PDF Report | 14 Pages | Third-Party Cyber Risk Management
Companion intelligence page for the Ethixbase360 A Practical Guide to Third-Party Cyber Risk Management. This 14-page strategic guide is for compliance and risk professionals.
Executive Summary
Third-party cyber risk has become one of the most significant and least understood threats facing modern organisations. As businesses increasingly rely on cloud platforms, managed service providers, and outsourced technology, attackers are shifting their focus away from direct targets and toward suppliers that offer the most efficient path into multiple organisations at once. A single compromised vendor can provide access to hundreds or even thousands of downstream customers, turning a single vulnerability in a supplier’s environment into a systemic event with widespread operational, regulatory, and reputational consequences.
Ethixbase360’s April 2026 guide, authored by Natasha Martin and Jonny Shenxane, establishes that third-party cyber risk management is no longer an IT issue to be handled in isolation. It is a critical evolution of traditional Third-Party Risk Management (TPRM) that requires shared accountability across Compliance, Legal, Procurement, Risk, and Security functions, with cyber risk embedded into the full vendor lifecycle from onboarding through to off-boarding, not bolted on as an afterthought.
The scale of the challenge is substantial. In 2025, nearly 30% of reported global data breaches were linked to third-party vendors, double the proportion seen the year before. Yet 79% of companies have less than half of their supply chain covered by cybersecurity programmes, meaning the majority of third-party cyber risk remains invisible to the organisations it threatens. Real-world incidents in 2025, including breaches at Marks & Spencer (estimated £300 million impact), the Co-op (£206 million in disruption costs), and Qantas Airways (over 6 million customer records extracted), demonstrate that no organisation is too large or too mature to be exposed through its supplier ecosystem.
This guide explains why third-party cyber incidents are accelerating, how attackers exploit supplier ecosystems, and why many organisations remain exposed despite existing vendor risk processes. It then sets out a practical, integrated model for managing third-party cyber risk, covering vendor onboarding, risk segmentation, due diligence and assessment, contractual enforcement, continuous monitoring, and incident response integration. The organisations that succeed will be those that treat their third-party ecosystem with the same rigour and scrutiny as their own internal systems.
A Practical Guide to Third-Party Cyber Risk Management
Related Intellifence Hubs (TBC)
Key statistics & data points
In 2025, nearly 30% of reported global data breaches were linked to third-party vendors, double the proportion recorded the year before, signalling that supplier ecosystems have become the primary attack surface for organisations globally.
Source: Cited in Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026
70% of organisations say they are highly concerned about supply chain cyber risk, yet most have not implemented continuous monitoring programmes to match that stated concern.
Source: Supply Chain and Demand Executive, as cited in Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026
79% of companies have less than half of their supply chain covered by cybersecurity programmes, meaning the majority of third-party cyber risk remains invisible to the organisations it threatens.
Source: SocRadar, as cited in Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026
82% of organisations give third parties access to all cloud data, creating broad and persistent exposure that extends far beyond the IT perimeter and into every vendor relationship involving cloud platform access.
Source: Wiz Research 2025, as cited in Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026
Marks & Spencer estimated a £300 million loss in profits following a 2025 supply chain cyber breach in which phishing and social engineering targeted a third party rather than M&S’s own systems directly.
Source: Marks & Spencer, as cited in Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026
The Co-operative Group suffered an estimated £206 million in disruption costs following a 2025 breach through a misconfigured third-party IT contractor system, with customer loyalty programme data exposed.
Source: Co-op, as cited in Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026
Qantas Airways faced potential fines of up to A$50 million or 30% of adjusted turnover under Australia’s Privacy Act after cybercriminals extracted over 6 million customer records by exploiting a third-party customer service platform.
Source: Australia’s Privacy Act; Qantas, as cited in Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026
93% of boards identify cyber risk as a threat to stakeholder value, yet governance structures to manage that risk across the third-party ecosystem remain fragmented in most organisations.
Source: Gartner Board of Directors Survey 2024, as cited in Ethixbase360 Cyber POV, 2025
Expert Quotes and Insights
"How confident are you that the organisations you rely on will not become the easiest way into your business?"
— Ethixbase360 · A Practical Guide to Third-Party Cyber Risk Management · April 2026
"What separates resilient organisations from vulnerable ones is their ability to act decisively, not simply react. The organisations that succeed will be those that treat their third-party ecosystem with the same rigour and scrutiny as their own internal systems."
— Ethixbase360 · A Practical Guide to Third-Party Cyber Risk Management · April 2026
Chapter Breakdown
Chapter 1: What Is Third-Party Risk Management (TPRM)? (p. 3)
TPRM is the discipline of identifying, assessing, and reducing risks created by external organisations, suppliers, service providers, outsourcers, and partners. Risk domains span operational disruption, data protection, regulatory compliance, financial stability, and reputational damage. TPRM manages risk across the full vendor lifecycle from onboarding through to off-boarding.
Chapter 2: A New Vendor Risk Domain, What Is Third-Party Cyber Risk Management? (p. 4)
Third-party cyber risk management is an emerging TPRM domain focused on the cybersecurity posture of external vendors. Breaches occur through vendors rather than direct attacks, and are attractive to attackers because vendors hold privileged access, organisations have limited vendor security visibility, breaches go undetected for extended periods, and a single compromised vendor can impact hundreds or thousands of downstream customers.
Chapter 3: How the Risk Landscape Has Changed (p. 5-6)
In 2025, nearly 30% of global data breaches were linked to third-party vendors, double the prior year. Five structural factors drive this: greater vendor dependency (every business function uses external platforms); excessive vendor access enabling lateral movement; vendors as social engineering targets; fragmented internal ownership; and absence of continuous monitoring. 79% of companies have less than half their supply chain covered by cybersecurity programmes (SocRadar).
Chapter 4: Why Third-Party Cyber Attacks Are Attractive to Attackers (p. 7)
Third-party attacks offer three structural advantages: one breach can compromise hundreds or thousands of downstream customers simultaneously; the return on effort is far higher than direct attacks, especially in ransomware campaigns; and third-party incidents create outsized leverage, operational outages, regulatory scrutiny, and reputational damage all at once, pressuring rapid payment.
Chapter 5: Real-World Incidents, Cautionary Tales (p. 8-9)
Three 2025 cases show that major organisations are not immune. M&S lost an estimated £300 million in profits following a phishing-based third-party breach. The Co-op incurred £206 million in disruption costs through a misconfigured contractor system. Qantas had over 6 million customer records extracted via a third-party customer service platform, facing potential A$50 million fines under Australia's Privacy Act.
Chapter 6: Who Is Responsible for Third-Party Cyber Risk? (p. 10-11)
Third-party cyber risk is one of the most significant and least understood threats facing organisations. A single compromised vendor can create a multiplier effect across multiple organisations. AI is accelerating risk detection and risk creation, enabling synthetic identities, automated fraud and phishing, and rapid disinformation. Effective programmes are moving toward shared accountability, risk-based vendor segmentation, continuous monitoring, and contractual enforceability.
Chapter 7: Integrating Cybersecurity Into Your TPRM Programme (p. 12-13)
Five lifecycle integration areas: vendor onboarding (baseline cyber expectations aligned to role, access, and criticality); risk segmentation (controls scaled to risk profile and business dependency); due diligence and assessment (beyond questionnaires to independent attestations and vulnerability scans); contractual enforcement (security obligations, breach notification timelines, audit rights); continuous monitoring (point-in-time is insufficient, detect changes between reviews); and incident response integration (clear escalation and accountability before incidents occur).
Chapter 8: Conclusion (p. 14)
Third-party cyber breaches are the predictable outcome of expanding digital ecosystems and attackers treating suppliers as the most efficient enterprise access route. Organisations that treat this as a narrow IT problem will struggle with modern threats, regulatory scrutiny, and supplier failures. Those integrating cyber risk into their broader TPRM operating model are better positioned to detect issues early, respond effectively, and limit damage.
Definitions and Entities
Third-Party Cyber Risk
The cybersecurity and information security exposure created by an organisation’s reliance on external vendors, partners, contractors, and service providers. Distinct from direct cyber risk in that the threat originates outside an organisation’s own perimeter, through vendor access credentials, shared integrations, or compromised supplier infrastructure. A single third-party compromise can cascade across multiple downstream organisations simultaneously.
Third-Party Cyber Risk Management
An emerging vendor risk domain within TPRM focused specifically on the cybersecurity posture and information security controls of external vendors. Involves assessment, continuous monitoring, contractual enforcement, and incident response integration across the full vendor lifecycle from onboarding through to off-boarding.
TPRM (Third-Party Risk Management)
The structured discipline of identifying, assessing, and reducing risks created by external organisations, including suppliers, service providers, outsourcers, and partners, across domains including operational disruption, data protection, regulatory compliance, financial stability, and reputational damage. Effective TPRM requires shared ownership across Compliance, Legal, Procurement, Risk, and IT functions.
Supply Chain Cyber Risk
The aggregate cybersecurity exposure created by an organisation’s network of suppliers, subcontractors, technology providers, and intermediaries. In 2025, nearly 30% of global data breaches were attributed to third-party vectors. 79% of companies have less than half of their supply chain covered by cybersecurity programmes (SocRadar), meaning most supply chain cyber risk remains invisible.
Risk Segmentation (Cyber)
The practice of tiering vendor cyber risk assessment requirements based on overall risk profile, level of system and network access, and business criticality. Ensures cyber due diligence effort is proportionate, preventing over-assessment of low-risk suppliers while ensuring rigorous coverage for critical vendors with high access levels or complex subcontractor relationships.
Continuous Monitoring (Vendor Cyber)
An ongoing programme of real-time and near-real-time surveillance of vendor cybersecurity posture between formal review cycles. Detects changes in vendor exposure, emerging vulnerabilities, new subcontractor relationships, and shifts in threat actor tactics that are missed by point-in-time assessments. Identified by Ethixbase360 as foundational for any mature third-party cyber risk programme.
Social Engineering (Vendor Context)
Manipulation techniques — including phishing, pretexting, and impersonation, used to compromise vendor employees and gain access to their systems or credentials. Vendor employees are attractive targets because they often hold privileged access to multiple client environments. The 2025 Marks & Spencer breach involved phishing and social engineering targeting a third party rather than M&S’s own systems.
Lateral Movement
A technique used by threat actors who have gained initial access to a vendor environment to move progressively through connected systems and networks, including those of the vendor’s clients. Particularly effective in third-party breach scenarios because vendors frequently hold persistent access to client systems without triggering the same monitoring as direct employee access.
Contractual Enforcement (Cyber)
The embedding of explicit cybersecurity obligations within vendor contracts, security standards, breach notification timelines, audit rights, and remediation responsibilities. Without defined and enforceable contractual obligations, organisations lack leverage to compel vendor remediation and face delays when speed matters most during an active incident.
NIS2 Directive
EU Directive 2022/2555, effective October 2024, requiring essential and important entities across 18 sectors to implement documented supply chain security policies and contractual breach notification obligations with direct suppliers, making third-party cyber risk management a regulatory compliance requirement for EU-regulated organisations, not merely best practice.
Frequently Asked Questions
What is third-party cyber risk and why does it matter?
What is third-party cyber risk and why does it matter?
Third-party cyber risk is the cybersecurity exposure created when an organisation relies on external vendors with access to its systems, data, or business processes. In 2025, nearly 30% of reported global data breaches were linked to third-party vendors, double the prior year. A single compromised vendor can cascade across hundreds of downstream customers, producing operational disruption, data loss, regulatory fines, and reputational damage.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
How is third-party cyber risk management different from traditional TPRM?
How is third-party cyber risk management different from traditional TPRM?
Traditional TPRM covers operational, financial, reputational, and regulatory risk across the vendor lifecycle. Third-party cyber risk management is an emerging domain within TPRM focused specifically on vendor cybersecurity posture, requiring continuous monitoring, technical assessment methods (vulnerability scans, attestations), and incident response integration. Treating it as a subset of IT risk rather than embedding it into the broader TPRM operating model with shared cross-functional ownership is a primary failure mode.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
Why are third-party cyber attacks so attractive to threat actors?
Why are third-party cyber attacks so attractive to threat actors?
Third-party attacks offer three structural advantages: one breach can compromise many victims simultaneously; the return on effort is far higher than direct attacks (especially in ransomware campaigns); and they create outsized leverage, operational outages, regulatory scrutiny, and reputational damage all at once, pressuring rapid negotiation and payment.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
What are the most common reasons third-party cyber risk programmes fail?
What are the most common reasons third-party cyber risk programmes fail?
Ethixbase360 identifies five failure modes: excessive vendor dependency, expanding the attack surface; excessive or persistent vendor access enabling lateral movement once compromised; vendors as prime social engineering targets; fragmented internal ownership leaving no complete risk view; and absence of continuous monitoring, onboarding-only assessments miss ongoing changes in vendor systems, subcontractors, and controls.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
Who should own third-party cyber risk in an organisation?
Who should own third-party cyber risk in an organisation?
There is no single owner. Many critical controls, contracts, SLAs, due diligence, monitoring, sit with Compliance, Legal, Procurement, and Risk teams. Leading organisations adopt shared accountability with executive sponsorship, defined cross-functional roles, central governance, and cyber risk embedded into TPRM. Cyber expertise sits with security teams; ownership sits at the enterprise level.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
What do the M&S, Co-op, and Qantas breaches demonstrate about third-party cyber risk?
What do the M&S, Co-op, and Qantas breaches demonstrate about third-party cyber risk?
All three 2025 incidents show large, well-resourced organisations are not immune. M&S lost an estimated £300 million in profits through a third-party phishing breach. The Co-op incurred £206 million in disruption costs through a misconfigured contractor. Qantas had 6 million records extracted via a third-party platform, facing A$50 million potential fines. Strong internal security does not protect against a vulnerable supplier ecosystem.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
What does effective third-party cyber risk integration into TPRM look like?
What does effective third-party cyber risk integration into TPRM look like?
Effective integration covers five lifecycle areas: vendor onboarding (baseline cyber expectations); risk segmentation (controls scaled to risk profile and access); due diligence and assessment (beyond questionnaires to independent attestations and vulnerability scans); contractual enforcement (security obligations, breach notification timelines, audit rights); and continuous monitoring. Incident response integration ensures escalation channels and accountability exist before incidents occur.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
Why is continuous monitoring essential for third-party cyber risk?
Why is continuous monitoring essential for third-party cyber risk?
Point-in-time assessments miss ongoing changes, vendors change systems, introduce subcontractors, and face evolving threats between reviews. Wiz Research 2025 found 82% of organisations give third parties access to all cloud data, meaning any vendor security change creates broad exposure. Continuous monitoring that detects changes in vulnerability, access, and threat signals between formal reviews is a foundational programme requirement.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
What regulatory obligations apply to third-party cyber risk management?
What regulatory obligations apply to third-party cyber risk management?
The NIS2 Directive (EU, effective October 2024) requires essential and important entities across 18 sectors to implement documented supply chain security policies and contractual breach notification obligations. Australia’s Privacy Act creates fines of up to A$50 million or 30% of adjusted turnover for personal data breaches. Organisations across multiple jurisdictions face escalating and diverging regulatory expectations for vendor cybersecurity due diligence, monitoring, and incident response.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
What is risk-based vendor segmentation for cyber risk?
What is risk-based vendor segmentation for cyber risk?
Risk-based segmentation tiers cyber due diligence requirements by each vendor’s overall risk profile, level of system and network access, and business criticality. A cloud platform with persistent access to all internal data requires substantially different controls than a low-integration analytics vendor. Segmentation prevents over-assessment of low-risk vendors while ensuring rigorous coverage for critical ones, calibrating questionnaire depth, scanning, contractual obligations, and monitoring frequency accordingly.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
What should be included in vendor contracts to manage third-party cyber risk?
What should be included in vendor contracts to manage third-party cyber risk?
Effective contractual enforcement requires explicitly defining: minimum security standards; breach notification timelines specifying how quickly vendors must report incidents; audit rights enabling independent verification; and remediation responsibilities setting out required steps when vulnerabilities are identified. Without enforceable provisions, organisations lack leverage when issues arise and face delays in detection and response when speed matters most.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
What proportion of supply chains currently have cybersecurity programme coverage?
What proportion of supply chains currently have cybersecurity programme coverage?
According to SocRadar research cited in Ethixbase360’s April 2026 guide, 79% of companies have less than half of their supply chain covered by cybersecurity programmes, meaning most third-party cyber risk is invisible. This gap persists despite 70% of organisations reporting high concern about supply chain cyber risk (Supply Chain and Demand Executive). The disconnect between stated concern and actual coverage is identified as a structural vulnerability and primary driver of current third-party cyber exposure. Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026.
Key Takeaways and Actions
Treat third-party cyber risk as an enterprise governance issue, not an IT problem.
The most important controls, contracts, SLAs, due diligence, and monitoring sit with Compliance, Legal, Procurement, and Risk. Assign shared accountability with clear executive sponsorship and defined roles across functions.
Map your entire vendor ecosystem, not just IT vendors.
Identify all suppliers, partners, and service providers with access to data, systems, or business processes, including payroll, HR, customer service, and analytics platforms. Cyber risk does not respect internal category boundaries.
Segment vendors by actual cyber risk, not perceived category.
Scale due diligence requirements to each vendor’s risk profile, access level, and business criticality. Over-assessing low-risk vendors wastes resources; under-assessing critical ones creates material exposure.
Go beyond questionnaires for high-risk vendors.
Supplement self-reported questionnaires with independent attestations, evidence-based reviews, and external permission-based vulnerability scans. Questionnaires report what a vendor says; independent validation confirms what is actually in place.
Embed cyber obligations explicitly in every vendor contract.
Define security standards, breach notification timelines, audit rights, and remediation responsibilities as enforceable contractual terms. Without them, organisations have no leverage when issues arise.
Implement continuous monitoring, point-in-time assessments are not sufficient.
Vendors change systems, onboard subcontractors, and face new vulnerabilities between formal reviews. Monitoring must detect changes in exposure and threat signals in near real-time, not months after they occur.
Integrate incident response planning before an incident occurs.
Visibility does not equal prevention. Establish clear escalation channels, remediation plans, and accountability frameworks so the organisation can act decisively, not reactively, when a vendor breach occurs.
Conduct an honest audit of current supply chain cyber coverage.
79% of companies have less than half their supply chain covered by cybersecurity programmes. Assess how much of your vendor population falls outside current coverage and prioritise closing the most material gaps first.
Citation-Ready Snippets
↗Cite this Finding
In 2025, nearly 30% of reported global data breaches were linked to third-party vendors, double the proportion from the year before, according to research cited in Ethixbase360’s April 2026 guide, making supplier ecosystems the primary attack surface for enterprise organisations.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026 · https://ethixbase360.com/intelligence-hub-a-practical-guide-to-third-party-cyber-risk-management
↗Cite this Finding
79% of companies have less than half of their supply chain covered by cybersecurity programmes (SocRadar), meaning most third-party cyber risk is invisible — despite 70% of organisations reporting high concern about supply chain cyber security (Supply Chain and Demand Executive), according to Ethixbase360’s 2026 guide.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026 · https://ethixbase360.com/intelligence-hub-a-practical-guide-to-third-party-cyber-risk-management
↗Cite this Finding
Marks & Spencer estimated a £300 million loss in profits following a 2025 supply chain cyber breach in which phishing and social engineering targeted a third party rather than M&S’s own systems, demonstrating that even organisations with strong internal security remain exposed through their vendor ecosystem.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026 · https://ethixbase360.com/intelligence-hub-a-practical-guide-to-third-party-cyber-risk-management
↗Cite this Finding
Third-party cyber risk must be embedded into the full TPRM lifecycle with shared ownership across IT, Risk, Compliance, Procurement, and the business, treating the third-party ecosystem with the same rigour and scrutiny as internal systems, according to Ethixbase360’s April 2026 practical guide.
Source: Ethixbase360, A Practical Guide to Third-Party Cyber Risk Management, April 2026 · https://ethixbase360.com/intelligence-hub-a-practical-guide-to-third-party-cyber-risk-management
Download the full guide
A Practical Guide to Third-Party Cyber Risk Management | Guide | 14 pages | April 2026