Skip to content

Third-Party & Supply-Chain Cyber Risk Quantification

Your biggest exposure often isn't in your network — it's in your vendors'. CyQuantiFi puts a dollar figure on third-party and supply-chain cyber risk, and reveals the correlated exposure that traditional registers miss: the risks that all move together the moment a shared dependency fails.


The risk register lies about your vendors

Most third-party risk programs produce a questionnaire score and a colour. Neither tells a board what a vendor failure is worth, and neither captures the real danger: correlation. When several "independent" risks quietly depend on the same supplier — a telco, a cloud provider, an identity platform, a payments processor — they don't fail one at a time. They fail together.

A live example. When a single telecommunications fault took down a major Australian network, it didn't just drop phone calls — it stopped trains, froze card payments and touched emergency services in the same morning. Three "separate" risks, one shared dependency, all firing at once. A heatmap rated them as three unrelated amber cells. The dollars told a very different story.

The Threat Tide Method: modelling shared weather

CyQuantiFi's Threat Tide Method quantifies third-party and supply-chain risk the way it actually behaves. We compose your attack graph with your vendors' — without copying their data — and simulate loss across the whole picture. Crucially, we model the shared weather: when the threat environment heats up, linked risks surge together, and the worst-case tail gets fatter. The result is an honest worst case, not an artificially calm one — and it's backed by patent-filed technology.

Shared weather
Correlation, modelled

Linked risks move together — we simulate that instead of pretending they're independent.

Fatter tail
Honest worst case

The high-loss end of the distribution reflects reality, not wishful thinking.

$ per vendor
Dollar exposure

Each supplier's contribution to your Annual Loss Expectancy, ranked.

How it works

1

Map your critical suppliers

We identify the vendors and dependencies that more than one part of your business relies on — the concentration points that create correlation.

2

Bridge the graphs

Your attack graph links to vendor threat models through a secure boundary — their exposure is referenced, not copied — so we can simulate risk across the whole supply chain.

3

Simulate the correlation

A FAIR-aligned Monte Carlo simulation runs across the composed graph with shared-weather correlation, producing a loss distribution with an honest tail.

4

Rank and act

You get each vendor's dollar contribution to your risk, the concentration points to diversify, and the control moves that reduce exposure most per dollar.

Built for CPS 234 and SOCI supply-chain obligations

APRA CPS 234 requires regulated entities to manage the information-security capability of third parties that handle their information assets. SOCI's all-hazards CIRMP framework puts supply-chain risk squarely in scope. A dollar-based, correlation-aware estimate is the cleanest evidence you can put in front of a regulator — and a far stronger board conversation than a vendor questionnaire score.

Who it's for

Risk and security leaders at APRA-regulated financial institutions, SOCI-regulated critical infrastructure operators, and any organisation with concentrated vendor dependencies who needs to move third-party risk from a questionnaire colour to a defensible dollar figure.


Frequently asked questions

What is third-party cyber risk quantification?

It's expressing the cyber risk your vendors and suppliers create for you as a dollar figure — an Annual Loss Expectancy — instead of a questionnaire score or a colour. CyQuantiFi does this by composing your attack graph with your vendors' and simulating loss across the whole supply chain.

Why does correlation matter in supply-chain risk?

Because shared dependencies mean linked risks fail together, not one at a time. If you model each vendor risk independently, you systematically understate your worst case. The Threat Tide Method models the correlation — the shared weather — so the tail of your loss distribution reflects reality.

Do you need access to our vendors' systems?

No. Vendor exposure is referenced through a secure boundary, not copied. We compose the graphs for simulation without moving your suppliers' data into your environment.

How is this different from a security ratings service?

External ratings score a vendor's posture from the outside. They don't tell you what a vendor failure would cost you, and they don't model correlation across your supply chain. CyQuantiFi produces a dollar exposure specific to your business, with the correlated worst case included.

See what your supply chain is really worth in risk

Run a Threat Tide analysis across your vendor graph and your own.

Related services

This page describes CyQuantiFi's third-party and supply-chain cyber risk quantification service. It is general information, not legal or compliance advice; regulated entities remain accountable for their own third-party risk obligations.