SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Black Kite adds Open FAIR to quantify third-party risk

Wed, 18th Mar 2026

Black Kite has added Open FAIR-based risk assessments to its cyber risk quantification offering, bringing financial impact estimates into its third-party cyber risk assessment workflow.

The update uses the Open FAIR methodology to estimate probable financial loss tied to scenarios such as data breaches, ransomware attacks, and business disruption. These calculations run automatically during onboarding and periodic reviews, alongside Black Kite's monitoring-led cyber risk quantification.

Cyber risk quantification has become more prominent as boards and executives ask security and risk teams for clearer measures of exposure in monetary terms. Many organisations still rely on qualitative questionnaires and scorecards when assessing suppliers, even as regulations and customer expectations raise the stakes around vendor incidents.

Assessment workflow

Black Kite describes the release as an expansion of its third-party risk management approach, which has focused on continuous monitoring of supplier cyber posture. The new feature adds a point-in-time assessment model that produces a financial estimate at key decision points, such as onboarding and annual reviews.

The assessment workflow can incorporate questionnaire responses, uploaded documents, and signals from continuous monitoring. These inputs populate the factors used in an Open FAIR model.

The workflow also includes a private modelling option that runs assessment-specific analysis at defined moments, including renewals and after outreach campaigns. Users can compare these results with real-time figures from continuous monitoring, showing how a supplier's risk changes over time.

Scenario modelling

The release emphasises scenario analysis. Customers can run "what-if" modelling during onboarding, for example by changing the number of records shared with a supplier and seeing how that affects the estimated financial impact for a given incident scenario.

Users can also adjust exposure metrics and other model inputs across common scenarios, or build custom scenarios. This can support internal approval conditions, such as limiting a vendor's data access or narrowing the scope of connectivity.

Financial impact estimates are increasingly common in supplier risk discussions, particularly when procurement decisions involve large contracts and complex supply chains. Organisations also face pressure to justify spending on controls and remediation in business terms, rather than relying solely on technical findings.

Vendor comparisons

The assessment-based quantification is positioned as a consistent way to compare vendors, for example, weighing "$10M vs. $2M of cyber risk in a ransomware scenario" when choosing between suppliers.

Such comparisons can remain difficult across vendor categories because underlying risk drivers vary widely. Critical service providers, software vendors, and logistics partners can each introduce distinct exposures. Quantification frameworks such as Open FAIR aim to normalise comparisons through structured assumptions, though results depend on the quality of the data feeding the model and the scenario definition.

Black Kite has previously offered cyber risk quantification through continuous monitoring and describes itself as the first provider to automate cyber risk quantification for third-party risk management. It says its monitoring insights have been used for remediation prioritisation, vendor outreach, and reporting to executive stakeholders.

Chuck Schauber, Black Kite's chief product officer, said the product direction reflects board-level expectations and a shift toward financial metrics.

"While technical data will remain foundational, we see the future of third-party risk management being led by financial risk, which will become the key metric for decision making, increasingly shaped by board-level expectations," said Schauber.

He linked the approach to decisions spanning vendor onboarding, renewals, and insurance considerations.

"Future risk decisions, from onboarding and renewals to insurance strategy, will be led by probable financial loss. With Black Kite's newest capability, risk quantification analysis is now automated as part of the assessment workflow, so that risk leaders can instantly weigh risk versus revenue without manual analysis," said Schauber.

Black Kite says the platform is used by more than 3,000 customers and covers risk intelligence across more than 40 million companies. It says the product automates vendor monitoring and risk assessments and provides insights into ransomware susceptibility, regulatory gaps, and financial exposure.

The rollout adds a financial lens to assessment checkpoints that many organisations already use for supplier onboarding and periodic reviews, and signals continued movement toward measurable, scenario-based third-party cyber risk reporting.