Venminder Blog

March 2025 Vendor Management News

Written by Venminder Thought Leader | Mar 27, 2025 12:30:00 PM

Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of March 27

A third party paid $17.5 million in a settlement over its 2023 breach, a report revealed 35.5% of last year’s breaches were linked to third parties, and EU regulations require improved third-party risk management. Check out this week’s news below. 

Defending against third-party risks in the pharmaceutical industry: Hackers are targeting pharmaceutical companies through their third-party vendors. A compromise at one vendor cascades outward, disrupting drug manufacturing, clinical trials, and supply chain logistics. To protect sensitive data and operations, pharmaceutical companies should establish third-party risk management programs, write concrete cybersecurity requirements into vendor contracts, and apply layered controls (strong authentication, least-privilege access, and monitoring) to every third-party connection. 

Report: 35.5% of 2024 breaches linked to third-party vendors: Vendor vulnerabilities were linked to 35.5% of all breaches in 2024, according to a new study, and 41.4% of those third-party breaches were ransomware, as gangs increasingly exploit third-party access as a way in. Retail and hospitality had the highest third-party data breach rates in 2024. Singapore, the Netherlands, and Japan topped the list of countries with the most third-party breaches last year.

Third party pays $17.5 million settlement after 2023 breach: A third party agreed to pay $17.5 million to settle six class action lawsuits after its 2023 data breach. The breach impacted several large financial institutions and roughly 6.5 million people had data stolen. Stolen data included names, Social Security numbers, and bank account and routing numbers. 

Tips for pre-negotiation and contracting with third-party AI in healthcare: Artificial intelligence (AI) tools are spreading through healthcare, and third-party contracts need to address them explicitly to protect the organization from the risks they introduce. Before negotiations, thoroughly assess the third-party AI solution’s fit, its risks, and how it will integrate with existing systems. Engage IT, privacy, and compliance teams early to address data privacy, ethical frameworks, and governance. When negotiating the contract, spell out privacy and security obligations, data rights (including whether your data may be used to train the vendor’s models), and service level agreements. 

Complying with subcontracting requirements in the European Union: The spotlight is on information and communication technology (ICT) vendors with regulations and directives like the Digital Operational Resilience Act (DORA) and NIS2. Industries like financial services and healthcare must navigate strict requirements for subcontracting. Activities like due diligence, contractual requirements, ongoing monitoring, and business continuity management are key practices to implement. To manage compliance, assign clear responsibilities for oversight of third parties and develop internal policies and processes. 

U.S. privacy regulations and third-party requirements: Evolving privacy regulations across U.S. states have made data privacy a high priority issue for chief information security officers (CISOs). Organizations must perform detailed risk assessments to identify and address vulnerabilities, including those involving third-party providers. Be prepared to present these assessments to regulators. Verify third parties have privacy protections and policies in place through the due diligence process. 

Preparing vendors for upcoming AI regulations: The first provisions of the European Union’s AI Act, including its bans on prohibited AI practices, began to apply in February 2025, and the bulk of the act’s obligations apply from August 2026, so organizations must be prepared. One key component is vendor management. Many organizations rely on vendor AI tools, and vendors frequently add new AI features to existing products without much notice. Communicate with vendors about the upcoming requirements and push for transparency on where and how AI is used in their products. 

Recently Added Articles as of March 20

A third-party breach at a regional bank compromised 22,000, two GitHub supply chain attacks threaten data leaks at organizations, and UK regulators are focusing on third-party operational resilience. Read this week’s news below.  

About 22,000 customers impacted in third-party software breach: Almost 22,000 customers of a regional bank were compromised in an attack on one of the bank’s third parties. The third party’s secure file transfer software was attacked, and the hackers gained access to financial data, Social Security numbers, and other sensitive information. The Clop ransomware gang claimed the breach in January and said it had breached 58 companies in the same campaign. Clop was also responsible for the 2023 mass exploitation of MOVEit Transfer, another file transfer product.  

Two GitHub supply chain attacks may compromise sensitive data: Just days after a supply chain attack targeted a widely used GitHub Action, another attack on a related third-party action was discovered. In the first attack the action’s release tags were repointed at malicious code, so every workflow that referenced the action by tag pulled the malicious version in automatically and had its CI secrets exposed. Hackers thereby compromised the development environments of users who had incorporated the tool into their workflows, which highlights the growing risk of third-party dependencies. Stay vigilant by inventorying the third-party components integrated into your pipelines, pinning them to immutable versions rather than mutable tags or branches, and promptly applying the fixes and patches the third party recommends.  
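The practical check behind that last recommendation is to find every third-party action a workflow pulls in and confirm it is pinned to a full commit SHA, which cannot be repointed the way a tag or branch can. The script below is an added example, not code from the page or from the affected projects: it scans GitHub Actions workflow text for `uses:` references, flags anything referenced by a mutable ref (a tag, a branch, or a container image tag without a digest), and returns the findings. The workflow text, the `some-org/some-linter` action, and the 40-hex commit SHA in it are constructed for the example and do not correspond to real releases.

```python
"""Find GitHub Actions references that are not pinned to an immutable commit SHA.

Added example (not from the page). Mutable refs (tags, branches) can be repointed
by whoever controls the action's repository; a full 40-hex commit SHA cannot.
"""
import re
from dataclasses import dataclass

# Matches `uses:` on its own line or after a list dash; [ \t]* (not \s*) keeps the
# match on a single line so the reported line number is correct.
USES_RE = re.compile(r'^[ \t]*-?[ \t]*uses:[ \t]*["\']?([^"\'#\s]+)', re.MULTILINE)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    severity: str  # "high" = mutable reference, "ok" = immutable or local
    reason: str


def classify_ref(action: str, ref: str) -> tuple[str, str]:
    """Decide whether an action/ref pair is safely pinned."""
    if action.startswith("./"):
        return "ok", "local action in this repository; nothing remote to pin"
    if action.startswith("docker://"):
        if ref.startswith("sha256:"):
            return "ok", "container image pinned by digest"
        return "high", "container image pulled by tag; pin it by digest (image@sha256:...)"
    if SHA_RE.match(ref):
        return "ok", "pinned to a full commit SHA"
    if ref == "":
        return "high", "no ref given; resolves to the default branch"
    return "high", f"mutable ref '{ref}'; tags and branches can be repointed"


def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line in the workflow text."""
    findings = []
    for m in USES_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        target = m.group(1)
        # owner/repo[/path]@ref, ./local/path, or docker://image[:tag|@sha256:digest]
        action, _, ref = target.partition("@")
        findings.append(Finding(line_no, action, ref, *classify_ref(action, ref)))
    return findings


def unpinned(findings: list[Finding]) -> list[Finding]:
    """Only the findings a reviewer must act on."""
    return [f for f in findings if f.severity == "high"]


# Constructed sample workflow: the SHA on the setup-node line is made up for the example.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: Lint
        uses: some-org/some-linter@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: "docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000"
"""


if __name__ == "__main__":
    for f in unpinned(scan_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line}: {f.action}@{f.ref or '<default branch>'} -> {f.reason}")
```

Run against the sample it reports `actions/checkout@v4`, `some-org/some-linter@main`, and `docker://alpine:3.19` as mutable and accepts the SHA-pinned, digest-pinned, and local references. Pinning to a SHA is only half the control: keep the human-readable version in a trailing comment and let a dependency-update bot move the SHA, so reviewers can still see what changed.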

UK introduces Critical Third Parties regime to address financial industry resilience: Because financial institutions increasingly rely on a small set of third-party suppliers, two United Kingdom regulators introduced the Critical Third Parties (CTP) regime. It focuses on third-party operational resilience, to avoid disruptions at one provider that could destabilize the financial industry. CTPs must meet resilience standards, report incidents, and implement security protocols. It’s not yet clear which firms will be designated as CTPs. Financial institutions should also conduct scenario testing with their third parties and build security requirements into their third-party contracts and controls to ensure supply chain resilience.  

Third-party breaches a top concern for New Zealand businesses: Third-party cyberattacks and data leaks are a top concern for New Zealand businesses, according to a new study. Even when services are outsourced to a third party, New Zealand businesses are still responsible for compliance with the Privacy Act. Third parties should also be considered in business continuity and cyber-response plans.  

Addressing third-party AI risks: At a recent summit, experts emphasized the need to carefully manage third-party AI’s access to data and follow good security practices. Collaborate with departments like security, privacy, and IT to navigate the complexities of third-party AI tools and meet privacy regulations. These steps help address third-party AI privacy risks.

Recently Added Articles as of March 13

Two third-party data breaches impacted customer and organizational data, UK regulators asked for feedback on third-party regulations, and the Institute of Internal Auditors is looking to address third-party risks. Check out this week’s news below. 

Client data compromised in third-party breach: Japanese telecommunications provider NTT notified about 18,000 corporate clients of a data breach. Hackers breached a system that held customer information, including contact numbers, email addresses, and service usage information. NTT will not send personalized alerts to individual clients, so affected organizations should watch for spam, phishing, and other unwanted communication that uses the stolen contact details. 

Third-party data breach perpetrated by ransomware gang, impacts over 100,000: A ransomware gang took credit for a third-party breach that impacted at least 110,000 K-12 school employees. Carruth Compliance Consulting, which administers retirement savings plans for public schools, said the breach exposed information such as Social Security numbers, financial account details, and W-2s. A breach at a single third-party provider can affect many educational institutions at once. 

UK regulators ask for feedback on third-party regulations: Two United Kingdom regulators, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), are consulting on new requirements for material third-party arrangements. Organizations have until March 14 to submit feedback. The proposals require more timely, consistent, and accurate reporting both of disruptive incidents and of third-party relationships, including a register of information on material third-party arrangements. Although the two regulators aligned their proposals, there are slight differences; for example, the PRA requires third-party reporting only on a risk-based approach. 

Institute of Internal Auditors releases draft on Third-Party Topical Requirement: The Institute of Internal Auditors (IIA) released a draft of the Third-Party Topical Requirement that addresses rising third-party risks. The draft is part of IIA’s broader framework to help internal auditors assess governance, risk management, and control processes in third-party relationships. The draft requirement provides a consistent approach to managing growing third-party risks like geopolitical shifts, supply chain disruptions, and operational challenges. The public comment period on the draft runs until April 20. 

Mishandling of data at third party causes small breach at financial institution: A large financial institution said a third-party document destruction service mishandled confidential documents, breaching the information of a small group of customers. It’s not clear how many accounts were impacted. According to the financial institution, the vendor didn’t secure the materials properly in transit, and some documents were found outside the secure containers. 

Managing and monitoring third-party software tools: Third-party collaboration and messaging tools are now a necessity for most organizations. If these tools aren’t secured, data leaks can occur through misconfigured sharing settings, unrestricted third-party integrations, a lack of monitoring, and human error. To prevent this, enforce strict, role-based access controls; regularly review user permissions, channels, and connected integrations; and monitor activity through audit logs with real-time alerts on suspicious behavior. 

Recently Added Articles as of March 6

The costs of poor third-party risk management practices are high. Third-party risk contributed to 23% of insurance claims with incurred losses, third-party remote access was responsible for almost half of 2024’s data breaches, and noncompliance with the Digital Operational Resilience Act (DORA) may lead to steep penalties and even suspended business operations. Catch up on all the headlines below.  

A third of 2024 cyber claims tied to third-party incidents: Vendor-related ransomware and outages contributed to 31% of all cyber insurance claims in 2024, according to a new study. For the first time, third-party risk contributed to 23% of claims with incurred losses. Eighteen percent of third-party incidents were ransomware attacks. Significant financial losses are tied to these third-party incidents, impacting industries like finance, healthcare, transportation, and manufacturing. Cybercriminals increasingly target vulnerabilities along the supply chain, making third-party risk management more important than ever.  

Third-party remote access responsible for 48% of 2024 data breaches: Nearly half of 2024 data breaches involved third-party remote access, according to a new survey. Almost 66% of the respondents said third-party data breaches will increase or remain the same over the next one to two years. A significant number of organizations (34%) said they grant excessive privileged access to third parties. However, 41% struggle to mitigate third-party access risk. The consequences of the third-party access breaches included compromised sensitive data, regulatory fines, and damaged third-party relationships. Keep an inventory of what data third parties have access to and continuously monitor who has access.  

The cost of noncompliance with DORA: The Digital Operational Resilience Act (DORA) in the European Union (EU) reshapes how organizations approach cybersecurity and operational resilience, focusing on areas like third-party risk management and critical providers. Noncompliance can result in significant financial penalties – while supply chain vulnerabilities continue to rise as a top risk. A report showed that 43% of organizations were expected to miss the DORA compliance deadline, which may be costly as DORA has taken effect. Individual fines can reach up to €1 million. Regulatory authorities may even limit or suspend the business activities of noncompliant financial institutions. Prioritize compliance and review current third-party risk activities to ensure there are no gaps that can be exploited. 

Third-party administrator data breach exposes information of more than 48,000: A third-party administrator of retirement savings for school districts experienced a data breach, exposing the data of more than 48,000. At least 12 community colleges and public schools were impacted. Information impacted includes names, Social Security numbers, and financial account information.  

Identifying red flags in your vendor’s business continuity plan: Your vendor’s operational resilience is just as important as your own. Weak or ineffective continuity plans can lead to operational disruptions, financial losses, and reputational damage. Look for key red flags when reviewing the vendor’s business continuity plan. This includes insufficient disaster recovery planning, outdated or untested plans, lack of staff training, and poor compliance management. Regularly review and assess the vendor’s plans to identify issues early and ensure the vendor can recover quickly.  

Securing third-party software provider risks: Third-party suppliers pose first-party risks for organizations, particularly software providers, which can often be overlooked. Third-party software vendors should follow strict security standards to prevent potential data breaches and cyberattacks. Review the vendor’s security practices and continuously monitor for new vulnerabilities and weaknesses.