Commissioned by CyCognito

Published September 2021

Executive Summary

Organizations are overconfident in their ability to manage subsidiary risk, and they continue to experience attacks involving subsidiaries. This research examines how well large companies manage risk from subsidiaries, what difficulties and constraints they encounter, and the ramifications of those difficulties and constraints. The study, commissioned by CyCognito and conducted by Osterman Research, surveyed enterprises with over $1 billion in annual revenue and an average of more than 19 subsidiaries.

The research shows a perplexing disparity between what large organizations want to believe and the actual state of affairs when it comes to managing subsidiary risk. The majority of organizations reported they were doing a good job managing subsidiary risk, yet 67% of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary or that they lacked the ability or information to rule out that possibility. Even more telling, 50% of respondents reported they would not be surprised if a cyber-breach were to occur “tomorrow” at one of their subsidiaries.

Current tools and processes for managing subsidiary risk present multiple shortfalls, including a focus on compliance at the expense of security, complex onboarding processes, infrequent and lengthy risk management processes that leave too many blind spots, an excess of manual tools, and a lag between results and remediation.