
February 2025 Vendor Management News


Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of February 27

A third-party data breach impacted more than 3 million people, a healthcare third-party breach compromised patient data, and experts recommended prioritizing third-party risk management for better resilience and compliance. We’ve summarized the top third-party risk management headlines for the week. Read it below:

More than 3 million impacted in data breach on background check and drug test third-party firm: DISA Global Solutions, a U.S. background screening and drug test firm, experienced a data breach impacting 3.3 million people. DISA is a third party that services more than 55,000 customers and companies. Compromised data includes names, Social Security numbers, driver’s license numbers, and government ID numbers.  

Prioritize third-party risk management and digital resilience as technology dependencies and geopolitical attacks increase: As organizations continue to digitize, they also become more interconnected, creating dependencies and vulnerabilities for cybercriminals to exploit. This growing technological dependency can cause more systemic incidents like the CrowdStrike outage last year. Geopolitical tensions have also brought an increase in state-backed cyberattacks, and as more personal data is stored online, the incentive for those attacks grows. Operational stability is key in 2025. Digital resilience programs, mature third-party risk management, and crisis preparation are important focus areas.

Third-party data breach at nursing and rehabilitation center compromises patient data: A third-party data breach impacted patients at the Phoenix Rehabilitation and Nursing Center. Compromised sensitive customer data includes names, medical information, and Social Security numbers.  

Third-party call center representative improperly accesses sensitive data: A third-party call center representative improperly accessed data at Inspira Financial Trust related to at least 2,300 retirement plan participants. Personal information accessed included Social Security numbers, dates of birth, Inspira account numbers, and mailing addresses.  

Bank to improve third-party risk monitoring in OCC compliance agreement: The Office of the Comptroller of the Currency (OCC) required a Connecticut bank to improve several of its banking practices, including enhancing third-party risk monitoring in BSA/AML compliance. As part of a formal agreement, the bank must submit a report detailing progress on the corrective actions.

Monitoring third-party and supplier human rights abuses in the global supply chain: Monitoring the supply chain for human rights abuses and violations is a critical activity for global organizations. Several regulations require thorough third-party due diligence and ongoing monitoring, including the European Union’s Corporate Sustainability Due Diligence Directive (CSDDD) and Corporate Sustainability Reporting Directive (CSRD). Germany, the United Kingdom, Canada, France, and California also have specific third-party and supplier requirements. Risk-rate or tier suppliers and third parties to identify which are high risk, considering the supplier’s region and country risk and the supplier’s industry. In-person audits, supplier questionnaires, and due diligence assessments identify where supplier risks may exist.

More governance and spending needed to monitor third-party and AI risks in healthcare: The healthcare industry needs greater investment and governance in third-party risk management, threat management, and artificial intelligence (AI), a new study revealed. Without governance, AI and third-party risks remain unchecked. Although healthcare organizations increased their cybersecurity budgets, researchers said it’s still not enough to bridge the gaps.

Compliance with the Digital Operational Resilience Act in the European Union: In January, about 22,000 European Union-regulated financial institutions were required to comply with the Digital Operational Resilience Act (DORA). It sets a framework for maintaining operational resilience, particularly with third-party relationships. To comply, institutions should map critical information and communication technology (ICT) dependencies, establish incident response procedures, and strengthen third-party risk management activities. U.S.-based vendors working with EU financial institutions also need to comply with DORA’s standards.  

Recently Added Articles as of February 20

This week’s headlines emphasized rising third-party cybersecurity risks and revealed best practices to manage them. Catch up on the week’s news below.  

New survey from Ncontracts and Venminder reveals third-party risk management trends: A new survey from Ncontracts and Venminder reveals a growing challenge: organizations are managing more vendors than ever, but staffing hasn’t kept pace. As third-party risk management (TPRM) programs evolve, more firms are adopting hybrid models, reflecting a maturing approach to managing vendor risks. The survey also highlights increasing concerns around third-party cybersecurity and AI risks, underscoring the need for more sophisticated TPRM strategies.

Managing growing third-party cybersecurity threats: Supply chain data breaches can have serious consequences, making supply chain cybersecurity a high priority. Yet many organizations only assess third parties once or twice a year, leaving vulnerabilities unchecked. Continuous, risk-based monitoring helps stay on top of this risk. Track issues to full remediation to protect your organization.  

Almost half of healthcare organizations experienced a third-party data breach: Third-party risks continue to rise in healthcare, yet a lack of adequate budget and governance prevents healthcare organizations from managing these risks effectively, a new survey reveals. 44% of healthcare organizations experienced a third-party data breach or cyberattack in the last 12 months, often leading to regulatory fines or the end of the third-party relationship. Third parties often need access to networks, exposing organizations to risk, especially when roles and responsibilities in third-party risk management are not clearly defined.

Tips to guard against third-party cyberattacks: As third-party cyberattacks become more common, organizations need to understand how to protect themselves. Include clauses like indemnification and data breach notifications in the third-party contracts. Review cyber insurance to ensure third-party cyberattacks are covered. Include plans for third-party outages in incident response plans.

IT practitioner survey says third-party data breaches will get worse: Most IT security practitioners believe third-party data breaches will increase or remain at high levels over the next couple years, according to a new survey. Almost half of the respondents said third-party remote access is becoming a common attack surface. It’s still a challenge for many organizations to implement the proper tools and resources for a third-party risk management program.  

Recently Added Articles as of February 13

In this week’s third-party risk management news, several studies showcased the importance of managing third-party risks, a third-party data breach impacted customer information, and FINRA highlighted regulatory requirements for TPRM. Check it out below.  

Most third-party data breaches target healthcare industry: The healthcare industry continues to be the most targeted for third-party data breaches, according to a new study. This is mostly due to the high value of patient data, reliance on third parties, and healthcare security challenges. The report also highlighted concerns over third-party breaches that involved unauthorized network access and ransomware as a top threat.  

FINRA highlights third-party risks in regulatory report: The Financial Industry Regulatory Authority (FINRA) addressed third-party risks in its recent Annual Regulatory Report. There are growing risks with third-party relationships, particularly with cybersecurity and service outages. FINRA reminded financial institutions of regulatory obligations – including oversight for vendor management, cybersecurity, and data protection. This encompasses comprehensive third-party risk management policies, due diligence practices, and data security controls in contracts. Financial institutions also need to assess how third parties use subcontractors and address it in the third-party contract.  

Third-party breaches impacting insurance industry: Most breaches in the insurance industry are due to third parties, according to a new study. Even the strongest internal security measures won’t always prevent third-party breaches, because threat actors target the weakest links in the supply chain. To address these third-party security risks, it’s important to prioritize third-party risk management. Third parties should also have strong TPRM programs of their own to address risks further down the supply chain.

ArdyssLife victim of third-party data breach: A health and wellness company, ArdyssLife, recently disclosed a third-party data breach. Portions of the company’s IT network were operated by a third-party provider. A malware attack breached the network and compromised information. The malware was removed, and systems were secured, but the hacker was able to access some customer information.  

Large UK financial services companies experienced third-party data breaches: Most large UK financial services companies had at least one third-party cyberattack in 2024, new research showed. Some institutions said they only assess third-party risk during onboarding. UK regulators have recently emphasized operational resilience at financial institutions, specifically with third-party risks.  

A resilient approach to the supply chain: Organizations are facing environments with more vulnerabilities due to increased reliance on third parties. The European Union focused on these threats with the Digital Operational Resilience Act (DORA) and NIS2. These regulations and directives require some organizations to identify critical third-party providers and strengthen security. A risk-based approach ensures the most critical assets receive the most attention.  

Recently Added Articles as of February 6

In this week’s headlines, a third-party data breach impacted GrubHub customers, the World Economic Forum brought attention to software supply chain risks, and best third-party risk management practices help keep your organization prepared. Check this week’s news out below:

Third-party data breach impacts GrubHub customers and drivers: GrubHub experienced a third-party data breach that exposed sensitive information of customers and drivers, including some payment information and hashed passwords. The third party, which GrubHub did not identify, provided services to its support team and was removed from GrubHub’s systems after the breach. The specific data accessed by the attackers varied by individual. GrubHub urged affected users to change their login credentials as soon as possible.

World Economic Forum emphasizes software supply chain risks: The World Economic Forum called attention to software supply chain risk. As more organizations rely on third-party software, it’s important to ensure the security and integrity of the software. The World Economic Forum said vulnerabilities within software supply chains must be addressed. Complex supply chains create a more unpredictable risk landscape, as weak security practices can expose the entire supply chain. Proactive strategies like secure coding practices and SBOMs strengthen organizations. 
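The SBOM point above is where a practitioner can actually do something before a vendor's software reaches production: read the bill of materials the vendor ships and refuse anything that cannot be pinned and verified. The following is an added example, not code from the World Economic Forum or from Venminder. It audits a constructed CycloneDX-style JSON SBOM (component names and hash values are made up) for three integrity gaps: versions that are not pinned to a concrete release, components with no hash or only a weak (MD5/SHA-1) hash, and packages on an organization-defined denylist. It also checks a downloaded artifact against the SHA-256 the SBOM records for it, failing closed when no SHA-256 is present. The CycloneDX field names used (`components`, `purl`, `version`, `hashes[].alg`, `hashes[].content`) are real; the denylist and the "pinned version" pattern are this example's own policy choices.

```python
import hashlib
import json
import re

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM, as a vendor might ship it.
# The component names and hash values are made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "leftpad-utils", "version": "*",
         "purl": "pkg:npm/leftpad-utils"},
        {"type": "library", "name": "logger-core", "version": "1.0.0",
         "purl": "pkg:maven/com.example/logger-core@1.0.0",
         "hashes": [{"alg": "MD5", "content": "b" * 32}]},
    ],
})

# Hash algorithms strong enough to pin an artifact; MD5 and SHA-1 are collision-prone.
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-384", "SHA3-512"}
# Policy choice for this example: a concrete release such as 2.31.0 or 1.0.0-rc1.
# Floating specifiers like "*" or "latest" do not match.
PINNED_VERSION = re.compile(r"^\d+(\.\d+)*([.+-][0-9A-Za-z.]+)?$")


def component_key(comp: dict) -> str:
    """Package identity without version: 'pkg:npm/leftpad-utils@1.2.3' -> 'pkg:npm/leftpad-utils'."""
    purl = comp.get("purl")
    if purl:
        return purl.split("?")[0].split("@")[0]  # drop qualifiers, then the version
    return comp.get("name", "<unnamed>")


def audit_sbom(sbom_json: str, denylist: frozenset = frozenset()) -> list:
    """Return one finding per integrity gap: unpinned version, missing/weak hash, denylisted package.

    denylist holds versionless package keys (see component_key) the organization refuses to run.
    """
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        ref = comp.get("purl") or comp.get("name", "<unnamed>")
        version = comp.get("version") or ""
        if not PINNED_VERSION.match(version):
            findings.append({"component": ref, "issue": "unpinned-version",
                             "detail": version or "<missing>"})
        algs = {h.get("alg") for h in comp.get("hashes", [])}
        if not algs:
            findings.append({"component": ref, "issue": "no-hash", "detail": ""})
        elif not algs & STRONG_HASHES:
            findings.append({"component": ref, "issue": "weak-hash",
                             "detail": ",".join(sorted(a or "?" for a in algs))})
        if component_key(comp) in denylist:
            findings.append({"component": ref, "issue": "denylisted", "detail": ""})
    return findings


def verify_artifact(comp: dict, artifact: bytes) -> bool:
    """True only if the downloaded bytes match the SHA-256 the SBOM records for this component."""
    for h in comp.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return hashlib.sha256(artifact).hexdigest() == h.get("content", "").lower()
    return False  # no SHA-256 recorded: nothing trustworthy to compare against, so fail closed


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM, denylist=frozenset({"pkg:npm/leftpad-utils"})):
        print(f"{f['issue']:16} {f['component']} {f['detail']}")
```

Run against the sample, the pinned and SHA-256-hashed `requests` component produces no findings, the npm component is flagged three times (floating version, no hash, denylisted), and the Maven component is flagged once for its MD5-only hash. In practice the denylist would be fed from the vulnerability intelligence your TPRM program already consumes, and the audit would gate the vendor release in CI rather than run by hand.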

How pharmaceutical companies can manage third-party risks: Third-party risk management is critical for pharmaceutical companies to ensure compliance, maintain quality, and protect reputations. For the first step, pharmaceutical companies should understand the third-party inventory. Then, assess third-party inherent risks. Identify your company’s risk domains, like information security, privacy, compliance, and financial. Pharmaceutical companies will also need to manage third parties’ manufacturing and clinical practices. Although identifying and managing these risks is challenging, best practices like enhanced governance, detailed procedures, and the right technology help. 

Assess your third parties’ cybersecurity posture: A new study showed 52% of small and mid-sized supply chain organizations had a third-party cybersecurity incident. Threat actors target the weakest link in the supply chain to disrupt operations, steal data, and damage reputations. Strengthening third-party risk management programs protects organizations. Your organization should know how third parties protect your data. Analyze third-party risks, assess security posture, and remediate any identified weaknesses. Remember to consistently monitor the third party’s risk posture. 

Protecting from third-party cybersecurity risk: A strong cybersecurity posture protects your organization and signals a sound investment to investors. Cybersecurity incidents often originate with third-party vendors: if your third parties have ineffective controls, your organization can be impacted. Having controls in place to mitigate third-party cybersecurity risk protects your organization. Cyber insurance policies reduce the costs of a cybersecurity incident, and internal subject matter experts are a great resource for implementing the right controls.

Improving vendor risk management practices: There are many strategies organizations can adopt to strengthen vendor risk management practices and protect against cybersecurity risk. First, a thorough due diligence process evaluates the vendor’s security practices. Request information on network security, data protection protocols, and security attestations like SOC 2. Implement ongoing monitoring practices like quarterly reviews of business continuity plans and regular reviews of the vendor’s security posture. Maintain clear communication with the vendor throughout the relationship. Technology and tools help your organization better manage vendor risks with real-time insights, allowing you to act quickly.
