---
id: "concept-extraorganizational-risk"
type: "concept"
source_timestamps: ["§ What boards should do:"]
tags: ["supply-chain-risk", "third-party-risk"]
related: ["action-probe-high-risk-partners"]
definition: "Cybersecurity vulnerabilities and threats that originate from interconnected external systems, partners, and supply chains rather than internal infrastructure."
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-cl-83-boards-cybersecurity"
sourceUrl: "https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity"
sourceTitle: "Boards Are Falling Short on Cybersecurity"
---
# Extraorganizational Cyber Risk

## Definition

Cybersecurity vulnerabilities and threats that originate from interconnected external systems, partners, and supply chains rather than from an organization's own internal infrastructure.

## Detail

Cyber vulnerabilities do not stop at the perimeter of a single organization. **Extraorganizational risk** refers to the exposures that exist across interconnected systems, supply chains, and sector partnerships. Because a breach in a partner's system can have dramatic consequences for the primary organization, boards must treat this category as a **strategic priority**.

The concrete board mandate is [[action-probe-high-risk-partners]]: probing high-risk partners, ensuring external threats are integrated into business-continuity plans, and verifying that appropriate redundancies exist for critical functions that depend on third parties.

## Enrichment validation

**Strongly supported.** Incidents such as **SolarWinds**, **Kaseya**, and **MOVEit** demonstrate that compromise of a single software or service provider can cascade to hundreds or thousands of downstream organizations. Modern frameworks (NIST CSF, NIST SP 800-161 Supply Chain Risk Management, ISO 27001, SEC cyber rules, EU NIS2) now explicitly require management of third-party and supply-chain risk as a core control area.
## Related across articles
- [[action-vet-vendors]]
