Quantify supplier incidents across downtime, data exposure, contracts. Prioritize response using weighted severity and loss. Turn vendor risk signals into faster remediation decisions today.
Purpose: Estimate the financial and operational impact of a cybersecurity incident caused by a supplier or third-party vendor.
The score supports triage and planning. It is not legal advice, insurance advice, or a replacement for formal incident response procedures.
| Scenario | Supplier | Incident | Downtime | Records | Severity | Net Impact | EAL |
|---|---|---|---|---|---|---|---|
| Payments API compromise | NorthBridge Hosting | Data Breach | 18h | 25,000 | 82.40 | $336,875.00 | $60,637.50 |
| Managed SOC outage | ShieldWatch MSSP | Service Outage | 6h | 0 | 56.00 | $78,200.00 | $10,946.00 |
| Critical package tampering | CodeSupply Registry | Supply Chain Malware | 22h | 8,000 | 88.60 | $514,120.00 | $102,824.00 |
Example values illustrate typical outputs for comparison and planning. Your real results depend on actual contract terms, customer economics, and response performance.
1) Severity Score (0-100): A weighted score combining incident type baseline, business criticality, data sensitivity, integration depth, blast radius, regulatory exposure, contract dependence, and response maturity.
Severity = (IncidentBaseline×0.20) + (Criticality×20×0.15) + (Sensitivity×20×0.15) + (Integration×20×0.10) + (BlastRadius×20×0.15) + (Regulatory×20×0.10) + (ContractDependence×20×0.10) + ((6−ResponseMaturity)×20×0.05)
2) Direct Cost: Total immediate financial loss.
Downtime Cost + Notification Cost + Recovery Cost + SLA Penalty + Churn Cost
3) Reputation Cost: Severity-adjusted additional loss.
Direct Cost × Reputation Multiplier% × Severity Score%
4) Gross Impact: Combined direct and reputation cost.
Direct Cost + Reputation Cost
5) Residual Impact: Remaining impact after control reduction.
Gross Impact × (1 − Control Reduction%)
6) Net Impact: Residual impact after insurance.
Residual Impact − min(Coverage Limit, max(0, Residual Impact − Deductible))
7) Expected Annualized Loss (EAL): Annualized expected loss.
Net Impact × Annual Probability%
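The seven steps above implemented end to end, as an added Python example rather than the calculator's own code. It assumes the rating factors are 1-5 scales (the ×20 in the severity formula maps them onto 0-100), uses constructed sample inputs loosely modelled on the payments API row, and assumes an 8 hour RTO target for the RTO gap.

```python
# Added example; rating factors assumed 1-5, all dollar/probability inputs constructed.
SEVERITY_WEIGHTS = {"criticality": 0.15, "sensitivity": 0.15, "integration": 0.10,
                    "blast_radius": 0.15, "regulatory": 0.10, "contract_dependence": 0.10}


def severity_score(incident_baseline, ratings, response_maturity):
    """Step 1: baseline*0.20 + sum(rating*20*weight) + (6-maturity)*20*0.05."""
    score = incident_baseline * 0.20
    score += sum(ratings[name] * 20 * w for name, w in SEVERITY_WEIGHTS.items())
    score += (6 - response_maturity) * 20 * 0.05  # mature response lowers severity
    return round(score, 2)


def direct_cost(downtime_hours, revenue_per_hour, records, notify_per_record,
                recovery_cost, sla_penalty, affected_customers, avg_value, churn_rate):
    """Step 2: downtime + notification + recovery + SLA penalty + churn."""
    downtime = downtime_hours * revenue_per_hour          # use contribution margin/hour
    notification = records * notify_per_record
    churn = affected_customers * avg_value * churn_rate   # observed post-incident churn
    return round(downtime + notification + recovery_cost + sla_penalty + churn, 2)


def impact_model(direct, severity, reputation_multiplier, control_reduction,
                 coverage_limit, deductible, annual_probability):
    """Steps 3-7: reputation, gross, residual, insurance offset, net, EAL."""
    reputation = round(direct * reputation_multiplier * severity / 100, 2)
    gross = direct + reputation
    residual = round(gross * (1 - control_reduction), 2)
    # Insurance pays only the part above the deductible and never more than the limit.
    payout = min(coverage_limit, max(0.0, residual - deductible))
    net = round(residual - payout, 2)
    return {"direct": direct, "reputation": reputation, "gross": gross,
            "residual": residual, "insurance_payout": payout, "net": net,
            "eal": round(net * annual_probability, 2)}


# Constructed ratings loosely mirroring the "Payments API compromise" row.
SAMPLE_RATINGS = {"criticality": 5, "sensitivity": 5, "integration": 4,
                  "blast_radius": 4, "regulatory": 4, "contract_dependence": 4}


def run_sample():
    sev = severity_score(incident_baseline=80, ratings=SAMPLE_RATINGS, response_maturity=3)
    direct = direct_cost(downtime_hours=18, revenue_per_hour=5000, records=25000,
                         notify_per_record=2.0, recovery_cost=40000, sla_penalty=10000,
                         affected_customers=2000, avg_value=500, churn_rate=0.05)
    result = impact_model(direct, sev, reputation_multiplier=0.25, control_reduction=0.30,
                          coverage_limit=100000, deductible=25000, annual_probability=0.18)
    result["severity"] = sev
    result["rto_gap_hours"] = max(0, 18 - 8)  # downtime against an assumed 8 h RTO target
    return result
```

`run_sample()` returns every intermediate value, so a second supplier can be modelled by swapping the inputs and comparing the `net`, `eal` and `rto_gap_hours` fields side by side.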
Third party incidents create overlapping losses, so the calculator converts disruption into a decision view. In the example table, a payments API compromise shows 18 hours of downtime, 25,000 records, and a net impact of $336,875. That combination is more useful than a simple high risk label. Security, procurement, and finance can compare suppliers using the same structure and escalate vendors with the greatest business consequence first.
The severity score uses weighted inputs for incident type, criticality, data sensitivity, integration depth, blast radius, regulatory exposure, contract dependence, and response maturity. This prevents teams from treating every breach the same. A supply chain malware event in the sample reaches 88.60 severity because dependencies and propagation potential are high. Weighted scoring helps justify emergency response, executive notifications, and service restrictions with transparent logic.
Direct cost combines downtime cost, notification cost, recovery cost, SLA penalties, and customer churn cost. Data quality matters because poor assumptions distort the recommendation. Revenue loss per hour should use realistic contribution values, not gross sales. Churn should be based on observed retention behavior. When these inputs are evidence based, outputs such as EAL, gross impact, and net impact become reliable for budget planning and vendor remediation prioritization.
Gross impact is reduced by control strength and then adjusted for the insurance coverage limit and deductible. The result is the residual exposure that leadership must fund. If net impact stays high after insurance, the organization should strengthen segmentation, backup validation, and alternate supplier readiness. The RTO gap also matters: a downtime result of 18 hours against an 8 hour target signals recovery friction and should trigger corrective actions in contracts and playbooks.
Use the calculator during onboarding, vendor reviews, and incident postmortems. Store outputs in a standard template so audit, legal, and risk teams can compare trends across suppliers. Track estimated impacts against actual losses to improve probability assumptions and reputation multipliers over time. This calibration creates better forecasts, stronger board reporting, and evidence for contract negotiations, insurance discussions, and investment decisions on supplier resilience.
The severity score summarizes business and technical exposure on a 0 to 100 scale using weighted inputs, including incident type, criticality, data sensitivity, blast radius, and response maturity. It supports triage, not legal or regulatory determinations.
To estimate churn cost, the calculator multiplies affected customers by average customer value and the expected churn rate. Use historical churn behavior after service or trust incidents to avoid inflated estimates and to improve planning accuracy.
For revenue loss per hour, use the value that best reflects actual financial impact. Many teams prefer contribution margin per hour instead of gross revenue, because it better captures what the business truly loses during downtime.
Yes, multiple suppliers can be compared. Run the same input framework for each supplier and keep assumptions consistent. Comparing net impact, EAL, and RTO gap side by side helps prioritize remediation budgets and contract controls objectively.
Enter the relevant policy coverage limit and deductible for the modeled incident. The calculator applies coverage after residual impact, so results reflect realistic offsets rather than assuming insurance covers every cost component.
Review high criticality suppliers quarterly and after major incidents, contract changes, or architecture changes. Refresh churn, cost, and probability assumptions with current finance and incident response data to maintain reliable outputs.
Important Note: All the calculators listed on this site are for educational purposes only and we do not guarantee the accuracy of results. Please consult other sources as well.