Quantifying Third-Party Cyber Risk: Beyond the Vendor Questionnaire
The Expensive Illusion of Vendor Questionnaires
Every year, enterprises send hundreds — sometimes thousands — of vendor security questionnaires. The responses come back, someone ticks a box, and the procurement team moves on. The board receives a reassuring slide: "87% of vendors are compliant with our security requirements."
Then SolarWinds happens. Or MOVEit. Or Okta.
And the board asks a different question — one that no questionnaire ever answered: "How much money are we exposed to through our vendor ecosystem?"
The uncomfortable truth is that vendor questionnaires are compliance theatre. They measure policy existence, not security effectiveness. They tell you whether a vendor claims to encrypt data at rest. They don't tell you what happens to your revenue, your reputation, and your regulatory standing when that vendor gets breached and the attacker pivots into your environment.
If you're a CFO or CRO, this should concern you. Third-party cyber risk is not an IT problem — it's a balance sheet problem. And you're currently managing it with a tool that produces feelings of assurance rather than financial insight.
Supply Chain Is the Number One Attack Vector
The shift isn't hypothetical. It's already happened.
SolarWinds (2020): A compromised software build process gave Russian intelligence access to 18,000 organisations, including Fortune 500 companies and US government agencies. The estimated economic impact exceeded $100 billion across the affected ecosystem.
Kaseya (2021): Attackers exploited a vulnerability in Kaseya's remote management software to deploy ransomware across 1,500 downstream businesses simultaneously. Managed service providers became the entry point for attacks on hundreds of their clients.
MOVEit (2023): A zero-day in a widely-used file transfer tool led to data theft from over 2,600 organisations and more than 77 million individuals. Victims included government agencies, financial institutions, and healthcare providers — most of whom had never heard of MOVEit but were exposed through their vendors' use of it.
Okta (2023): Attackers compromised Okta's support case management system, stealing session tokens that provided access to customer environments. The identity provider designed to protect access became the attack vector.
The pattern is consistent: attackers compromise a vendor, then use that trusted relationship to reach their actual targets. Your perimeter security is irrelevant if the attacker arrives through a trusted connection you've explicitly allowed.
Why Questionnaires Fail and What to Do Instead
Vendor questionnaires fail for three fundamental reasons:
They're point-in-time snapshots. A vendor's security posture the day they complete a questionnaire bears little relationship to their posture six months later when an attacker actually targets them.
They measure policy, not exposure. Knowing that a vendor has an incident response plan tells you nothing about whether a breach at that vendor would cost you $50,000 or $50 million.
They treat all vendors equally. The questionnaire for your office supplies provider is often the same one sent to the cloud platform hosting your customer data. The risk is orders of magnitude different, but the assessment framework can't express that.
The alternative is to model third-party risk the way you model any other financial risk: by quantifying the exposure in dollar terms, based on realistic attack scenarios.
This means building attack trees that trace the actual paths an adversary would take — from initial compromise of a vendor, through the trust relationships that connect their environment to yours, to the ultimate impact on your critical assets. And then running Monte Carlo simulations against those paths to produce probability-weighted financial exposure estimates.
Modelling Vendor Risk as Attack Paths
Quoll approaches third-party risk as a graph problem. Every vendor relationship is a potential attack path, and every attack path can be modelled, measured, and priced.
Here's how it works in practice:
Map the vendor-origin attack path. Using Quoll's graph-based attack trees, you model the chain of events: compromised vendor credentials → lateral movement through a trusted VPN connection → access to your internal databases → exfiltration of customer records. Each node in the tree represents a technique, mapped to MITRE ATT&CK, with estimated probabilities informed by real-world threat intelligence.
Quantify each path using FAIR. The Open FAIR (Factor Analysis of Information Risk) methodology decomposes risk into its constituent factors — Threat Event Frequency, Vulnerability, and Loss Magnitude. Quoll runs Monte Carlo simulations across thousands of iterations to produce probability distributions rather than single-point estimates. The output is a dollar-denominated Annual Loss Expectancy (ALE) for each vendor-origin attack scenario.
Aggregate across the vendor portfolio. Each vendor's ALE contribution rolls up into a portfolio view. You can see total third-party exposure alongside the specific vendors and attack paths that drive the majority of that exposure. This isn't a vendor risk rating — it's a financial model.
Compare against controls. For each high-exposure vendor path, Quoll models the impact of specific mitigations — network segmentation, conditional access policies, enhanced monitoring. You can see exactly how much each control investment reduces your ALE, giving you a defensible business case for every dollar spent.
Prioritising Vendor Risk by ALE Contribution
Once every vendor-origin attack path has a dollar value, prioritisation becomes straightforward arithmetic.
Most organisations discover that their third-party risk follows a steep power law: a small number of vendors — typically five to ten — account for 80% or more of the total third-party ALE. These are usually the vendors with the deepest integration into your environment: cloud infrastructure providers, identity platforms, software supply chain tools, and managed service providers.
The remaining vendors, while numerous, contribute relatively little to aggregate exposure. This insight alone transforms your vendor risk management programme. Instead of distributing effort equally across hundreds of vendors, you concentrate resources where they actually reduce financial exposure.
For each high-ALE vendor, you can then drill into the specific attack paths that drive the exposure and ask targeted questions:
- Which trust relationships between this vendor and our environment create the highest-value attack paths?
- What controls would most effectively reduce the ALE contribution from this vendor?
- Is the residual risk after controls within our risk appetite, or do we need to consider alternative vendors?
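The four steps above (map the path, quantify it with FAIR, aggregate by vendor, compare controls) and the prioritisation questions that follow can be reduced to a small model. The block below is an added example written for this article, not Quoll's code or its API; it uses MITRE ATT&CK technique names for the nodes, but every step probability, threat event frequency, loss figure, vendor name and control cost is constructed for illustration. It samples Threat Event Frequency from a triangular distribution and Loss Magnitude from a lognormal one, takes Vulnerability as the product of the step probabilities along the path, and reports ALE per vendor, each vendor's cumulative share of portfolio exposure, and the before/after ALE for a single control.

```python
"""FAIR-style Monte Carlo model of vendor-origin attack paths (added example, not Quoll's code).
Technique names are MITRE ATT&CK; every number below is constructed for illustration."""
import math
import random
from dataclasses import dataclass


@dataclass
class Step:
    technique: str      # ATT&CK technique needed at this node of the attack tree
    p_success: float    # constructed probability the step succeeds when attempted


@dataclass
class AttackPath:
    vendor: str
    name: str
    steps: list
    tef: tuple             # (min, mode, max) threat events per year, triangular
    loss_magnitude: tuple  # (median dollars, sigma) of a lognormal loss per event

    def vulnerability(self):
        """FAIR Vulnerability: a loss event occurs only if every step on the path succeeds."""
        return math.prod(s.p_success for s in self.steps)


def simulate_ale(path, iterations=20_000, seed=1):
    """Annual Loss Expectancy as the Monte Carlo mean of TEF * Vulnerability * Loss Magnitude."""
    rng = random.Random(seed)
    lo, mode, hi = path.tef
    median, sigma = path.loss_magnitude
    mu, vuln, total = math.log(median), path.vulnerability(), 0.0
    for _ in range(iterations):
        tef = rng.triangular(lo, hi, mode)      # threat events this year
        lm = rng.lognormvariate(mu, sigma)      # dollars lost per loss event
        total += tef * vuln * lm                # expected-value form of LEF * LM
    return total / iterations


def analytic_ale(path):
    """Closed-form expectation of the same model, for checking the simulation."""
    lo, mode, hi = path.tef
    median, sigma = path.loss_magnitude
    return (lo + mode + hi) / 3 * path.vulnerability() * median * math.exp(sigma ** 2 / 2)


def portfolio_ale(paths, iterations=20_000, seed=1):
    """Roll each path's ALE up to the vendor it originates from."""
    by_vendor = {}
    for i, path in enumerate(paths):
        by_vendor[path.vendor] = by_vendor.get(path.vendor, 0.0) + simulate_ale(path, iterations, seed + i)
    return by_vendor


def prioritise(by_vendor):
    """Rank vendors by ALE; third field is the cumulative share of total third-party exposure."""
    total = sum(by_vendor.values())
    out, cumulative = [], 0.0
    for vendor, ale in sorted(by_vendor.items(), key=lambda kv: kv[1], reverse=True):
        cumulative += ale
        out.append((vendor, ale, cumulative / total))
    return out


def apply_control(path, technique, factor):
    """Return a copy of the path with the matching step's success probability scaled by factor."""
    steps = [Step(s.technique, s.p_success * factor if s.technique == technique else s.p_success)
             for s in path.steps]
    return AttackPath(path.vendor, path.name, steps, path.tef, path.loss_magnitude)


def control_business_case(path, technique, factor, annual_cost, iterations=20_000, seed=1):
    """Paired before/after ALE on the same random stream, so the difference is the control's effect."""
    before = simulate_ale(path, iterations, seed)
    after = simulate_ale(apply_control(path, technique, factor), iterations, seed)
    return {"ale_before": before, "ale_after": after, "net_benefit": before - after - annual_cost}


# Constructed sample portfolio: three vendors with very different depth of integration.
SAMPLE_PATHS = [
    AttackPath("IdentityCloud (constructed)", "stolen support session token -> SSO -> customer DB",
               [Step("T1078 Valid Accounts", 0.6), Step("T1133 External Remote Services", 0.5),
                Step("T1567 Exfiltration Over Web Service", 0.7)],
               tef=(0.5, 1.0, 3.0), loss_magnitude=(4_000_000, 0.8)),
    AttackPath("MSP-RemoteMgmt (constructed)", "compromised RMM agent -> ransomware on file servers",
               [Step("T1195 Supply Chain Compromise", 0.3), Step("T1486 Data Encrypted for Impact", 0.8)],
               tef=(0.2, 0.5, 1.0), loss_magnitude=(2_000_000, 0.8)),
    AttackPath("OfficeSupplies (constructed)", "phished supplier mailbox -> invoice fraud",
               [Step("T1566 Phishing", 0.4), Step("T1534 Internal Spearphishing", 0.2)],
               tef=(1.0, 2.0, 4.0), loss_magnitude=(50_000, 0.8)),
]

if __name__ == "__main__":
    for vendor, ale, share in prioritise(portfolio_ale(SAMPLE_PATHS)):
        print(f"{vendor:32s} ALE ${ale:>12,.0f}  cumulative share {share:5.1%}")
    # Hypothetical control: session binding / conditional access halves T1078 success for $300k a year.
    print(control_business_case(SAMPLE_PATHS[0], "T1078 Valid Accounts", 0.5, 300_000))
```

With these constructed inputs the identity provider alone carries roughly four fifths of the portfolio ALE, which is the power-law shape described above; the office supplies vendor, despite a higher event frequency, barely registers because its loss magnitude is small. The paired before/after comparison reuses one random seed so the reported reduction is the control's effect rather than simulation noise; in a real model the step probabilities, frequencies and loss distributions would come from threat intelligence and loss data rather than the placeholder figures used here.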
This is the conversation your board actually needs. Not "we assessed 200 vendors and 87% are compliant," but "our top five vendor exposures total $12.3 million in annual expected loss, we've invested $800,000 in controls that reduce that to $4.1 million, and here's the plan for the remaining exposure."
From Compliance Theatre to Financial Clarity
Vendor questionnaires aren't going away — regulators expect them, and they serve a basic due diligence function. But they cannot be the primary instrument for managing third-party cyber risk.
The organisations that will navigate the next SolarWinds-scale supply chain event are those that have already quantified their exposure, modelled the attack paths, and invested in controls based on financial impact rather than compliance checklists.
Quoll gives CFOs and CROs what questionnaires never could: a dollar figure for third-party cyber exposure, a clear picture of which vendors drive that exposure, and a defensible framework for deciding where to invest next.
The question isn't whether your vendors will be breached. It's whether you'll know what it costs you before the board asks.
