By Chris Gunner, vCISO, Thrive
As cyberattacks and data breaches continue to proliferate, businesses themselves are under increasing pressure to ensure their own cyber resilience and continuity planning in case of downtime. But what about the third-party vendors they work with?
Risk taken on when partnering with third-party vendors must be considered in the context of strong security posture, as the vendor can quickly become the weakest link in the system.
But it is a threat that many organisations overlook. The Cyber Security Breaches Survey 2025 in the UK shows that only just over one in ten businesses (14%) have reviewed the risks posed by their immediate suppliers, and only 7% have explored the risk to their wider supply chain.
For financial organisations in particular, the threat can be even greater. With a key focus on offering bespoke financial services, firms may lack sufficient internal resources to manage their cybersecurity and therefore complete effective due diligence on a third-party vendor.
The consequences posed by breaches to suppliers
Third-party breaches can pose significant danger to buying businesses. A high-profile example was the exploitation of a vulnerability in Progress Software’s MOVEit file transfer app, used by numerous organisations around the world. Customer and employee data was then stolen from businesses whose supply chains relied on the app.
In the weeks after the breach, more high-profile businesses reported that sensitive data, including bank details, may have been stolen. Ernst & Young, alongside numerous financial organisations, was also affected by the attack. This high-profile incident paints a clear picture of the risk posed to financial institutions, and of the need to take action before bringing on any new suppliers.
Step 1: Calling on the advisors
Before new vendors are approached, financial institutions must look externally to fill their knowledge gaps. CISOs are vital within businesses, with these professionals responsible for developing the overall cybersecurity strategy of their organisations. But in specialist sectors such as finance, it might be an unaffordable role to hire for.
A Virtual Chief Information Security Officer (vCISO) is an executive-level cybersecurity practitioner who draws on extensive experience to help financial firms build their own customised information security programme. By providing guidance on areas such as incident response planning, security policies and procedures, a vCISO gives financial firms the resources to complete due diligence on third-party vendors.
Step 2: vDDQ of third-party vendors
Backed by a vCISO, financial firms can complete a Vendor Due Diligence (vDDQ) process. This involves the assessment and management of potential risks associated with external parties, such as suppliers, vendors or service providers. To evaluate the cybersecurity strength of a particular vendor, it might involve questions around current data protection measures, compliance with laws and regulations, current incident response plans and even the training and awareness being delivered to staff.
Ultimately, a vDDQ is vital to safeguarding an organisation’s data against third-party risks. It’s also an essential element of overall risk management and is often needed for compliance reasons.
Step 3: Fortify financial defences
The vDDQ process provides peace of mind when it comes to vendor selection, but organisations must still take steps to protect their own operations in the event that a vendor is attacked and data is exposed. That is why business continuity planning should include a backup of sensitive data.
Many businesses already have cloud backups with the main providers, including Amazon, Google and Microsoft. But a separate backup of cloud data with a specialist third party can provide extra peace of mind should something happen to a vendor. Cloud backups today mean that data restoration does not have to be a lengthy process, so they need to be in place should the worst happen.
Third-party risk is business risk
Third-party risk is a major risk to organisations. As the MOVEit incident revealed, a supplier’s weakness can quickly translate into a breach at a financial firm that uses one or more of its services. Taking vendor risk seriously means deploying experienced leadership, standardising vendor due diligence and putting internal recovery capabilities in place.
The important step is the vDDQ process. If financial firms can complete their due diligence of suppliers and vendors across areas including incident response planning, key roles and security policies, they are best placed to tackle cyber threats.