MSSP, MSP, Risk Assessments/Management, Enterprise, Security Management

Black Kite Adds Financial Risk Modeling to Third-Party Cyber Risk Assessments

Organizations often struggle to explain cyber risk in language that business leaders understand. Security teams can describe vulnerabilities, misconfigurations, or threat activity in detail, but boardrooms typically want a simpler answer: how much financial risk does a particular decision create?

Black Kite’s latest update aims to close that gap. The company has introduced Open FAIR-based risk assessments within its cyber risk quantification (CRQ) capabilities, allowing organizations to estimate the probable financial impact of cyber incidents directly within their third-party risk assessment process.

The release integrates financial risk modeling into the same workflow organizations already use to evaluate vendors. During onboarding or periodic reviews, security teams can automatically estimate the potential financial impact of scenarios such as data breaches, ransomware attacks, or business disruptions.

The capability relies on the Open FAIR methodology, a framework widely used to quantify cyber risk in monetary terms. Traditionally, applying FAIR has required manual modeling and specialized expertise, which limited how often organizations used it. By automating the process, Black Kite is trying to make financial risk modeling part of routine vendor evaluations rather than a separate analysis.

Financial Risk Is Becoming Central to Third-Party Security Decisions

Third-party risk management has expanded quickly as companies rely more heavily on suppliers, SaaS providers, and technology partners. Each vendor relationship introduces potential exposure, particularly when sensitive data or operational systems are involved.

Historically, vendor risk assessments focused on technical indicators such as security controls, compliance checklists, or vulnerability scores. While those signals remain important, they often fail to translate clearly into business impact.

Financial quantification provides a different lens. Instead of asking whether a vendor has a specific control in place, organizations can evaluate the estimated cost if that vendor becomes the entry point for a breach or disruption. That approach allows security teams to frame vendor decisions in terms executives already use when evaluating other business risks.

Jason McLarney, Director of Product Management at Black Kite, told MSSP Alert that the company’s focus has been on making established standards practical for everyday use inside risk programs.

“Using trusted industry standards is a core part of Black Kite’s approach. Security leaders already rely on frameworks like Open FAIR™, and our advantage comes from embedding those standards directly into automated TPCRM workflows so organizations can operationalize them without manual overhead,” McLarney said.

“Jack Jones, the creator of OpenFAIR™, is also a strategic advisor to Black Kite, giving us unique access to the latest advancements and developments to the model.”

Bringing Financial Modeling Into the Assessment Workflow

Black Kite’s update embeds cyber risk quantification directly into vendor assessments. When organizations evaluate a supplier, the platform can calculate probable financial loss based on assessment responses, documentation, and external risk intelligence gathered through continuous monitoring.

The platform automatically populates key Open FAIR modeling inputs using this data. Security teams can then adjust variables or test different scenarios to understand how specific decisions affect financial exposure.

McLarney said the goal is to remove the complexity that often prevents organizations from applying cyber risk quantification in day-to-day operations.

“CRQ can be challenging to implement, and many teams struggle with where to start,” McLarney said. “We remove that barrier by automating the process — pre-populating model inputs with continuous monitoring data and control evidence, so organizations can quickly understand potential financial exposure and focus only on the few business-specific factors they need to adjust.”

Those factors often include the number and sensitivity of records shared with a vendor or how critical that supplier is to operations.

“For example, the number and sensitivity of records shared with a vendor or how critical that vendor is to operations,” McLarney said. “If a vendor is a sole provider of a key service, the model reflects higher disruption impact.”

How the Risk Model Is Calibrated

Automated financial modeling depends heavily on the quality of the data feeding the system. Black Kite’s implementation combines baseline assumptions with continuously updated intelligence to refine risk estimates.

“The Open FAIR™ model is designed to produce an estimate out of the box using baseline assumptions derived from company demographics such as size, industry, and geography,” McLarney said. “Those factors are fine-tuned each year based on newly released confirmed data breach and ransomware incidents.”

Those baseline factors are then supplemented by telemetry gathered from thousands of intelligence sources.

“To further enhance the accuracy of model outputs, Black Kite marries those baseline assumptions with our own intelligence and telemetry collected from thousands of data sources,” McLarney said. “Our OSINT vulnerabilities intelligence and breach history automatically update the FAIR model with each vendor scan so you can see how FAIR has trended over time.”

Additional calibration comes from documentation and control evidence collected during assessments.

“Vendor documentation and control evidence provided by customers with our Cyber Assessments module further calibrates the compliance side of the FAIR model, mapping documentation to defense-side controls of the FAIR model, all automated by the Cyber Assessment capability,” McLarney said.

The final layer of context comes from the customer itself.

“The final piece comes from the customer, who adds the business context only they can provide,” McLarney said. “That includes factors like the number and sensitivity of records shared with the vendor, the level of connectivity to internal networks and systems, and the amount of revenue or operational dependency tied to that supplier.”

Even with those inputs, McLarney noted that cyber risk quantification should be treated as a probabilistic estimate rather than an exact prediction.

“Ultimately, like any risk model, the output should be viewed as a probable range of financial impact rather than a precise figure.”

Comparing Vendors Using a Financial Risk Lens

One practical outcome of this approach is clearer vendor comparison. When multiple vendors offer similar services, organizations often struggle to determine which option presents less risk.

Financial modeling allows teams to evaluate vendors based on estimated loss exposure under different incident scenarios. This creates a consistent framework for comparing suppliers and aligning risk decisions with business tolerance levels.

Security teams can also track how vendor risk changes over time. The platform combines point-in-time assessments with real-time monitoring data, allowing organizations to see whether a vendor’s financial risk profile is improving, worsening, or remaining stable.

Financial Risk Moves Into Boardroom Conversations

Cyber risk quantification has gained attention in recent years as boards and executives ask for clearer explanations of security exposure.

McLarney said the shift is already visible in several sectors.

“We are already seeing organizations begin to incorporate financial risk into decision-making,” McLarney said. “In the insurance industry, underwriters already use cyber risk quantification to estimate policy risk and exposure when underwriting cyber insurance.”

The growing impact of supply chain attacks is also pushing vendor risk into executive-level discussions.

“We are seeing supply-chain and third-party cyber risk moving firmly into the boardroom agenda,” McLarney said. “Recent high-profile incidents have shown how a single vendor failure can trigger widespread operational disruption and reputational damage across an entire ecosystem.”

According to McLarney, financial modeling helps bridge the communication gap between technical teams and business leadership.

“As a result, boards are increasingly viewing supply-chain resilience as a core business risk rather than just a technical issue. Financial quantification helps bridge the communication gap between security teams and business leadership.”

What It Means for MSSPs and Risk Service Providers

The update also has implications for managed security service providers that manage vendor risk programs for clients. Many MSSPs already use cyber risk quantification within monitoring services to help prioritize remediation work and communicate risk levels to customers. Integrating financial modeling into vendor assessments expands how those providers can package and deliver risk services.

“Many of our MSSP partners are already using CRQ and incorporating it into the services they deliver to clients as part of continuous monitoring,” McLarney said. “It helps them prioritize remediation efforts and communicate risk and security priorities more effectively to their clients.”

Extending quantification into vendor assessments could allow MSSPs to demonstrate measurable outcomes from their work.

“MSSPs are particularly excited about expanding this capability into the assessment offering,” McLarney said. “This will allow them to apply financial risk insights to inform vendor selection decisions.”

It also provides a clearer way to show the impact of security improvements.

“They can show how remediation campaigns or vendor outreach efforts they’ve initiated have reduced financial exposure across a client’s vendor ecosystem, turning security improvements into measurable business impact,” McLarney said.

Cyber risk quantification helps translate technical security issues into financial impact. The difficulty has been using it consistently across large vendor ecosystems. By automating financial risk modeling inside vendor assessments, organizations can make this process easier to apply. Instead of running occasional analyses, teams can estimate financial risk as part of their normal vendor onboarding and review process. For security leaders, this also changes how risk is discussed internally. Financial estimates give security teams, procurement leaders, and executives a common way to evaluate vendor relationships and operational dependencies.

Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.

You can skip this ad in 5 seconds