Third-party induced cyber incidents - Much ado about nothing?

Research output: Contribution to journalArticlepeer-review

1 Scopus citations


Growing reliance on third-party services, such as cloud computing, is believed to increase client firms' exposure to third-party induced cyber incidents. However, we lack empirical research on the prevalence and scale of third-party induced cyber incidents. Moreover, we do not know who pays more of the price for experiencing these incidents - the client firm and/or the third-party provider firm. We study these questions using a sample of 1397 cyber incidents in public firms between 2000 and 2020 of which 246 are third-party induced incidents. Our findings offer several novel insights. Third-party induced cyber incidents are not growing in prevalence any faster than other incidents, but they do compromise greater volumes of confidential data per incident. As to the price paid for third-party induced incidents, the picture is more nuanced. Client (first-party) firms suffer drops in equity returns that are comparable to those for homegrown incidents, while small third-party provider firms suffer significantly larger drops in equity returns and large third-party provider firms do not suffer a discernible drop in equity returns. We discuss implications of these findings for client firms and service providers.

Original languageEnglish (US)
Article numbertyab020
JournalJournal of Cybersecurity
Issue number1
StatePublished - 2021
Externally publishedYes


  • client firm
  • cyber incident
  • event study
  • service provider firm
  • survival analysis
  • third-party induced cyber incident

ASJC Scopus subject areas

  • Software
  • Computer Science (miscellaneous)
  • Social Psychology
  • Information Systems
  • Safety, Risk, Reliability and Quality
  • Safety Research
  • Hardware and Architecture
  • Political Science and International Relations
  • Computer Science Applications
  • Computer Networks and Communications
  • Law


Dive into the research topics of 'Third-party induced cyber incidents - Much ado about nothing?'. Together they form a unique fingerprint.

Cite this