How to Evaluate If Your Third-Party Providers are Cyber Resilient

There is no shortage of trials facing businesses and their decision makers. From navigating shifting economic conditions and adapting to political policy changes to training and retaining talent, managing every component of operations requires a strong and dedicated team. And that is only within your own business.

Running a business in today’s international, digital economy brings with it new and increasingly complex challenges when cybersecurity and third-party relationships are added to the mix. Effective policies, practices, and platforms are necessary to help ensure these aspects of operations are business strengths and not vulnerabilities threat actors are preparing to exploit.

Even assuming your organization's own cybersecurity and day-to-day operations are optimized and effective, business leaders still need to concern themselves with the cyber readiness of every third-party vendor, supplier, and contractor. Are your third-party providers cyber ready?

Overview of Third-Party Vendor Cybersecurity Challenges

The cybersecurity challenges of relying on third parties are vast. For one, consider risk management. Do your vendors and suppliers adhere to compliance, regulatory, and industry-supported standards? Any single point of failure on their part can lead to significant damage on your end. According to Prevalent's 2024 'Third-Party Risk Management Study', 61% of respondents stated they experienced a "security incident related to the usage of a third party", an increase of 20 percentage points over the previous year [1].

Given the interconnected nature of the current market, a single cyber incident at a third party can have a wide-ranging impact up and down your supply chain. There are countless examples demonstrating this reality. One of the most significant was the breach of CDK Global, a software provider to automobile dealerships. A single cyber breach, which likely originated through a phishing scheme, resulted in an estimated $1 billion in losses across some 15,000 dealerships, shutting down the victims' ability to access financing, payroll, support and service, inventory, and standard back-office operations for many days [2].

In recent days, SpearTip's Security Operations Center responded to an alert of malicious code execution at a car dealership (see SpearTip's write-up, "Third-Party Supply Chain Attack Affecting Auto Dealerships"). When SpearTip examined the websites users reported visiting before they interacted with the ClickFix pop-up, every one of them loaded the same object, https://idostream[.]com/member/les_video_srp.js, which contained malicious JavaScript that rendered the fake CAPTCHA page. The campaign attempted to deploy SectopRAT, a remote access trojan that can control browsers and steal sensitive information from the host. Fortunately, the vulnerability was patched quickly, in what could otherwise have been a devastating incident for auto dealers.

Both examples demonstrate that a single point of failure within one organization can usher in significant downtime for others dependent on third-party software.
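The dealership incident above turned on a single third-party script that every affected site loaded. One practical check a customer can run against its own web properties, added here as an example and not SpearTip's tooling, is to inventory every external script a page includes, compare the hosts against a blocklist of indicators (the only indicator used is the defanged host from the article, refanged at runtime), and flag third-party scripts loaded without Subresource Integrity, since a pinned hash makes the browser refuse a tampered copy. The sample HTML and the hosts dealer.example, cdn.vendor.example and analytics.example are constructed for the example.

```python
"""Audit the third-party <script> tags a page loads for known-bad hosts and
for includes that lack Subresource Integrity. Added example; not SpearTip's
tooling. All hosts except the article's indicator are hypothetical."""

from html.parser import HTMLParser
from urllib.parse import urlparse


def refang(indicator):
    """Turn a defanged indicator such as 'hxxps://idostream[.]com' back into
    its real form so it can be matched against live page content."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# The one indicator the article gives for the ClickFix campaign, kept defanged
# in source and refanged only at runtime.
BLOCKLIST_HOSTS = {refang("idostream[.]com")}

# Hypothetical: hosts you operate yourself, so scripts from them are not
# third-party. Replace with your own.
FIRST_PARTY_HOSTS = {"dealer.example"}


class ScriptSrcParser(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.scripts.append(attr_map)


def host_matches(host, hosts):
    """True if host equals, or is a subdomain of, any entry in hosts."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def audit_scripts(html, first_party=FIRST_PARTY_HOSTS, blocklist=BLOCKLIST_HOSTS):
    """Return (verdict, src) for each third-party script in the page.

    BLOCKLISTED: the host is a known indicator.
    NO_SRI:      third-party script with no integrity attribute, so the
                 browser would run a tampered copy without complaint.
    OK:          third-party script pinned with Subresource Integrity.
    Relative URLs and data: URLs have no host and are treated as first-party.
    """
    parser = ScriptSrcParser()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs["src"]
        host = (urlparse(src).hostname or "").lower()
        if not host or host_matches(host, first_party):
            continue
        if host_matches(host, blocklist):
            findings.append(("BLOCKLISTED", src))
        elif not attrs.get("integrity"):
            findings.append(("NO_SRI", src))
        else:
            findings.append(("OK", src))
    return findings


# Constructed sample standing in for a dealership site's HTML. The last external
# include mirrors the object the affected sites loaded in the incident above.
SAMPLE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://dealer.example/js/inventory.js"></script>
<script src="https://cdn.vendor.example/widget.js"
        integrity="sha384-EXAMPLEHASH" crossorigin="anonymous"></script>
<script src="https://analytics.example/tag.js"></script>
<script src="//{refang('idostream[.]com')}/member/les_video_srp.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""


if __name__ == "__main__":
    for verdict, src in audit_scripts(SAMPLE_HTML):
        print(f"{verdict:12}{src}")
```

Subresource Integrity is only practical where the vendor serves a static, versioned file; a script the vendor changes in place will fail the hash check and stop loading, which is the intended failure mode but one to agree with the vendor in advance. Run the audit over a scheduled crawl of your sites so a newly injected include surfaces as a new BLOCKLISTED or NO_SRI finding rather than as a user-reported pop-up.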

Additional challenges businesses face with their third-party vendors include performance monitoring and cost management. Vendors generally do not (and should not) grant customers carte blanche access to their internal metrics and data, which leaves potential blind spots. Dependence and continuity are others. Over-reliance on a single vendor or a handful of vendors can pose risks to business continuity; the CDK Global incident showed how one software provider, adopted so widely across an industry, can shut that industry down for a time when it fails.

Because third parties increase your attack surface, may not adhere to rigorous security standards, and may have limited visibility into their own digital environment, these challenges can grow into large-scale disruptions in an instant.

The unfortunate reality is that you and your organization cannot take responsibility for the cybersecurity program of someone else. However, doing nothing cannot be an option.

Strategies for Mitigating Risks

By addressing these challenges with a strategic and collaborative approach, organizations can enhance the resilience and effectiveness of their third-party providers in managing risks, supply chain disruptions, costs, and other vital areas.

Here are a few ways to mitigate risks:

  1. Vendor Risk Assessment: Conduct thorough risk assessments to evaluate the cybersecurity posture of all third-party vendors on a regular basis. This includes evaluating their cybersecurity policies, procedures, and controls with methods ranging from lightweight external scans to in-depth penetration testing (the latter only with the vendor's written authorization).
  2. Security Audits and Certifications: Limit consideration to vendors that undergo regular security audits against well-established frameworks such as the NIST Cybersecurity Framework and that hold relevant certifications or attestations such as ISO/IEC 27001 or SOC 2.
  3. Contractual Security Requirements: Include specific cybersecurity requirements and compliance clauses in vendor contracts and service level agreements, including adherence to named security standards, regular assessments, and incident reporting protocols with defined notification timelines.
  4. Continuous Monitoring and Reporting: Implement continuous monitoring and reporting mechanisms to keep track of vendor security practices and newly disclosed vulnerabilities in the products you depend on.
  5. Incident Response Collaboration: Establish joint incident response protocols and conduct regular simulations to ensure coordinated efforts in case of a cyber incident.
  6. Cybersecurity Training and Awareness: Provide vendors with access to cybersecurity resources and training to enhance their security practices, or verify that they independently maintain such practices.
  7. Data Protection Controls: Ensure that vendors have robust data protection policies and controls in place, such as encryption of data at rest and in transit and MFA on every account that can reach your data, to safeguard sensitive information. This is particularly important for vendors that handle information protected by regulations such as HIPAA or standards such as PCI DSS.
 

Addressing third-party cybersecurity challenges is essential for maintaining the resilience and security of your organization. By implementing robust risk management strategies and conducting due diligence before onboarding a new vendor, your organization and the supply chain in which you operate become more resilient. Diversifying the vendor base and having contingency plans in place for the loss of any one vendor are equally important.

Moving Forward with Resilience

Successfully navigating today’s business environment regarding third-party cybersecurity requires a proactive approach. The interconnected global economy means vendor vulnerabilities are also your vulnerabilities. Incidents like the CDK Global breach show how a single failure can affect entire industries and drive significant losses.

To mitigate risks, organizations must adopt comprehensive risk management strategies that foster a culture of cybersecurity awareness and ensure all involved parties adhere to high security standards.

Addressing third-party cybersecurity is crucial for protecting your business and strengthening supply chain resilience. By managing risks and planning strategically, businesses can turn potential vulnerabilities into strengths, maintaining security and a competitive edge in a digital, interconnected world.

Sources

  1. 2024 Prevalent Third-Party Risk Management Study. https://www.prevalent.net/blog/2024-third-party-risk-management-study/
  2. https://www.speartip.com/cdk-global-cyberattack-ftc-safeguards-and-how-speartip-can-help/
 
The information in this newsletter publication was compiled from sources believed to be reliable for informational purposes only. This is intended as a general description of certain types of managed security services, including incident response, continuous security monitoring, and advisory services available to qualified customers through SpearTip, LLC, as part of Zurich Resilience Solutions, which is part of the Commercial Insurance Business of Zurich Insurance Group.  SpearTip, LLC does not guarantee any particular outcome. The opinions expressed herein are those of SpearTip, LLC as of the date of the release and are subject to change without notice. This document has been produced solely for informational purposes. No representation or warranty, express or implied, is made by Zurich Insurance Company Ltd or any of its affiliated companies (collectively, Zurich Insurance Group) as to their accuracy or completeness. This document is not intended to be legal, underwriting, financial, investment or any other type of professional advice. Zurich Insurance Group disclaims any and all liability whatsoever resulting from the use of or reliance upon this document. Nothing express or implied in this document is intended to create legal relations between the reader and any member of Zurich Insurance Group. Certain statements in this document are forward-looking statements, including, but not limited to, statements that are predictions of or indicate future events, trends, plans, developments or objectives. Undue reliance should not be placed on such statements because, by their nature, they are subject to known and unknown risks and uncertainties and can be affected by numerous unforeseeable factors. The subject matter of this document is also not tied to any specific service offering or an insurance product nor will it ensure coverage under any insurance policy. 
No member of Zurich Insurance Group accepts any liability for any loss arising from the use or distribution of this document. This document does not constitute an offer or an invitation for the sale or purchase of securities in any jurisdiction.
In the United States, Zurich Resilience Solutions managed security services are provided by SpearTip, LLC.
Copyright © 2025 SpearTip, LLC

Featured Articles

The Anatomy of a Phishing Attack
02 April 2025
How to Evaluate If Your Third-Party Providers are Cyber Resilient
20 March 2025
Third-Party Supply Chain Attack Affecting Auto Dealerships
17 March 2025
How Security Awareness Training & Education Can Drastically Reduce Cyber Risk
06 February 2025