A recent 2024 third-party incident caused by a faulty update affected approximately 8.5 million Windows devices, disrupting operations across industries including airlines, banks, retailers, and emergency services. Airlines alone experienced over 5,500 cancellations and extended operational disruptions. Initial cost estimates suggest billions in damages from system crashes, lost productivity, and reputational harm. The average loss per affected company is anticipated to reach tens of millions, spanning customer compensation (discounts and credits) and brand damage that may affect future business.
In both cases, these were solid technologies that I love and have used in my professional and private life. However, they highlight the importance of understanding Trusts between businesses and vendors they depend on.
So, with third-party security and IT vendors being a given in the modern digital age, how do companies recoup their losses when something happens?
The organization granting trust (the "Grantor") must ensure end-to-end visibility of its data, understand where the data is shared, and assess the potential impact of a breach or event involving that data. Meanwhile, the entity entrusted with the data (the "Trustee") is responsible for performing due diligence and understanding the downstream consequences of any incidents.
This article outlines strategies for companies to assess their risks and implement best practices to mitigate potential losses. The question is no longer if an event will occur, but when.
Understanding end-to-end visibility
When a company or organization takes on the risk of using a third party, it needs to understand not only its own risks and threats but also the exposure of its partners, as these can create weak links in the security chain.
Here are some steps that can help:
- Increase threat intelligence gathering: The hosting organization (the Grantor) should bring its security teams into the trusted processes and expand threat intelligence gathering so that threats are spotted before they materialize. If necessary, terminating the trust is itself a mitigation strategy.
- Asset inventory: Hosting organizations need an inventory of their hosted assets and of the trusts created around them, so that mitigation strategies can be built in and an event's overall impact reduced.
- Break down silos: Break down internal silos and establish processes that include not only the security organization but also the infrastructure organization, tracing data through to the outcomes it drives.
- Defining the trusts: Understand the types of trusts being created and build a data strategy around them. Data tagging, data classification, and an overall data strategy are key to mitigating these events.
- Assess the risk: Before creating a third-party trust or partnership, ask the vendor for the results of a risk assessment, as well as vulnerability reports and details about its cybersecurity baseline requirements. The organization should verify whether and how the provider adheres to a governance, risk, and compliance (GRC) framework for its industry, such as those from MITRE and NIST, to address threats and risks.
Third-party trusts are here to stay, but foundational steps can significantly reduce the impact of third-party violations. Organizations should manage risk as they would personally. For example, we don’t hand a 16-year-old the car keys without preparation. We teach them to drive, require a permit, and only allow them to drive after increasing insurance coverage to mitigate risk. Similarly, businesses must proactively understand their data pathways and vulnerabilities. It's less about assigning blame and more about being prepared—ensuring your organization can act swiftly and effectively when an incident occurs.
Setting the bar for vendor cybersecurity
A main challenge of third-party risk management is that an organization can’t directly manage its vendor’s cybersecurity practices. Enterprises have suffered because of vendors’ oversight, such as overlooking foundational security requirements. While organizations can’t directly alter third-party and partner cybersecurity strategies, they can still enact change by having end-to-end visibility and incorporating these third-party trusts into their threat intelligence gathering.
Some best practices organizations can adopt
- Update your threat intelligence: Incorporate the third-party connection into intelligence gathering for both organizations.
- Shared resources: Adopt a "better together" strategy from day one by holding vendors accountable for the robustness of their cybersecurity practices.
In recent years, a major financial institution started requiring that every third party it did business with meet a heightened set of cybersecurity requirements. If any organization didn’t comply, the financial org would stop working with them. Enforcing such a baseline has strengthened the security posture of the bank’s ecosystem of vendors and the bank itself.
In the end, who is responsible?
There’s a lot of ambiguity about who is responsible when an incident strikes. Is the client accountable, or is the vendor? In general, the client can’t hold the vendor accountable for harm the client suffers when the vendor is hacked, unless the vendor has violated the terms of the SLA. Organizations that employ a third party's services accept the risks involved when they grant access to their networks. That’s why organizations should verify the vendor’s cyber posture and adherence to GRC guidelines in advance, which minimizes third-party risk.
Of course, there are exceptions. If a vendor is negligent — like when a healthcare vendor doesn’t abide by cybersecurity requirements and leaks patient data violating HIPAA — the client organization could pursue legal action.
When unaddressed, third-party risk can create devastating domino effects on the enterprise and its customers alike. But this narrative can change. If CISOs and CTOs band together to address third-party risk and set clear expectations with vendors, they will realize the full benefits of their third-party partnerships and continue to succeed unfettered.
To get more insights and expert analysis of today’s cybersecurity landscape, subscribe to the Perspectives newsletter.