Gain critical insights into modern slavery and human rights challenges in global supply chains, and discover strategies to strengthen compliance and mitigate risks for 2025 and beyond. 

Who Owns Third-Party Cyber Risk? Five Takeaways from Our Global Webinar Series

Across our recent EMEA and APAC webinars on third-party cybersecurity risk, one message came through clearly: organizations are still grappling with ownership—but the stakes have shifted.

What was once treated as a technical issue is now an enterprise-wide risk, with direct implications for operations, revenue, and resilience. As third parties become more deeply embedded in critical infrastructure and core business systems, they also hold increasing volumes of sensitive and personal data.

The sessions highlighted just how quickly this shift is happening—and why traditional models are no longer adequate.

Below are five key takeaways.

1. Third-Party Cyber Risk Is No Longer a Technical Problem

For many organizations, cyber risk still sits with IT or security. That model made sense when supplier ecosystems were smaller and risks were more contained. But that reality has changed.

Today’s third parties are embedded across critical infrastructure and core business functions—from finance systems to logistics, customer platforms, and operational technology. They don’t just support the business—they enable it.

At the same time, these suppliers often store and process significant volumes of sensitive data, expanding both the potential attack surface and the severity of impact if something goes wrong.

As Katherine Kearns of S-RM put it:

“Third-party risk is no longer a technical issue—it’s a board-level concern.”


2. Supply Chain Attacks Are Growing—Because They Work

A strong theme from the sessions was the simple economics behind cyber attacks. Threat actors are increasingly focused on suppliers because of the scale and access they provide.

Suppliers now sit at the center of complex, interconnected ecosystems:

  • They have direct access to sensitive data and systems
  • They rely on subcontractors, often with even less visibility
  • They operate through multiple integrations, tools, and user access points

Each layer introduces new vulnerabilities—and new pathways for exploitation.

As Katherine noted:

“Compromise of one supplier can potentially give you access to dozens or hundreds of downstream organizations.”

At the same time, advancements in technology are accelerating both attack capability and coordination. AI is enabling faster identification of vulnerabilities, while dark web marketplaces and secure communication channels allow attackers to share data and tactics at scale.

The result is a shift in pace. Attackers are moving faster—and more systematically—than ever before.

Organizations that remain reactive will struggle to keep up. The quality and depth of risk assessment, scanning, and monitoring capabilities now need to match the sophistication of the threat landscape.


3. Visibility Gaps Are the Real Vulnerability

The issue isn’t just how many third parties organizations rely on—it’s how little visibility exists across them over time.

Across both sessions, a familiar pattern emerged:

  • Due diligence is concentrated at onboarding
  • Monitoring is inconsistent or limited
  • Ownership becomes less clear as relationships evolve

At the same time, access often increases—without a corresponding reassessment of risk.

Even where organizations introduce controls—such as security standards or certification requirements—these are often treated as static checkpoints rather than part of a continuous view of third-party cybersecurity resilience.

As Katherine highlighted, many organizations still monitor only a portion of their supplier base—even as those suppliers retain ongoing access to systems, infrastructure, and data.

This creates a structural vulnerability—one that attackers are actively exploiting.


4. Shared Responsibility Needs Structure to Work

There was broad agreement that responsibility for third-party cyber risk should be shared across functions. But shared responsibility on its own isn’t enough.

As Katherine explained:

“Shared responsibility does not mean diluted responsibility—it means coordinated accountability.”

Organizations making progress in this area are focused less on where ownership sits—and more on how it operates in practice.

That includes:

  • A centralized, accessible view of third parties that supports cross-functional visibility
  • Risk assessment frameworks that distinguish between inherent and residual risk
  • Continuous scanning and monitoring to detect emerging vulnerabilities
  • Clear escalation paths between technical, risk, and business teams

Just as importantly, centralized systems need to bridge the gap between technical and non-technical stakeholders—translating complex risk signals into actionable insight.

In this model, third-party cybersecurity resilience is not just about preventing incidents, but about strengthening detection, response, and recovery capabilities across the ecosystem.


5. The Impact Is Shared—Whether Ownership Is or Not

In practice, ownership becomes less relevant once an incident occurs—because the consequences don’t stay contained.

Third-party cyber incidents can lead to:

  • Operational disruption
  • Financial loss
  • Regulatory scrutiny
  • Reputational damage

More importantly, they directly affect operational resilience.

A supplier’s ability—or failure—to detect, respond to, and recover from an incident becomes your organization’s problem.

As Katherine pointed out:

“Customers and partners very rarely distinguish what is your problem and what is your supplier’s problem.”

This reflects a broader shift across third-party risk: organizations are increasingly judged on their ability to demonstrate oversight—regardless of where the issue originated.


Final Thought: From Ownership to Oversight

The discussion across both sessions pointed to a subtle but important shift.

The question is no longer simply who owns third-party cyber risk. It’s whether organizations can see it, understand it, and respond to it—across the full lifecycle of a third-party relationship.

That means:

  • Breaking down information silos between teams
  • Strengthening communication between technical and business functions
  • Enabling faster detection, escalation, and response

And ultimately:

  • Moving toward predictive and ongoing visibility of third-party cybersecurity resilience

Moving beyond point-in-time checks comes down to better visibility, continuous monitoring, and stronger coordination.

Tools like Ethixbase360 Cyber Third-Party Risk Management, powered by S-RM, are designed to support this shift—combining risk assessment, continuous scanning, and actionable insight to help organizations strengthen oversight and respond more effectively to emerging threats.
