3 Ways to Prevent Vendor Cyber Attacks

If your vendors get hacked, you’re in trouble.

If your vendor’s vendor gets hacked - you’re still in trouble.

Cyber security across your supply chain should be a priority. Cyber security protects internet-connected systems, including hardware, software and data, from cyber attacks. It involves preventing unauthorised access to, destruction of, or manipulation of computer systems and networks.

Sounds critical. And it truly is. 

Experian recently reported that the share of cyber security breaches by sector was:

  • 38% in Healthcare
  • 21% in Financial Services
  • 16% in the Public Sector

The recent cyber attacks on Santander and the NHS reinforce this trend of vulnerabilities within major institutions.

And it makes me wonder how many organisations genuinely know what is happening across their supply chain.

That worries me.

Vendor cyber attacks in regulated businesses

Santander, a global banking giant, recently issued a breach notification following a supply chain attack. The attackers, known as Shiny Hunters, stole data relating to Santander’s banks in Chile, Spain and Uruguay and are demanding a $2 million ransom for it.

This unauthorised third party accessed a database containing:

  • Personal information of 30 million customers and employees
  • 28 million credit card numbers
  • 6 million account numbers and balances

NHS trusts in the UK faced a similar crisis when Synnovis, a provider of lab services, was hit by a ransomware attack. Seven hospitals were affected as the provider’s IT systems became unusable.

As a result, multiple hospitals had to cancel operations and blood transfusions and some appointments needed to be redirected to other providers. 

Cyber attacks on businesses like Santander and the NHS can have dire consequences for ordinary people. Compromised financial data can lead to identity theft and financial ruin, while attacks on healthcare systems can disrupt medical procedures and put lives at risk. These breaches threaten personal welfare while eroding customer trust in essential services. 

The risks of poor vendor cyber security

Healthcare, Financial Services and other regulated industries handle vast amounts of sensitive data and operate under complex legal frameworks. 

As well as breaches and operational disruption, poor levels of cybersecurity throughout your supply chain can also lead to: 

  • Financial Losses: Direct costs from ransom payments, recovery efforts and regulatory fines. The average cost of a data breach globally was $4.45 million in 2023, according to IBM’s Cost of a Data Breach report.
  • Reputational Damage: Erosion of customer confidence, affecting long-term business prospects.
  • Legal Consequences: Increased scrutiny, audits and potential lawsuits from regulatory bodies and affected parties.
  • Non-compliance with evolving regulation, such as DORA for financial entities in the EU.

Yet procurement teams are still struggling to manage their vendors’ cyber security: 98% of companies have had at least one of their vendors breached in the last two years, according to a report by SecurityScorecard and the Cyentia Institute.

The cost of poor compliance and control of your vendors’ cyber security could break your business. But I've got you covered here with three ways to assess their security and mitigate potential risks.

3 easy ways to assess your vendor cyber security

I used to oversee hundreds of vendors and their contracts for a London-based FinTech. We prioritised cybersecurity and broader risk reviews of every vendor. Our most strategic vendors were given priority based on our vendor segmentation model and cross-team collaboration. But I know this isn’t the story everywhere.

These steps are best used in your business with a joined-up approach from Procurement, Legal, Risk, InfoSec and IT. (Or some combination of individuals experienced in these areas if you don’t yet have dedicated team members.)

1. Market IQ Cyber Assessments and Mitigation Workflows

Market IQ Cyber, powered by SecurityScorecard, is designed to address your third-party risk management requirements and fortify your defences against cyber attacks.

It makes your business more resilient by automatically alerting you to changes in a vendor’s profile, so you can identify and mitigate cyber security weaknesses before they turn into an incident.

This is how it works.

Each vendor you assess with Market IQ Cyber is assigned a grade from A to F. An "A" means the vendor is in good shape.

We know that any vendor graded C to F is 5.4 times more likely to suffer a consequential breach than one graded A or B.

Behind each grade is a scoring system.

(Image: SecurityScorecard grades and scores)

Behind the score sits a set of risk factors, each carrying its own weighting.

(Image: SecurityScorecard risk factors)

A vendor that scores 100 had no issues detected. Bear in mind that the rating is built from what can be observed from outside the vendor (exposed services, patch levels of internet-facing systems, DNS and email configuration, leaked credentials), so a high score says nothing about controls you cannot see, such as internal access management or whether backups are ever test-restored. That is what the certifications and questionnaires below are for.

I particularly like the historical performance that provides an insight into how they’ve treated cyber over a more extended period.

But what happens if a vendor’s cyber score declines?

A drop in score triggers a Best Practice Cyber Risk Mitigation Workflow (Market IQ Escalation) in Gatekeeper's Workflow Engine, prompting the business to send questionnaires to the vendor about their cyber status.

You can then assess the vendor’s responses alongside the factor-level detail in your SecurityScorecard account.

I’d also suggest you catalogue any risks in the Gatekeeper Risk Register.

If the cyber risk is no longer a concern, you can move the card through to completion without further action. If this vendor is of concern, that’s when you can further manage their performance and even ensure that the vendor’s RAG status is marked as Red on their vendor record.

All of this gives you the following:

  • Visibility as to your vendors’ cyber health
  • Automated mitigation measures
  • Evidence that you're assessing your vendors’ cyber health, which can be given to data subjects, auditors and/or investors.
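As an added illustration of the escalation logic just described (this is not Gatekeeper's or SecurityScorecard's code), here is a small Python model that takes a chronological list of scores per vendor, maps each score to a grade, detects a decline between the last two snapshots, checks the longer history for a chronic pattern, and decides the RAG status and the actions a workflow would raise. The grade bands are assumed to follow SecurityScorecard's public A-F scale (A 90-100, B 80-89, C 70-79, D 60-69, F below 60); the 10-point drop threshold, the chronic-decline rule and the vendor names and scores are my own constructed assumptions, not real ratings.

```python
"""Rating-decline escalation model for vendor cyber ratings.

Added illustration only: not Gatekeeper's or SecurityScorecard's code.
Grade bands are assumed to follow SecurityScorecard's public A-F scale;
the drop threshold, the chronic rule and the histories below are constructed.
"""
from dataclasses import dataclass, field

# Assumed grade bands (A = 90-100, B = 80-89, C = 70-79, D = 60-69, F = 0-59).
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]
GRADE_ORDER = "ABCDF"                 # index grows as the grade gets worse
ESCALATE_GRADES = {"C", "D", "F"}     # the band the page describes as materially riskier
SCORE_DROP_THRESHOLD = 10             # assumption: a 10-point fall is worth a questionnaire even within A-B
CHRONIC_MIN = 2                       # assumption: below B in 2+ recent snapshots is a pattern, not a blip


def grade_for(score: int) -> str:
    """Map a 0-100 score to a letter grade using the assumed bands."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"  # unreachable because the last floor is 0; kept for clarity


@dataclass
class Decision:
    vendor: str
    previous_grade: str
    current_grade: str
    rag: str                                  # Green / Amber / Red on the vendor record
    actions: list[str] = field(default_factory=list)


def assess(vendor: str, history: list[int], window: int = 4) -> Decision:
    """Compare the latest two snapshots (history is oldest first) and decide what to do."""
    if len(history) < 2:
        raise ValueError("need at least two snapshots to detect a change")
    previous, current = history[-2], history[-1]
    g_prev, g_now = grade_for(previous), grade_for(current)
    drop = previous - current

    worse_grade = GRADE_ORDER.index(g_now) > GRADE_ORDER.index(g_prev)
    declined = worse_grade or drop >= SCORE_DROP_THRESHOLD
    actions: list[str] = []

    if declined:
        # The trigger described on the page: a falling score opens the escalation workflow.
        actions.append("send cyber-status questionnaire (escalation workflow)")
    if g_now in ESCALATE_GRADES:
        actions.append("review factor-level detail in the rating platform")

    # Historical view: persistently weak, or just a bad month?
    recent = history[-window:]
    below_b = sum(1 for s in recent if grade_for(s) in ESCALATE_GRADES)
    if below_b >= CHRONIC_MIN:
        actions.append(f"chronic: below B in {below_b} of the last {len(recent)} snapshots")

    if g_now in {"D", "F"}:
        rag = "Red"
        actions += ["log in risk register", "mark vendor record RAG Red"]
    elif g_now == "C" or declined:
        rag = "Amber"
    else:
        rag = "Green"
    return Decision(vendor, g_prev, g_now, rag, actions)


# Constructed sample histories (chronological scores); not real vendors or ratings.
SAMPLE_HISTORY = {
    "Acme Payroll Ltd": [94, 93, 92, 91],      # stable A: nothing to do
    "Northwind Labs": [88, 85, 81, 76],        # slid from B to C: questionnaire, Amber
    "Contoso Hosting": [72, 69, 64, 58],       # chronic decline into F: Red, risk register
    "Fabrikam Analytics": [91, 90, 79, 90],    # one bad month, now recovered: Green
}


def assess_all(histories: dict[str, list[int]]) -> dict[str, Decision]:
    """Run the assessment over every vendor in the snapshot set."""
    return {name: assess(name, scores) for name, scores in histories.items()}


if __name__ == "__main__":
    for d in assess_all(SAMPLE_HISTORY).values():
        print(f"{d.vendor}: {d.previous_grade}->{d.current_grade} RAG={d.rag}")
        for action in d.actions:
            print(f"    - {action}")
```

In practice you would feed `assess_all` the scores exported from your rating platform on each monitoring run instead of the constructed `SAMPLE_HISTORY`, and have the resulting actions open the questionnaire, risk register entry and RAG change in your workflow tool. The historical check is the part worth keeping: a vendor that dips and recovers (Fabrikam above) needs a different conversation from one that has been below B for months (Contoso).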

2. Security Assessment and Certification

Look for independent assurance such as ISO 27001 certification, a SOC 2 Type II report and PCI DSS compliance (depending on your industry). These are a good indication that the vendor has security processes in place to protect your data, but read them rather than ticking the box: an ISO 27001 certificate only covers the scope statement printed on it, and a SOC 2 report lists the auditor’s exceptions and any sub-service organisations (your vendor’s vendors) that were carved out of the audit.

I recommend asking your vendors whether they have completed any third-party security assessments and which control frameworks they align to, such as ISO 27002 or NIST SP 800-53. Note that these two are control catalogues to map a vendor’s controls against, not certifications a vendor can hold.

By assessing a vendor’s cyber security posture, you can ensure that the vendor you are working with is taking the necessary steps to protect your data. If you’re a financial entity operating in the EU, this becomes a legal requirement under the Digital Operational Resilience Act (DORA), which applies from January 2025.

We must go beyond the certificates and understand:

  • The vendor’s policies and processes around cybersecurity
  • Their incident response plans, data backups, and regular security audits
  • Whether they run regular vulnerability assessments and independent penetration tests, and how quickly the findings are remediated

For added protection, ask for a recent penetration test summary and evidence that the findings were fixed before you engage the vendor, and write a right to receive future test reports into the contract.

3. Due Diligence Questions on Cyber Security

I’ve always been a fan of sending out carefully selected questionnaires that require the vendor to provide assurances. The answers to these questions - combined with Market IQ Cyber and the vendor’s certifications - should give you a good reading about their cyber security stance.

You can mandate these questions as part of vendor onboarding or ongoing due diligence. 

Question: Have you implemented appropriate information security policies which have been approved, published, and communicated to your employees and relevant external parties?
Objective: This question seeks to understand your vendor’s policies. You could then review each individually or hand-pick specific policies to focus on.

Question: What are your security policies and processes related to remote access? How often do you check employee knowledge and awareness of your policies?
Objective: To understand the approach to employees, vendors, contractors etc. accessing parts of your business online from anywhere in the world.

Question: Can you explain how your software can produce reports of all registered users, including their location, log-in history, password expirations, and any changes they make to customer data?
Objective: Most organisations must comply with regulations requiring them to understand how their employees use customer data. You need to ensure that your employees, when using any new software platform, are doing so compliantly, e.g. they aren’t changing or moving customer data out of the platform (except for reports).


I’ve included a list of additional questions you could ask to inspire you when creating your own due diligence questions.

  • Does the vendor have a dedicated cybersecurity team and/or a Chief Information Security Officer?
  • Does the vendor have a written cybersecurity policy that is regularly updated and reviewed?
  • Does the vendor have a response plan in place in the event of a breach?
  • Does the vendor regularly conduct security audits and vulnerability assessments?
  • Does the vendor have a backup plan in case of a system outage or data loss?
  • Does the vendor have a data protection strategy in place?
  • Does the vendor use encryption to protect data in transit and at rest?
  • Does the vendor have a policy for monitoring and managing user access?
  • Does the vendor have a patch management system to ensure the software is up to date?
  • Does the vendor have a policy in place for securely disposing of data?
  • Does the vendor have a policy in place for securely storing data?

You can build each of these questions into Gatekeeper and automate follow-up questions depending on the responses you receive.

We have a form feature that lets you build out the questions, with an audit log of the activity around each one, including a record that each response was submitted, reviewed and approved in Gatekeeper.

I’m telling you that this is an auditor’s, customer’s and investor’s dream.

Wrap Up

By using Gatekeeper, you can assess your vendors' cyber security, evaluate their security policies, conduct a risk assessment, and verify their compliance with industry standards.

By doing this you reduce the likelihood of onboarding a vendor with weak security, get alerted early when a vendor’s cyber health declines, and limit the impact on your business when a vendor is breached.


If you want to take your due diligence approach to a new level, let’s set up a meeting to discuss how Gatekeeper can help you with this.

Daniel Barnes

Daniel Barnes is a seasoned Procurement and Contract Management Leader, with a Masters in Commercial Law from the University of Southampton. He’s on a mission to transition the sector from manual, spreadsheet-driven processes to efficient, automated operations. Daniel hosts the Procurement Reimagined Podcast, exploring innovative strategies to modernise procurement and contract management, striving for a more streamlined and value-driven industry.
