
By Chris Gunner
Third party vendors can expose financial firms to severe cyber risk. This article outlines why vendor security is business security, drawing lessons from the MOVEit breach. It proposes three steps: engage a vCISO, run rigorous vDDQ for potential vendors and suppliers and fortify backup and continuity for resilience.
With cyberattacks and data breaches on the rise, a lot of attention is understandably going towards an organisation’s own cyber resilience and whether the company is prepared if its IT systems go down. But what about a business’ third-party vendors?
Understanding the risk an organisation takes on when partnering with third-party vendors is a critical component of a strong security posture, because a vendor’s weakest link becomes the buying business’s weakest link.
Yet it is a threat that many organisations overlook. The Cyber Security Breaches Survey 2025 in the UK shows that only just over one in ten businesses (14%) have reviewed the risks posed by their immediate suppliers, and only 7% were exploring the risk to their wider supply chain.
For financial organisations in particular, the threat can be even greater. With a key focus on offering bespoke financial services, firms may lack sufficient internal resources to manage their own cybersecurity, let alone complete effective due diligence on a third-party vendor.
The consequences posed by breaches to suppliers
The risk posed by third-party breaches to buying organisations can be catastrophic. A high-profile example was the exploitation of a vulnerability in Progress Software’s MOVEit file transfer app, used by numerous organisations around the world. Customer and employee data was then stolen from businesses whose supply chains relied on the app, even where those businesses did not run MOVEit themselves.
Over the weeks following the breach, a string of high-profile organisations reported that national insurance numbers and bank details may have been taken. Ernst & Young, alongside numerous financial organisations, was also implicated in the attack. This high-profile incident paints a clear picture of the risk posed to financial institutions, and of the need to take action before bringing on any new suppliers.
Step 1: Calling on the advisors
Before evaluating any new vendors, financial institutions need to fill internal knowledge gaps with external expertise. CISOs are vital within businesses, as these professionals are responsible for developing the overall cybersecurity strategy of their organisations. But in specialist sectors such as finance, it may be an unaffordable role to hire for.
A Virtual Chief Information Security Officer (vCISO) is an executive-level cybersecurity practitioner who draws on years of experience to help financial firms develop and manage a tailored information security programme. By providing guidance on areas such as incident response planning, security policies and procedures, a vCISO gives financial firms the resources they need to complete due diligence on third-party vendors.
Step 2: vDDQ of third-party vendors
With the expertise of a vCISO behind them, financial firms can confidently carry out a Vendor Due Diligence Questionnaire (vDDQ) process. This involves assessing and managing the potential risks associated with external parties such as suppliers, vendors and service providers. To evaluate the cybersecurity strength of a particular vendor, the questionnaire might cover current data protection measures, compliance with laws and regulations, current incident response plans and even the security training and awareness delivered to staff.
A vDDQ is a critical component of overall risk management and of the cybersecurity effort to safeguard an organisation’s data and operations against the third-party threat, and it is often required for compliance purposes as well.
Step 3: Fortify financial defences
The vDDQ process gives financial firms the confidence to select vendors that prioritise a strong cybersecurity posture, but firms should still take measures to protect their own operations in case a critical vendor is attacked and data becomes vulnerable to theft. That is why business continuity planning should include a backup of sensitive data.
It is true that many organisations now keep cloud backups with the big providers such as Amazon, Google or Microsoft. But a separate backup of cloud data with a specialist third-party provider can give extra assurance should something happen to a vendor. Cloud backups today mean that data restoration does not have to be a lengthy process, so they need to be in place before the worst happens.
Third-party risk is business risk
Third-party risk is business risk. As the MOVEit incident showed, a supplier’s weakness can quickly become the breach of a financial firm that uses one or many of its services. Treating vendor risk as a core pillar of cyber resilience means putting experienced leadership in place, standardising vendor due diligence and assuming breach by hardening internal recovery capabilities.
The critical step is a rigorous vDDQ process. By completing due diligence on suppliers and vendors across areas such as incident response planning, security policies and procedures and key roles, financial firms can best protect themselves against the cyber threat.
About the Author
Chris Gunner is a Virtual Chief Information Security Officer (vCISO) at Thrive. He has extensive experience in information security and risk management, particularly within the financial and legal sectors. He helps organisations strengthen their security posture through strategic guidance, risk management and governance.