< ciso
brief />
Tag Banner

All news with #third party risk tag

86 articles · page 2 of 5

Ring Ends Partnership with Controversial Flock Vendor

⚠️ Amazon's Ring has canceled its partnership with surveillance analytics firm Flock, a move that underscores how toxic Flock's reputation has become and spotlights risks in third‑party surveillance integrations. The announcement signals growing reputational and operational exposure for vendors that tie consumer devices to controversial surveillance‑tech providers, including possible feature rollbacks and legal scrutiny. Commentators, notably Hamilton Nolan, have gone further and advised consumers to remove their Ring doorbells. The decision sharpens concerns about vendor due diligence, user consent, and the privacy consequences of embedded surveillance capabilities.
read more →

Citizen Lab: Cellebrite Used on Kenyan Activist's Phone

🔍 Citizen Lab identified indicators that Kenyan authorities used Cellebrite forensic extraction tools on the personal Samsung phone of pro-democracy activist Boniface Mwangi while it was held in police custody in July 2025. The researchers assessed with high confidence that the extraction occurred on or around July 20–21; the device was returned in September and was no longer password-protected. Such access could have enabled full extraction of messages, files, passwords and other sensitive data. The finding compounds other recent reports of commercial spyware and extraction-tool misuse against civil society.
read more →

13 Questions CISOs Should Ask Third-Party Vendors Now

🔒 Increasing reliance on third-party IT and software significantly expands an organization’s attack surface, and security leaders must act before incidents force their involvement. The article provides a focused checklist of 13 practical questions for CISOs covering evidence of controls (e.g., SOC 2 Type II, ISO/IEC 27001), change management, identity posture, and workflow validation. It stresses independent testing, clear contractual responsibilities, timely incident notification, and rigorous handling of OAuth and API integrations to reduce supply-chain risk.
read more →

Conduent Breach Exposes Volvo Group North America Data

🔓 Volvo Group North America disclosed an indirect data breach after IT systems at Conduent, a major business services provider, were compromised between October 21, 2024 and January 13, 2025. Nearly 17,000 customers and staff had personal details exposed, including full names, Social Security Numbers, dates of birth, insurance IDs and medical information. Conduent is notifying affected parties and offering at least a year of identity, credit and dark web monitoring plus identity restoration; notification recipients are also advised to consider fraud alerts or a security freeze. The incident adds to other third-party supplier breaches that have recently affected Volvo entities.
read more →

NIS2 Reframes Supply Chain Risk as Core Security Duty

🔒 NIS2 forces organizations to treat supply chains as an integral part of cybersecurity rather than an afterthought. The directive shifts emphasis from perimeter defenses to the risks posed by external service providers and subcontractors, requiring firms to identify dependencies, set proportionate contractual security obligations, and implement continuous monitoring. It also elevates the CISO's remit to enforce cross-functional risk management.
read more →

Army Signal Officer to Insurance CSO: Hensley’s Cyberplan

🔐 Barry Hensley, a retired U.S. Army Colonel and former Signal Officer, now serves as CSO of Brown & Brown, leading efforts to protect client networks and sensitive data. He notes that organizational awareness of cyber risk has grown, but effective investment and calibrated risk tolerance often lag, especially under budget constraints. Hensley highlights threats such as ransomware and ideologically motivated attacks, the rising role of AI in both offense and defense, and the critical need to manage third- and fourth-party risk while retaining motivated security talent.
read more →

NIS2 Elevates Supply Chain Security to Leadership Task

🔒 NIS2 pushes organizations to treat supply-chain risk as central to cybersecurity, making external dependencies part of security architecture and leadership responsibility. It requires systematic inventories, contractual security obligations, and continuous monitoring of both direct providers and downstream subcontractors. For the CISO, the role shifts from technical stewardship to cross-functional risk management and enforcement. Common failures—poor prioritization, unenforced controls and organizational silos—must be addressed with scalable, evidence-based controls.
read more →

NHS Calls for Stronger Supplier Cybersecurity Measures

🏥The NHS has issued an open letter (22 January) signaling more proactive engagement with suppliers to bolster cyber resilience across health and social care. The initiative builds on last year’s voluntary cybersecurity supply chain charter and responds to persistent ransomware and supply-chain threats. NHS England stresses this is not an audit but a partnership to identify risks and agree proportionate remediation. Expectations include MFA, patched systems, effective logging and immutable backups with tested recovery plans.
read more →

EU Revises Cybersecurity Rules to Curb High-Risk Suppliers

🔐 The European Commission has unveiled a cybersecurity package to strengthen the EU’s resilience against state and criminal cyber and hybrid threats. The proposals focus on reducing risks from high-risk suppliers outside the EU—particularly in critical infrastructure like mobile networks—using a common, risk-based framework. The plan updates the European Cybersecurity Certification Framework to speed product testing, eases compliance burdens for SMEs, and reinforces ENISA’s role in threat analysis, incident response and vulnerability management.
read more →

Ransomware and Data Theft Hit Ingram Micro, 42K Affected

🔒 In July 2025 a ransomware attack on distributor Ingram Micro disrupted the company's logistics for about a week, impacting its U.S. headquarters and a German site. The company notified U.S. authorities that more than 42,000 people—current and former employees and job applicants—had personal data stolen, including names, contact details, dates of birth, identity document numbers and Social Security numbers. Documents from hiring processes and employee performance reviews were also exfiltrated, and the ransomware group Safepay, active since September 2024, claimed roughly 3.5 terabytes of data.
read more →

EU Commission Proposal Would Allow Bans on High-Risk Vendors

🔒 The EU Commission has proposed a legal mechanism to ban network-equipment vendors it considers high-risk, a move widely seen as targeting Chinese firms such as Huawei and ZTE though the draft does not name specific companies. The plan would let Brussels require member states to replace prohibited technology in critical infrastructure within three years. It would also strengthen ENISA with additional staff and funding to coordinate EU-wide cybersecurity and ransomware defenses.
read more →

13 Questions to Vet IT Vendors and Reduce Third-Party Risk

🔐 As enterprises outsource more IT and adopt third-party SaaS, recent high-profile breaches show attackers are exploiting vendor trust pathways like help desks, OAuth tokens, and permissive integrations. CSOs should treat vendor selection as continuous risk management and demand strong attestations (e.g., SOC 2 Type II, ISO/IEC 27001), inventories of OAuth/API relationships, and evidence of actual workflow execution. The article lists 13 targeted questions covering controls, notification commitments, testing cadence, isolation measures, and insurance to reduce supply-chain risk.
read more →

Third-Party Risk Management to Prevent Compliance Failures

🔒 Third Party Risk Management (TPRM) is a strategic program that helps organizations identify, assess, and control risks arising from external vendors and service providers. Core elements include risk identification and assessment, contract management, continuous monitoring and audits, and employee training. Compliance drivers such as SOC 2 and GDPR make robust TPRM essential to prevent legal and reputational damage. Integrating TPRM into enterprise risk frameworks and using automation improves consistency and oversight.
read more →

SpyCloud Launches Supply Chain Identity Threat Solution

🔒 SpyCloud announced Supply Chain Threat Protection, a new offering that extends identity threat monitoring across an organization’s entire vendor ecosystem using recaptured darknet data from breaches, malware, and successful phishes. The solution emphasizes verified, timely evidence of compromise over static scoring and external surface indicators. It provides an Identity Threat Index, visibility into compromised applications on supplier devices, and integrated response tools to help security, vendor risk, and GRC teams act on real threats.
read more →

64% of Third-Party Apps Access Sensitive Data in 2026

🔒 New 2026 analysis of 4,700 leading websites finds 64% of third-party applications access sensitive data without demonstrable business justification, rising from 51% in 2024. The report identifies recurring causes such as over-permissioned scripts, shadow deployments via tag managers, and persistent trackers. Specific tools flagged include Google Tag Manager, Shopify apps, and the Facebook Pixel, while government and education sites show marked increases in compromise. The study cautions that governance gaps and limited mitigation adoption leave organizations exposed.
read more →

Transparency and Accountability in Cybersecurity Vendors

🔍 Modern CISOs face growing compliance and supply-chain pressures and must verify security products rather than assume vendor claims. The AV-Comparatives TRACS study assessed 14 EPP/EDR vendors on 60+ transparency criteria — source-code review, SBOMs, audit reports, update controls, and telemetry options — and found few vendors offer comprehensive verification. Kaspersky highlights its global transparency centers, minimal telemetry, and local-processing choices as practical risk-management measures that improve predictability.
read more →

Parliament Seeks Industry Input on Cyber Security Bill

🏛️ The Parliamentary Public Bill Committee is inviting industry submissions to inform scrutiny of the Cyber Security and Resilience Bill (CSRB), the planned successor to the NIS Regulations 2018. Now at committee stage after its second reading, the bill proposes expanded scope, tighter incident-reporting, mandatory supply‑chain risk management and alignment with the NCSC Cyber Assessment Framework. The committee will hear oral evidence from 3 February and has urged prompt written responses as it may conclude early.
read more →

Applying the Musk Oxen Strategy to Third‑Party Risk

🛡️ Third-party risk is a growing enterprise threat underscored by recent supply-chain attacks, including the June 2024 compromise of TeamViewer by APT29. The article argues organizations often depend on hundreds or thousands of vendors with limited transparency, immature security practices, and hidden subcontractors, which makes traditional vendor assessments a weak defense. It proposes the musk oxen strategy: collective intelligence-sharing, coordinated remediation support, and joint negotiation to strengthen common weak links and reduce systemic risk.
read more →

Outsourced Cyber Defenses: Systemic Risks and Governance

🔐 Outsourcing critical IT and cybersecurity has shifted from a cost-saving tactic to a systemic fragility driver. The article explains how single-vendor failures — highlighted by SolarWinds and MOVEit — can cascade across industries, amplified by cloud adoption, talent shortages and subcontractor opacity. It warns that AI-driven agents, regulatory fragmentation, and geopolitical exposures turn vendor compromises into national and economic security risks. Boards, CISOs and regulators must adopt trust-by-design, stress tests and AI resilience measures.
read more →

Liability Protection for CISOs Varies with Company Size

🔒 A recent RSAC survey found a large disparity in indemnification for security leaders: 88% of Fortune 1000 CISOs report legal indemnity, versus just 53% at organizations with 500+ employees. D&O insurance is the most common vehicle, and inclusion of CISOs in such policies is rising, with >50% reporting coverage in the 2025 IANS Research report. Experts warn that indemnification agreements, distinct from D&O, are the critical legal guarantee and that midmarket CISOs face meaningful personal, financial, and career risk without them.
read more →