
Such is the complexity of modern tech and IT systems that for one business to do everything can prove prohibitively expensive and highly time-consuming. Therefore, companies are now increasingly outsourcing key functions – such as cloud, SaaS, logistics and payroll – to third-party suppliers.

While this may unlock efficiency – a tempting motivation in today’s financially straitened business environment – it also expands the attack surface (the total sum of all potential entry points – digital, physical or human – where an attacker can try to breach a system, network, or organisation to steal data or disrupt operations).

And of course, implicit in the use of third-party suppliers is the fourth party – further down the chain and more distant from both the scrutiny and control of the business that outsourced its key functions in the first place. This can create a huge and complex problem of exposure and danger.

Many of these problems arise from blind spots in oversight. In 2022, PwC carried out a survey that revealed only 31% of organisations rely on formal enterprise-wide assessments to understand risks from third-party, fourth-party and more distant vendors. Worryingly, the rest trusted to luck, or to ad hoc processes with little or no logic or forethought behind them.

Such inadequate control systems mean that, despite sometimes spending millions on cybersecurity, many companies fall back on responses to questionnaires which are never independently verified, or superficial contract clauses that don’t hold water legally. This can leave big gaps in the security of the supply chain, inviting serious risk.


How does this affect businesses?

The incidence of breaches, and the costs associated with them, have surged in recent years. A McKinsey report says that about a third of cyber breaches in recent years arise from technology supply chains. The average cost of a breach that involves a third party is $4.45 million; such breaches are nearly 12% more expensive than a typical cyber breach.

And it’s not just the financial damage. A 2025 survey showed that 84% of organisations acknowledge third-party incidents have caused them major reputational harm, affecting their financial value.

Where a firm’s shares are publicly traded, they often lose as much as 7.5% of their value following a third-party breach disclosure. The same survey reveals that 6 out of 10 businesses who suffer a significant third-party breach fail within six months of the occurrence.

Supply chain cyberattacks are getting more frequent and their severity is also increasing. Cybersecurity experts report a huge rise in supply chain cyberattacks (431% from 2021 to 2023), and the proportion of breaches connected to the involvement of third-party suppliers grew from 29% (2023) to 35.5% (2024).

Figures from April 2025 show that the rate of breaches involving third-party elements was already at 30%, only four months into the year.

It seems, therefore, that the problem is growing year on year.

Another major issue to consider is regulatory compliance. Cyber regulation such as UK GDPR has been tightening the security obligations on vendors; failure to manage third-party risk can result in fines of up to 4% of global turnover.

Under Article 28(1) of the GDPR, data controllers are under an obligation to make sure data processors give sufficient guarantees that their data processing is GDPR-compliant and safeguards the rights of data subjects.

So your business will need to assess whether you can depend on the vendor with whom you are working to manage the data in compliance with data protection law.

As well as this, you will also need to verify that a vendor won’t compromise your own data, especially if their process or products are integrated into your systems.

Concerned about how to carry out due diligence to check whether your third party vendors are regulation-compliant? Why not speak to our CDIL team for guidance on the steps you can take?

Now that we’ve looked at the danger points and the reasons why businesses need to take third-party supplier risks seriously, what can be done to protect your business?


Governance and assessment

You will need to establish a central Third-Party Risk Management (TPRM) framework aligned with business goals and with the regulations relevant to the jurisdictions where your business is based and from where it operates.

Make sure you have a complete inventory of all third/fourth parties. Rank it by criticality and data access, and make sure that it’s kept up to date at all times.

Your due diligence on third/fourth parties needs to be comprehensive; use SOC reports and certifications (SOC 2, ISO 27001) as well as penetration test results.

Take steps to introduce continuous, real-time monitoring. You should be using security ratings, automated scans and third-party risk platforms (if in doubt about which one is best for you, speak to an IT professional adviser).
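To make the inventory, ranking and due-diligence points above concrete, here is a small vendor register in Python. It is an added example, not code from the article or from any TPRM product: it walks third parties and the fourth parties (subprocessors) beneath them, derives a risk tier from data access and business criticality, and flags overdue reviews and missing assurance evidence (SOC 2 / ISO 27001 attestations and penetration test results, as the article recommends). The tier scoring, the review intervals, the evidence rules and the supplier names are all assumptions constructed for the example; the rule that a subprocessor underpinning a business-critical service inherits that criticality is the modelling choice that captures the fourth-party exposure discussed earlier.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Weight of the data a supplier can reach; higher means more sensitive (assumed scale).
DATA_WEIGHT = {"none": 0, "internal": 1, "personal": 2, "special-category": 3}

# Assumed review cadence per tier, in days (a policy choice for this example, not from the article).
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 365}


@dataclass
class Supplier:
    name: str
    service: str
    data_access: str                                   # a key of DATA_WEIGHT
    business_critical: bool = False
    last_assessed: Optional[date] = None               # date of the last due-diligence review
    assurance: set[str] = field(default_factory=set)   # e.g. {"SOC2", "ISO27001", "pentest"}
    subprocessors: list[Supplier] = field(default_factory=list)  # fourth parties and below


def risk_tier(data_access: str, business_critical: bool) -> str:
    """Assumed scoring: data sensitivity plus 2 points if the service is business-critical."""
    score = DATA_WEIGHT[data_access] + (2 if business_critical else 0)
    if score >= 4:
        return "critical"
    if score >= 2:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def walk(suppliers, chain=(), inherited_critical=False):
    """Yield (supplier, chain_of_names, critical) for every third party and every
    fourth party below it. A subprocessor underpinning a business-critical service
    is treated as critical too, so the tier cannot be diluted further down the chain."""
    for s in suppliers:
        critical = s.business_critical or inherited_critical
        path = chain + (s.name,)
        yield s, path, critical
        yield from walk(s.subprocessors, path, critical)


def missing_evidence(tier: str, assurance: set[str]) -> list[str]:
    """Assumed minimum evidence: critical/high need an attestation (SOC2 or ISO27001)
    and a penetration test; medium needs an attestation; low needs nothing."""
    gaps = []
    if tier in ("critical", "high", "medium") and not (assurance & {"SOC2", "ISO27001"}):
        gaps.append("attestation")
    if tier in ("critical", "high") and "pentest" not in assurance:
        gaps.append("pentest")
    return gaps


def inventory_report(suppliers, today: date) -> list[dict]:
    """Flatten the supplier tree into rows ranked by tier, then by depth in the chain."""
    rows = []
    for s, path, critical in walk(suppliers):
        tier = risk_tier(s.data_access, critical)
        age = None if s.last_assessed is None else (today - s.last_assessed).days
        rows.append({
            "name": s.name,
            "chain": " -> ".join(path),
            "depth": len(path),          # 1 = third party, 2 = fourth party, ...
            "tier": tier,
            "review_overdue": age is None or age > REVIEW_INTERVAL_DAYS[tier],
            "evidence_gaps": missing_evidence(tier, s.assurance),
        })
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    rows.sort(key=lambda r: (order[r["tier"]], r["depth"], r["name"]))
    return rows


# Constructed sample register: fictional suppliers and dates, not real vendors.
SAMPLE = [
    Supplier("PayrollCo", "payroll SaaS", "personal", business_critical=True,
             last_assessed=date(2025, 1, 10), assurance={"SOC2", "pentest"},
             subprocessors=[
                 Supplier("CloudHost", "hosting used by PayrollCo", "personal",
                          last_assessed=date(2024, 6, 1), assurance={"ISO27001"}),
             ]),
    Supplier("ShipFast", "logistics portal", "internal",
             last_assessed=date(2025, 3, 1)),
    Supplier("Printly", "marketing print", "none"),
]
SAMPLE_TODAY = date(2025, 4, 30)

if __name__ == "__main__":
    for row in inventory_report(SAMPLE, SAMPLE_TODAY):
        print(row)
```

Run as a script, the report lists the fourth party CloudHost as critical (inherited from PayrollCo) with its review overdue and a penetration test missing, which is exactly the kind of exposure that a questionnaire sent only to the direct supplier would never surface.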


Contractual controls

As we’ve already touched upon, many businesses think that they’ve got their third party issues sewn up with the contract between them, but that’s not always the case. You should embed explicit cyber clauses in contracts, including breach notifications, audit rights and remediation deadlines. And even before you engage the services of a third party, you should ask them to show you their own Third-Party Risk Management programmes to show that further down the chain, compliance can also be ensured.


Incident response and continuity

Do you have an Incident Response plan? If you don’t, it’s very important to get one drafted and implemented as soon as possible. If you do have one, has it been updated to include vendor-related incidents? To identify where the weak spots are, try performing tabletop exercises covering third-party failures. Those exercises can include simulation drills, but be sure to involve all stakeholders: IT, procurement, legal and risk management teams.


Training and culture

Third-party risk isn’t only an IT problem. All staff need to know about it, and you should establish a culture of risk awareness across all departments. Get training for staff on third-party cyber threats and on how the procurement process can play a significant part in risk mitigation.


Insurance and resilience

For many businesses in the modern digital landscape, cyber insurance is crucial to protect against both the risk and the consequences of cyber breaches. However, not all cyber insurance is the same, and unless you’ve chosen a policy that includes cover for third-party risks, you could find yourself exposed if anything happens. Speak to an insurance professional to check that your policy gives you the best protection.


And finally…update, update, update.

Businesses should be under no illusion that taking the steps outlined above is enough to guarantee either cyber security or regulatory compliance. It’s crucial to adopt a programme of continuous improvement, revisiting and reassessing your policies and procedures on a regular basis: at least annually, and definitely whenever there’s a substantive change of scope and/or services within your business.