Cyber risk management is not limited to an organisation's perimeter; it requires explicitly considering the risks associated with third parties and critical suppliers.