Manage Vendor Risk in a Few Practical Steps
Risk tolerance, exposure visibility, board oversight — handling third-party risk is complicated but achievable with disciplined, precise governance.
Third-party risk concerns cybersecurity weaknesses in vendors and service providers that can expose connected organizations to breaches, outages, or data loss.
Search across headline titles and summaries.
Background for this topic.
Third-party risk is the security exposure created when an organization relies on external suppliers, contractors, cloud services, software providers, or business partners. These parties may process sensitive information, connect to internal systems, or supply software and services whose security the organization does not fully control. The tag generally covers cyber, privacy, and operational risks arising from those relationships, including dependencies on a provider’s own suppliers.
Security-relevant concerns include excessive or poorly governed third-party access, vulnerabilities in supplied software or services, and inadequate protection of shared personal or business data. Useful controls include assessing a provider’s security before onboarding, limiting and reviewing access, requiring vulnerability and incident-notification practices in contracts, monitoring material changes, and promptly removing access when a relationship ends. During an incident, organizations may need provider logs, evidence, and coordinated response actions; clear ownership and communication paths are therefore important.
Weekly headline count for the current query.
Risk tolerance, exposure visibility, board oversight — handling third-party risk is complicated but achievable with disciplined, precise governance.
The next major breach hitting your clients probably won't come from inside their walls. It'll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That's the new attack surface, and most organizations are underprepared for it
Keyrock CISO David Cass on Managing Agentic AI Risk in Financial ServicesAs financial institutions accelerate AI adoption, traditional governance models are falling short. David Cass, CISO at Keyrock, explains why organizations must rethink accountability, asset visibility and identity controls to manage emerging risks from LLMs and agentic AI systems.
For the U.S. healthcare ecosystem, the 2024 ransomware attack on Change Healthcare proved to be a supply-chain earthquake in showcasing critical third-party risk that entities now must carefully and urgently consider, said Erik Decker, CISO of Intermountain Health and a federal cyber adviser.
Despite a growing maturity of third-party risk management programs, supply chain attacks impacted more organizations in 2025 than in previous years
Claroty's Sean Tufts on Security Issues Facing Critical Infrastructure ProvidersThird-party risks are creating new challenges for critical infrastructure providers, and that could lead to new regulations for securing cyber-physical systems, said Sean Tufts, field CTO at Claroty. Claroty's recent survey shows that cyber professionals are facing an uncertain regulatory landscape.
European Startup Acquisition Aims to Unify Technical and Financial Cyber InsightsThe acquisition of Intangic enhances Searchlight Cyber's ability to quantify and price cyber risk by leveraging AI and dark web intelligence. The combined platform will offer actionable third-party risk data for CISOs, CFOs and insurance providers to better understand and manage cyber exposure.
HITRUST's Tom Kellermann on Third-Party Risk, Defending Against Persistent AccessIsland hopping, AI poisoning and access mining are reshaping cyber risk. Tom Kellermann of HITRUST says organizations must modernize third-party risk management practices and assess AI environments to stop attackers from using trusted infrastructure as a launch pad for broader campaigns.
Guide Helps Teams Prioritize, Recognizing Not All Vendors Pose Same Level of RiskThird-party security risk is among the most complicated challenges facing the healthcare sector because of the wide variety of vendors involved and the critical products and services they provide. A new Health Sector Coordinating Council toolkit aims to help entities navigate those difficulties.
Experts at a Gartner event highlighted areas of focus in identity, processes and third-party risk management to tackle the novel tactics employed by Scattered Spider
HyperComply's AI Automation Reduces Vendor RFP Questionnaire Work by 92%SecurityScorecard is acquiring HyperComply to streamline third-party risk assessments with AI that automates most security questionnaire responses. The deal supports SecurityScorecard’s shift from ratings-only to a full solutions platform for mitigating supply chain risk.
Lytical Ventures' Taylor Margot on Autonomous Agents and New AI DefensesAs AI shifts toward autonomous agents, organizations face growing exposure from third-party systems. Strong permissioning, data orchestration and new defenses are essential to protect against opaque and potentially costly security risks, said Taylor Margot, partner at Lytical Ventures.
Experts Call for Continuous Assessments of Vendor Risk - Not Just at OnboardingAs vendor ecosystems grow in complexity, many organizations still view third-party risk management as a static assessment of vendors as they're onboarded. But organizations often focus too heavily on upfront vetting of vendors and fail to track how their risk profiles may change over time.
Data collected by cyber-insurers show that ransomware accounts for the majority of insurance claims, but that much of the losses stem from third-party breaches affecting policyholders.
Orange Cyberdefense found that over half of UK financial firms suffered at least one third-party attack in 2024, linked to significant gaps in risk management strategies
Managing third-party risk in the SaaS era demands a proactive, data-driven approach beyond checkbox compliance.
What do identity risks, data security risks and third-party risks all have in common? They are all made much worse by SaaS sprawl. Every new SaaS account adds a new identity to secure, a new place where sensitive data can end up, and a new source of third party risk. Learn how you can protect this sprawling attack surface in 2025
Secure by Demand offers a starting point for third-party risk management teams, but they need to take the essential step of using a mature software supply chain security solution to ensure they're not blindly trusting a provider's software.