< ciso brief />

All news with #third party risk tag

77 articles · page 2 of 4

Ransomware and Data Theft Hit Ingram Micro, 42K Affected

🔒 In July 2025 a ransomware attack on distributor Ingram Micro disrupted the company's logistics for about a week, impacting its U.S. headquarters and a German site. The company notified U.S. authorities that more than 42,000 people—current and former employees and job applicants—had personal data stolen, including names, contact details, dates of birth, identity document numbers and Social Security numbers. Documents from hiring processes and employee performance reviews were also exfiltrated, and the ransomware group Safepay, active since September 2024, claimed roughly 3.5 terabytes of data.

EU Commission Proposal Would Allow Bans on High-Risk Vendors

🔒 The EU Commission has proposed a legal mechanism to ban network-equipment vendors it considers high-risk, a move widely seen as targeting Chinese firms such as Huawei and ZTE though the draft does not name specific companies. The plan would let Brussels require member states to replace prohibited technology in critical infrastructure within three years. It would also strengthen ENISA with additional staff and funding to coordinate EU-wide cybersecurity and ransomware defenses.

13 Questions to Vet IT Vendors and Reduce Third-Party Risk

🔐 As enterprises outsource more IT and adopt third-party SaaS, recent high-profile breaches show attackers are exploiting vendor trust pathways like help desks, OAuth tokens, and permissive integrations. CSOs should treat vendor selection as continuous risk management and demand strong attestations (e.g., SOC 2 Type II, ISO/IEC 27001), inventories of OAuth/API relationships, and evidence of actual workflow execution. The article lists 13 targeted questions covering controls, notification commitments, testing cadence, isolation measures, and insurance to reduce supply-chain risk.

Third-Party Risk Management to Prevent Compliance Failures

🔒 Third Party Risk Management (TPRM) is a strategic program that helps organizations identify, assess, and control risks arising from external vendors and service providers. Core elements include risk identification and assessment, contract management, continuous monitoring and audits, and employee training. Compliance drivers such as SOC 2 and GDPR make robust TPRM essential to prevent legal and reputational damage. Integrating TPRM into enterprise risk frameworks and using automation improves consistency and oversight.

SpyCloud Launches Supply Chain Identity Threat Solution

🔒 SpyCloud announced Supply Chain Threat Protection, a new offering that extends identity threat monitoring across an organization’s entire vendor ecosystem using recaptured darknet data from breaches, malware, and successful phishes. The solution emphasizes verified, timely evidence of compromise over static scoring and external surface indicators. It provides an Identity Threat Index, visibility into compromised applications on supplier devices, and integrated response tools to help security, vendor risk, and GRC teams act on real threats.

64% of Third-Party Apps Access Sensitive Data in 2026

🔒 New 2026 analysis of 4,700 leading websites finds 64% of third-party applications access sensitive data without demonstrable business justification, rising from 51% in 2024. The report identifies recurring causes such as over-permissioned scripts, shadow deployments via tag managers, and persistent trackers. Specific tools flagged include Google Tag Manager, Shopify apps, and the Facebook Pixel, while government and education sites show marked increases in compromise. The study cautions that governance gaps and limited mitigation adoption leave organizations exposed.

Transparency and Accountability in Cybersecurity Vendors

🔍 Modern CISOs face growing compliance and supply-chain pressures and must verify security products rather than assume vendor claims. The AV-Comparatives TRACS study assessed 14 EPP/EDR vendors on 60+ transparency criteria — source-code review, SBOMs, audit reports, update controls, and telemetry options — and found few vendors offer comprehensive verification. Kaspersky highlights its global transparency centers, minimal telemetry, and local-processing choices as practical risk-management measures that improve predictability.

Parliament Seeks Industry Input on Cyber Security Bill

🏛️ The Parliamentary Public Bill Committee is inviting industry submissions to inform scrutiny of the Cyber Security and Resilience Bill (CSRB), the planned successor to the NIS Regulations 2018. Now at committee stage after its second reading, the bill proposes expanded scope, tighter incident-reporting, mandatory supply-chain risk management and alignment with the NCSC Cyber Assessment Framework. The committee will hear oral evidence from 3 February and has urged prompt written responses as it may conclude early.

Applying the Musk Oxen Strategy to Third-Party Risk

🛡️ Third-party risk is a growing enterprise threat underscored by recent supply-chain attacks, including the June 2024 compromise of TeamViewer by APT29. The article argues organizations often depend on hundreds or thousands of vendors with limited transparency, immature security practices, and hidden subcontractors, which makes traditional vendor assessments a weak defense. It proposes the musk oxen strategy: collective intelligence-sharing, coordinated remediation support, and joint negotiation to strengthen common weak links and reduce systemic risk.

Outsourced Cyber Defenses: Systemic Risks and Governance

🔐 Outsourcing critical IT and cybersecurity has shifted from a cost-saving tactic to a systemic fragility driver. The article explains how single-vendor failures — highlighted by SolarWinds and MOVEit — can cascade across industries, amplified by cloud adoption, talent shortages and subcontractor opacity. It warns that AI-driven agents, regulatory fragmentation, and geopolitical exposures turn vendor compromises into national and economic security risks. Boards, CISOs and regulators must adopt trust-by-design, stress tests and AI resilience measures.

Liability Protection for CISOs Varies with Company Size

🔒 A recent RSAC survey found a large disparity in indemnification for security leaders: 88% of Fortune 1000 CISOs report legal indemnity, versus just 53% at organizations with 500+ employees. D&O insurance is the most common vehicle, and inclusion of CISOs in such policies is rising, with more than 50% reporting coverage in the 2025 IANS Research report. Experts warn that indemnification agreements, distinct from D&O, are the critical legal guarantee and that midmarket CISOs face meaningful personal, financial, and career risk without them.

NCSC Playbook Integrates Cyber Essentials into Supply Chains

🔒 The UK National Cyber Security Centre (NCSC) has published a practical playbook urging businesses to embed Cyber Essentials across supply chains and to use its new Supplier Check tool to verify supplier certification (CE or CE Plus). It highlights that firms with turnover under £20m qualify for free cyber-liability insurance and incident response support when certified. The seven-step guidance covers risk mapping, defining security profiles, setting and enforcing minimum security requirements, incentivizing CE, embedding adoption into procurement and monitoring uptake.

Balancing Cost and Cyber Resilience in Procurement Strategies

🔒 Procurement teams frequently chase short-term savings, consolidating suppliers and selecting the lowest-cost vendors, which can create systemic cyber fragility. The article warns that cost-focused procurement often overlooks vendor security posture and incident readiness, leading to outsized losses in breaches, ransomware or supply disruptions. It recommends cyber due diligence, risk-tiering, minimum baselines (e.g., MFA, encryption, patching), resilience KPIs (MTTD, MTTR, RTO) and cross-functional governance to align cost with resilience. Strategic partnerships, scenario testing and cultural change convert procurement from bargain hunters into resilience builders.

Comcast to Pay $1.5M After Vendor Breach Affects 273,703

🔒 Comcast will pay $1.5 million to settle an FCC investigation after a February 2024 vendor breach at Financial Business and Consumer Solutions (FBCS) exposed the personal data of 273,703 current and former Xfinity customers. Under the consent decree Comcast must implement a compliance plan with enhanced vendor oversight, biennial risk assessments, and biannual reporting. Comcast says its network was not breached and has not conceded wrongdoing.

Amazon Quick Research Adds Third-Party Industry Data

🔍 Amazon Quick Research now integrates specialized third-party industry datasets from S&P Global, FactSet, and IDC, alongside public patent and PubMed collections. Users with existing subscriptions can combine these authoritative sources with enterprise data and real-time web search inside a unified AI workspace. The capability compresses weeks of data discovery and analysis into minutes and helps teams move more quickly from insight to action. The integration is available in select AWS Regions.

SitusAMC Data Breach Exposes Client and Customer Data

🔒 SitusAMC, a major real-estate finance services firm that supports banks and lenders, disclosed a November data breach that compromised some client and customer information. The company says business operations remain unaffected and investigators found no evidence of encrypting ransomware. External experts have been retained, and affected clients and residential customers are being notified directly as the scope is determined.

CISA Issues Guidance to Combat Bulletproof Hosting Abuse

🔒 CISA, together with US and international partners, has published a joint guide addressing bulletproof hosting (BPH) services that enable ransomware, phishing, malware delivery and other attacks. The guidance explains how BPH providers lease or resell infrastructure to criminals, enabling fast-flux operations, command-and-control activity and data extortion while evading takedowns. It recommends concrete defensive actions — including curating a high-confidence list of malicious internet resources, continuous traffic analysis, automated blocklist reviews, network-edge filters, threat intelligence sharing and feedback processes — to help ISPs and network defenders reduce abuse while limiting collateral impact.

97% of Companies Hit by Supply Chain Breaches, BlueVoyant

🛡️ A BlueVoyant survey finds 97% of organizations were negatively impacted by a supply chain breach, up sharply from 81% in 2024. The State of Supply Chain Defense: Annual Global Insights Report 2025, published 20 November, shows many firms are maturing TPRM programs and shifting oversight into cyber or IT teams. Despite increased maturity, respondents report persistent issues such as lack of executive buy-in, compliance-first approaches, limited integration with enterprise risk frameworks, and a trend of adding vendors faster than they add visibility or remediation capacity.

ID Verification Laws Fueling a New Wave of Breaches

🔒 The proliferation of age and identity verification laws is forcing organizations to retain sensitive government-issued IDs, increasing breach risk. A recent Discord incident exposed ID images via a compromised third-party provider, showing how regulatory mandates can create high-value data stores. The article advises that MSPs and affected organizations adopt natively integrated platforms and a single-agent, single-console approach to reduce attack surface, simplify operations and centralize visibility to mitigate these new risks.

UK Carriers to Block Spoofed Phone Numbers Within Year

🔒 Britain’s major mobile carriers have agreed to upgrade networks to eliminate phone-number spoofing within a year under the new Telecoms Charter. The pact, signed by BT EE, Virgin Media O2, Vodafone Three, Tesco Mobile, TalkTalk and Sky, requires call-origin labeling for international calls, broader data sharing with police, advanced tracing and faster victim support. Operators report AI systems already block millions of scam calls and texts monthly.