
All news with #third party risk tag

77 articles

AWS Completes S&P Global KY3P Assessment Report

🔒 AWS has completed the S&P Global Know Your Third Party (KY3P) assessment to validate its security posture and help customers reduce supplier due diligence. The KY3P assessment is evidence-based and evaluates operation of controls across privacy, network, access, and physical security domains. Results can be mapped to frameworks such as NIST CSF v2, PCI DSS 4.0, and ISO 27001:2022 to provide customers with standardized risk data and improved visibility into supply chain risks.

Three-Quarters Admit Shipping Vulnerable Code

🛡️ New studies reveal that 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% last year but still alarmingly high. Checkmarx warns that AI-augmented attackers are dramatically shortening time-to-exploit, while Verizon’s DBIR links increased initial access to vulnerability exploitation aided by AI. A QBE survey found UK firms are worried about suppliers' AI use, yet few audit third-party AI or maintain formal AI governance.

Orphaned Applications Fuel Shadow IT and Risk Exposure

🔎 Orphaned applications silently expand shadow IT by persisting beyond team ownership, continuing to authenticate, exchange data, and consume resources without oversight. They commonly appear when departments adopt tools to meet urgent needs and those workflows, accounts, or service identities are never decommissioned. NETSCOUT Smart Data leverages packet-derived observability to reveal hidden dependencies and enrich the ServiceNow CMDB, helping teams reduce operational, security, and compliance blind spots.

Tip-line Breach and Rockstar Leak Highlight Security Risks

🔐 A tip‑line operator that handled anonymous reports for 35,000 U.S. schools suffered a major breach after an attacker exploited an XSS flaw in a LeverTip chat box and stole a staff session cookie via social engineering. The intruder exfiltrated 91 GB (≈8.3M tip records), some dating back decades, and offered the dataset for sale. Separately, Rockstar Games experienced a third‑party compromise that exposed partial data, including internal financial figures. Both incidents underscore failures in basic web hygiene, third‑party controls, and incident transparency.

Weekly Recap - Third-Party Compromises and Evasion Trends

🔒 This weekly recap highlights a recurring attack pattern: compromise of trusted third-party tools and update paths to gain internal access and persist. Incidents include a Vercel breach originating from a compromised Context.ai account that led to takeover of a Google Workspace identity, hijacked download pages serving trojanized installers, malicious Chrome extensions, and plugin abuse. The report emphasizes multi-stage, in-memory payloads and attackers leveraging legitimate workflows to evade detection. Organizations should reassess trust boundaries, monitor OAuth tokens and environment variables, and prioritize patching of actively exploited CVEs.

Bank Pixel Redirects Logged-In Users to Temu Tracker

🔍 A Taboola tracking pixel approved by a bank silently redirected authenticated users to a Temu tracking endpoint without the bank's knowledge, user consent, or any security control flagging a violation. Reflectiz discovered the chain during a February 2026 audit: an initial GET to sync.taboola.com returned a 302 to a temu.com pixel and included Access-Control-Allow-Credentials: true, enabling credentialed cross-origin requests. Conventional tools missed the behavior because they validate the declared script origin rather than runtime redirect destinations. Organizations should inspect browser runtime behavior, tighten CSPs, and consider sandboxing third-party scripts on authenticated pages.

Why Third-Party Risk Is the Biggest Gap in Client Security

🔒 The next major breaches are likely to originate from trusted vendors, SaaS tools, or subcontractors, expanding the enterprise perimeter beyond owned infrastructure. Cynomi's new guide argues that Third-Party Risk Management (TPRM) must evolve from an annual checkbox into a continuous, governance-grade security function driven by regulatory pressure and financial risk. With regimes such as CMMC, NIS2, and DORA raising expectations, and research showing third parties factor in roughly 30% of breaches and average remediation costs near $4.91M, MSPs and MSSPs can monetize structured, tech-enabled TPRM as a repeatable, high-margin service.

External Forces Reshaping Cybersecurity Risk Today

🔒 Over the past four years organizations have been increasingly challenged by threats that originate in third-party networks, with more than 35% of breaches tied to compromised vendors or partners. International conflict, generative AI and growing supply-chain exposure are accelerating risk and extending impact to Operational Technology (OT) and IoT environments. Leaders should elevate OT risk to the board, adopt immutable 3-2-1-1 backup strategies, and establish an AI Risk Council to enforce governance and pentesting before broad AI adoption.

Cybersecurity and Privacy Legal Risks to Watch in 2026

🔒 Escalating threats and expanding regulation have materially increased corporate exposure to cybersecurity and privacy disputes, with 2025 showing a marked rise in class actions and litigation risk. The piece identifies key drivers for 2026: sophisticated state-sponsored actors using AI, intensified federal initiatives and enforcement, proactive state regulator actions, growing third‑party/vendor risk, and inventive litigation tactics such as qui tam and False Claims Act claims. It urges organizations to revisit fundamentals — data inventories, governance, third‑party oversight, incident response and public statements — to reduce legal and operational exposure.

MSP Guide: Scaling Cybersecurity with AI Risk Management

🛡️ This contributed piece from The Hacker News (Mar 06, 2026) outlines how MSPs and MSSPs can adopt AI-powered risk management to scale cybersecurity services. It argues a risk-first model shifts providers from one-off, technical fixes to continuous, business-focused protection that drives recurring revenue. The article highlights six common barriers—manual assessments, missing remediation roadmaps, compliance complexity, lack of business context, talent shortages, and unmanaged third-party risk—and recommends sourcing platforms that deliver automated assessments, dynamic risk registers, and actionable remediation plans to accelerate onboarding, improve compliance mapping, and create upsell opportunities.

Third-Party Breaches Expand Blast Radius Across Supply

🛡️ Black Kite's seventh annual Third-Party Breach Report shows supplier breaches have a far larger downstream impact than commonly recognized. In 2025 analysis of verified public disclosures and external telemetry, 136 confirmed incidents averaged 5.28 publicly named downstream victims per vendor, totaling 719 corporate victims and 433 million affected individuals, with vendors also reporting an additional 26,000 unnamed corporate victims. The study highlights concentration among software services, prolonged detection and notification delays, and pervasive exposure to critical vulnerabilities and leaked credentials, concluding that traditional third-party risk management is not keeping pace.

Ring Ends Partnership with Controversial Flock Vendor

⚠️ Amazon's Ring has canceled its partnership with surveillance analytics firm Flock, a move that underscores how toxic Flock's reputation has become and spotlights risks in third‑party surveillance integrations. The announcement signals growing reputational and operational exposure for vendors that tie consumer devices to controversial surveillance‑tech providers, including possible feature rollbacks and legal scrutiny. Commentators, notably Hamilton Nolan, have gone further and advised consumers to remove their Ring doorbells. The decision sharpens concerns about vendor due diligence, user consent, and the privacy consequences of embedded surveillance capabilities.

Citizen Lab: Cellebrite Used on Kenyan Activist's Phone

🔍 Citizen Lab identified indicators that Kenyan authorities used Cellebrite forensic extraction tools on the personal Samsung phone of pro-democracy activist Boniface Mwangi while it was held in police custody in July 2025. The researchers assessed with high confidence that the extraction occurred on or around July 20–21; the device was returned in September and was no longer password-protected. Such access could have enabled full extraction of messages, files, passwords and other sensitive data. The finding compounds other recent reports of commercial spyware and extraction-tool misuse against civil society.

13 Questions CISOs Should Ask Third-Party Vendors Now

🔒 Increasing reliance on third-party IT and software significantly expands an organization’s attack surface, and security leaders must act before incidents force their involvement. The article provides a focused checklist of 13 practical questions for CISOs covering evidence of controls (e.g., SOC 2 Type II, ISO/IEC 27001), change management, identity posture, and workflow validation. It stresses independent testing, clear contractual responsibilities, timely incident notification, and rigorous handling of OAuth and API integrations to reduce supply-chain risk.

Conduent Breach Exposes Volvo Group North America Data

🔓 Volvo Group North America disclosed an indirect data breach after IT systems at Conduent, a major business services provider, were compromised between October 21, 2024 and January 13, 2025. Nearly 17,000 customers and staff had personal details exposed, including full names, Social Security Numbers, dates of birth, insurance IDs and medical information. Conduent is notifying affected parties and offering at least a year of identity, credit and dark web monitoring plus identity restoration; notification recipients are also advised to consider fraud alerts or a security freeze. The incident adds to other third-party supplier breaches that have recently affected Volvo entities.

NIS2 Reframes Supply Chain Risk as Core Security Duty

🔒 NIS2 forces organizations to treat supply chains as an integral part of cybersecurity rather than an afterthought. The directive shifts emphasis from perimeter defenses to the risks posed by external service providers and subcontractors, requiring firms to identify dependencies, set proportionate contractual security obligations, and implement continuous monitoring. It also elevates the CISO's remit to enforce cross-functional risk management.

Army Signal Officer to Insurance CSO: Hensley’s Cyberplan

🔐 Barry Hensley, a retired U.S. Army Colonel and former Signal Officer, now serves as CSO of Brown & Brown, leading efforts to protect client networks and sensitive data. He notes that organizational awareness of cyber risk has grown, but effective investment and calibrated risk tolerance often lag, especially under budget constraints. Hensley highlights threats such as ransomware and ideologically motivated attacks, the rising role of AI in both offense and defense, and the critical need to manage third- and fourth-party risk while retaining motivated security talent.

NIS2 Elevates Supply Chain Security to Leadership Task

🔒 NIS2 pushes organizations to treat supply-chain risk as central to cybersecurity, making external dependencies part of security architecture and leadership responsibility. It requires systematic inventories, contractual security obligations, and continuous monitoring of both direct providers and downstream subcontractors. For the CISO, the role shifts from technical stewardship to cross-functional risk management and enforcement. Common failures—poor prioritization, unenforced controls and organizational silos—must be addressed with scalable, evidence-based controls.

NHS Calls for Stronger Supplier Cybersecurity Measures

🏥 The NHS has issued an open letter (22 January) signaling more proactive engagement with suppliers to bolster cyber resilience across health and social care. The initiative builds on last year’s voluntary cybersecurity supply chain charter and responds to persistent ransomware and supply-chain threats. NHS England stresses this is not an audit but a partnership to identify risks and agree proportionate remediation. Expectations include MFA, patched systems, effective logging and immutable backups with tested recovery plans.

EU Revises Cybersecurity Rules to Curb High-Risk Suppliers

🔐 The European Commission has unveiled a cybersecurity package to strengthen the EU’s resilience against state and criminal cyber and hybrid threats. The proposals focus on reducing risks from high-risk suppliers outside the EU—particularly in critical infrastructure like mobile networks—using a common, risk-based framework. The plan updates the European Cybersecurity Certification Framework to speed product testing, eases compliance burdens for SMEs, and reinforces ENISA’s role in threat analysis, incident response and vulnerability management.