OTSecurity

Black Kite integrates Open FAIR-based Risk Assessments for real-time cyber risk quantification


Black Kite announced the release of Open FAIR-based Risk Assessments, which extends its cyber risk quantification (CRQ) capabilities to its AI-powered cyber assessment offering. Black Kite fully automates the calculation of probable financial impact in the event of a data breach, ransomware attack, or business disruption scenario using the Open FAIR methodology, eliminating the complexity and manual effort typically associated with CRQ analysis. The release brings CRQ directly into the cyber risk assessment workflow, enabling customers to instantly calculate financial risk during onboarding and periodic risk reviews.

As the first provider to automate Cyber Risk Quantification (CRQ) for third-party risk management, Black Kite has long delivered real-time CRQ through its continuous monitoring offering. These insights help risk teams prioritize remediation efforts and vendor outreach, and clearly communicate risk and program success to executive and business stakeholders.

By introducing Open FAIR-based risk quantification into the assessment workflow, customers can model onboarding decisions through ‘what-if’ analysis. For example, they can simulate how sharing more or fewer records with a vendor impacts financial risk so that they can set clear vendor approval conditions. Additionally, customers are able to view real-time CRQ alongside assessment-based CRQ captured at onboarding and during periodic risk reviews to track how vendor risk is trending over time. 

“While technical data will remain foundational, we see the future of third-party risk management being led by financial risk, which will become the key metric for decision making, increasingly shaped by board-level expectations,” said Chuck Schauber, chief product officer at Black Kite. “Future risk decisions, from onboarding and renewals to insurance strategy, will be led by probable financial loss. With Black Kite’s newest capability, risk quantification analysis is now automated as part of the assessment workflow, so that risk leaders can instantly weigh risk versus revenue without manual analysis.”

Customer benefits include the ability to turn risk decisions into business decisions by instantly quantifying a company’s financial risk during onboarding and annual assessments, helping inform vendor selection, renewal decisions, and even insurance underwriting. The approach also enables clearer vendor comparisons by applying a consistent financial risk framework, allowing organizations to evaluate trade-offs such as whether to accept higher levels of cyber risk in specific scenarios.

It also provides visibility into risk trends over time by tracking how a vendor’s financial risk evolves, combining point-in-time cyber risk quantification from assessments with real-time insights from continuous monitoring. This helps build a clearer picture of vendor maturity, remediation progress, and the effectiveness of outreach efforts. In addition, organizations can model scenarios with full customization, adjusting inputs to test different decision conditions, such as limiting data access, and understanding how each scenario impacts potential financial loss.

Key features of Open FAIR-based risk assessments include automated model population, which removes the need to build models from scratch by using assessment responses, uploaded documentation, and continuous monitoring data to populate FAIR factors. The platform also supports private, assessment-based modeling, enabling organizations to estimate probable financial risk at critical stages such as onboarding, renewal, or after major remediation efforts. Finally, it offers full customization, allowing teams to tailor exposure metrics and FAIR inputs across predefined or entirely custom scenarios to evaluate different risk assumptions.

Earlier this month, new data from Black Kite’s seventh annual Third-Party Breach Report showed that third-party cyber incidents reached unprecedented scale in 2025, with 136 major breaches affecting 719 named companies and an estimated 26,000 additional downstream victims that were never publicly identified. The analysis found an average of 5.28 downstream victims per breach, the highest level on record, underscoring how attackers are increasingly targeting shared platforms and high-dependency vendors and turning single compromises into cascading impacts across entire supply chains.


