Growing reliance on third-party services, such as cloud computing, is believed to increase client firms’ exposure to third-party induced cyber incidents. However, we lack empirical research on the prevalence and scale of third-party induced cyber incidents. Moreover, we do not know who pays more of the price for experiencing these incidents—the client firm and/or the third-party provider firm. We study these questions using a sample of 1397 cyber incidents in public firms between 2000 and 2020 of which 246 are third-party induced incidents. Our findings offer several novel insights. Third-party induced cyber incidents are not growing in prevalence any faster than other incidents, but they do compromise greater volumes of confidential data per incident. As to the price paid for third-party induced incidents, the picture is more nuanced. Client (first-party) firms suffer drops in equity returns that are comparable to those for homegrown incidents, while small third-party provider firms suffer significantly larger drops in equity returns and large third-party provider firms do not suffer a discernible drop in equity returns. We discuss implications of these findings for client firms and service providers.

中文翻译：

---

第三方引发的网络事件——无事生非？

人们认为，对云计算等第三方服务的日益依赖会增加客户公司对第三方引发的网络事件的风险。然而，我们缺乏对第三方引发的网络事件的普遍性和规模的实证研究。此外，我们不知道谁为经历这些事件付出了更多的代价——客户公司和/或第三方供应商公司。我们使用 2000 年至 2020 年间上市公司发生的 1397 起网络事件样本来研究这些问题，其中 246 起是第三方引发的事件。我们的研究结果提供了一些新颖的见解。第三方引发的网络事件的流行率并没有比其他事件更快，但它们确实会在每次事件中危及更多的机密数据。至于为第三方引发的事件付出的代价，情况就更加微妙了。客户（第一方）公司的股本回报率下降与本土事件相当，而小型第三方供应商公司的股本回报率下降幅度更大，而大型第三方供应商公司的股本回报率没有明显下降返回。我们讨论了这些发现对客户公司和服务提供商的影响。