon. Most breach research doesn’t explain the downstream impact of ripple events, or that these incidents no longer impact just a single organization. Together, Cyentia and RiskRecon are aiming to expose an often-overlooked pattern: a lack of proper third-party risk controls can contaminate the entire enterprise ecosystem where sensitive data is stored and shared.
Cyentia Institute used the Advisen cyber loss database for an objective view into historical data comprising more than 90,000 cyber events. Of those events, Cyentia found that since 2008, more than 800 cyber incidents involved at least three organizations. Across these approximately 800 multi-party incidents, a total of 5,437 downstream loss events occurred (that is, organizations other than the primary victim that were impacted by the incident). In fact, downstream entities affected by multi-party incidents outnumber primary victims by 850%. Based on this historical insight, multi-party incidents are projected to continue to increase overall at an average rate of 20% per year.
Cyentia Institute analyzed which industries are most severely impacted by ripple events using the North American Industry Classification System (NAICS). Based on this data, the sectors that possess the highest concentration of personal data and information (credit bureaus, banks, collection agencies and hotels) account for nearly 60% of all organizations generating ripple effects. These same industries also typically have large digital footprints and often maintain extensive third-party relationships.
“As an industry, we’ve waited far too long to address the interconnected nature of today’s risk landscape,” says Wade Baker, founder of Cyentia Institute. “The startling truth from the data is that complex digital ecosystems fuel the kind of cyber incidents that send dangerous ripple effects across numerous organizations. Together with RiskRecon, we hope that our study looking at the increasing rate and severity of multi-party data loss events will instill an immediate response to improving the way we manage risk across every facet of business.”