
In 2023, a single vulnerability was detected in a widely used file transfer application, triggering one of the most damaging cyber incidents in history. The now-infamous MOVEit data breach ended up compromising more than 2,000 organizations worldwide, and is estimated to have caused more than $12 billion in financial losses, roughly matching those of 2017's NotPetya attack.
In neither case were these dramatic consequences the result of a targeted hack against a single company. On the contrary, they were technogenic events, that is, events arising from the technology itself, that originated deep within a third-party software dependency spanning industries and geographies, exposing a fundamental weakness in how modern enterprises manage cyber risk today.
Indeed, many of the most dangerous cyber threats organizations face lie outside the traditional perimeter, hidden within the supply chain. Moreover, as entities continue to expand their use of cloud platforms and their engagement with software-as-a-service (SaaS) providers, they likewise expand their exposure to vulnerabilities they neither own nor, in some cases, are even aware of.
For security leaders of the digital era, it has become imperative to understand and manage this subsurface class of cyber risk, and to express it in precise, contextualized terms, which is what cyber risk quantification (CRQ) is designed to provide.
The Risk Hidden in Your Technology Stack
Technogenic risk derives from the technologies, particularly those developed or maintained by a third-party service provider, that an organization employs to carry out its operations more efficiently and securely, as opposed to risks stemming from an internal misconfiguration or human error. Because of this dependence, however, organizations typically lack visibility into precisely how much risk a solution or vendor introduces. That is, until a breach occurs.
Technogenic risk's potential for systemic impact makes it even more concerning for the market. If a malicious actor exploits a vulnerability within a service provider's tool or network, they can reach thousands of other companies relying on that same technology with little additional effort. With supply chain risk, traditional organizational boundaries do not apply, which requires a new mindset. Stakeholders must now assume their entire technology stack is a source of exposure requiring proactive oversight and prioritization.
In the early days of cyber risk management, cybersecurity leaders were focused on defending the perimeter. Over time, as more events originated from third-party providers, that focus changed, with stakeholders acknowledging the limits of that approach. Yet even with this progression, many strategies remain tethered to legacy assumptions, and risk assessments continue to home in on what's directly visible or controllable.
This pervading tunnel vision obscures where the most potentially serious exposures often reside. Even as the number of identified supply chain vulnerabilities grows by 20,000 annually, many security teams continue to rely on outdated workflows and generalized severity ratings, such as the Common Vulnerability Scoring System (CVSS). A CVSS base score is a static measure of technical severity; it says little about how likely a vulnerability is to be exploited in practice, how widely the affected technology is deployed, or what the financial impact of exploitation would be.
To manage technogenic risk at the level of efficacy that the current threat landscape demands, cybersecurity leaders must adopt a wider risk management lens, one that CRQ uniquely provides. Without that added perspective, organizations remain extremely susceptible to the very vulnerabilities that are most likely to cause material loss.
Three Drivers of Technogenic Risk
To account for technogenic risk, businesses need a more layered approach than classic risk-scoring frameworks, which fail to consider the full business context. Three primary factors drive exploitation likelihood and business impact.
The first factor is operational role, or the function the technology serves. Assets such as web servers, cloud platforms and core operating systems tend to draw more attention from adversaries because they are reachable and play a salient role.
The second element is the security posture and track record of the software vendor. Providers with recurring exposure in breach data can signal elevated future risk, making vendor-specific patterns a meaningful input to threat modeling.
The third factor is the breadth of the attack surface, defined by how extensively a technology is deployed across the enterprise. While a single unpatched instance might pose limited risk, the presence of the same vulnerability across thousands of endpoints substantially increases the likelihood that an attacker discovers and exploits at least one of them. Together, these three dimensions help explain why some vulnerabilities become high-impact events and others don't.
A Forecast-Driven Approach
While more traditional third-party vulnerability scoring approaches offer a snapshot of current risk in the supply chain, technogenic exposure often stems from flaws that have yet to be reported or exploited. As such, forward-looking CRQ models are increasingly being adopted to forecast the likelihood and severity of future vulnerabilities.
Rather than ranking vulnerabilities by severity alone, these analytical tools incorporate the same key factors previously identified as drivers of technogenic risk, including exploit prediction, vendor-specific breach history, and the specific operational role and prevalence of the technology. Combining these variables in a single predictive CRQ framework offers organizations a more dynamic and business-relevant view of their supply chain exposure.
This context also sharpens prioritization. Instead of responding to a high CVSS score without knowing whether the vulnerability poses a meaningful threat, teams can identify the vulnerabilities that are both exploitable and consequential. For organizations managing hundreds of third-party dependencies, this CRQ-driven approach offers a more precise and business-relevant way to reduce exposure at scale.
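The following is an added illustration of the prioritization described above and of the three drivers (operational role, vendor track record, deployment breadth); it is not code from the article, from Kovrr, or from any CRQ product. The weights, the sample findings, the per-instance loss figures and the treatment of EPSS as a per-instance probability are all constructed assumptions chosen to make the contrast visible. It ranks the same three findings two ways, by CVSS base score alone and by a simple expected-loss estimate, and shows how the order flips.

```python
"""Constructed example: ranking third-party findings by expected loss
instead of by CVSS base score alone. Every weight, finding and loss
figure below is an assumption for illustration, not a value from the
article or from any real CRQ model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    label: str                  # hypothetical label, not a real CVE identifier
    cvss: float                 # CVSS base score (0-10): technical severity only
    epss: float                 # EPSS-style exploitation probability (0-1), treated per instance
    instances: int              # breadth: deployed instances carrying the flaw
    internet_facing: bool       # operational role: exposed vs internal
    vendor_incidents: int       # vendor track record: prior incidents in breach data
    loss_per_instance: float    # assumed loss (USD) if one instance is compromised


# Assumed role weights: an internal-only instance is treated as a quarter
# as likely to be reached by an attacker as an internet-facing one.
ROLE_WEIGHT = {True: 1.0, False: 0.25}


def vendor_multiplier(incidents: int) -> float:
    """Assumed uplift: +10% likelihood per prior vendor incident, capped at 1.5x."""
    return min(1.5, 1.0 + 0.1 * incidents)


def per_instance_probability(f: Finding) -> float:
    """Probability that one deployed instance is exploited, after context adjustments."""
    return min(1.0, f.epss * ROLE_WEIGHT[f.internet_facing]
               * vendor_multiplier(f.vendor_incidents))


def probability_of_any_exploit(f: Finding) -> float:
    """Probability that at least one deployed instance is exploited.
    Instances are treated as independent; this is the term that grows
    with deployment breadth."""
    p = per_instance_probability(f)
    return 1.0 - (1.0 - p) ** f.instances


def expected_loss(f: Finding) -> float:
    """Expected loss in USD: instances x per-instance probability x loss per instance."""
    return f.instances * per_instance_probability(f) * f.loss_per_instance


def rank_by_cvss(findings):
    """Severity-only ordering, highest CVSS first."""
    return [f.label for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_expected_loss(findings):
    """Context-aware ordering, highest expected loss first."""
    return [f.label for f in sorted(findings, key=expected_loss, reverse=True)]


# Constructed findings (not real vulnerabilities):
# A: critical score, one internal box, quiet vendor, low exploit probability
# B: "high" score, 3,000 internet-facing instances, vendor with prior incidents
# C: high score, 40 internal instances, one prior vendor incident
SAMPLE_FINDINGS = [
    Finding("A", cvss=9.8, epss=0.02, instances=1, internet_facing=False,
            vendor_incidents=0, loss_per_instance=50_000),
    Finding("B", cvss=7.5, epss=0.60, instances=3_000, internet_facing=True,
            vendor_incidents=3, loss_per_instance=20_000),
    Finding("C", cvss=8.8, epss=0.10, instances=40, internet_facing=False,
            vendor_incidents=1, loss_per_instance=100_000),
]

if __name__ == "__main__":
    print("CVSS-only order:    ", rank_by_cvss(SAMPLE_FINDINGS))
    print("Expected-loss order:", rank_by_expected_loss(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        print(f"{f.label}: P(any exploit)={probability_of_any_exploit(f):.3f} "
              f"expected_loss=${expected_loss(f):,.0f}")
```

Run as written, the CVSS-only ranking puts A first and B last, while the expected-loss ranking reverses it: B's modest score is outweighed by its exploit likelihood, exposure and footprint. The point is not the particular weights, which are made up, but that severity, likelihood, breadth and loss have to be combined before a ranking says anything about business impact.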
Strengthening Supply Chain Resilience
To be effective, a forecast-driven approach to technogenic risk must be embedded into the strategic functions that shape enterprise resilience. Among the most important applications is vendor assessment, where technology-specific risk indicators should inform decisions well before deployment. It must also extend to risk registers, which need to evolve from static inventories into living tools that reflect the dynamic nature of third-party exposure.
At the same time, security leaders must be equipped to convert model outputs into strategic insight. Senior stakeholders don't need to be presented with technical inputs such as CVSS or Exploit Prediction Scoring System (EPSS) values. Instead, they need to understand how supply chain events could disrupt operations, trigger compliance failures or lead to material financial loss. CRQ's quantitative framing delivers that clarity, enabling more consistent, business-aligned communication.
The path to resilience depends not just on identifying the most contextually relevant vulnerabilities but on embedding that awareness into decision-making across security, procurement and governance domains. Forecasting models, when paired with operational structures that can act on their outputs, offer organizations a more adaptive and forward-looking means of managing supply chain cyber risk.
Managing Cyber Risk in an Interconnected World
Technogenic risk has become a defining feature of the modern supply chain threat landscape. As high-profile incidents such as MOVEit and NotPetya showed, today's third-party service provider vulnerabilities have the capacity to scale faster and strike harder, amplified by the structural interdependencies woven throughout the global market. In such an environment, reactive controls and detached severity scores are insufficient.
Organizations must not only enhance the way they assess supply chain risk, but also how they operationalize subsequent insights. Keeping pace requires building strategic foresight, grounding mitigation decisions in contextual understanding, and leveraging financial cyber risk quantification model outputs that reflect both the structure of their technology stack and the precise business consequences of failure.
The reality is that a significant portion of cyber exposure now stems as much from external technologies as from internal systems. Third-party components, often deeply embedded and difficult to monitor, can introduce systemic vulnerabilities without warning. Addressing this level of risk requires tools and processes that both track threats and, more critically, anticipate where they’re most likely to impact the business.
Management of technogenic risk will increasingly hinge on an organization’s ability to harness CRQ and forecast where and how systemic exposures could emerge. Security and risk leaders who embed these forward-looking models into procurement, governance and technology oversight functions will be better positioned to navigate and endure the next wave of supply chain disruptions.
Yakir Golan is chief executive officer and co-founder of Kovrr.