Why Third-Party Cyber Risk Is Now a Board-Level Strategy Problem

Series: From the Books, Updated for Now
Source anchor: The Book on Cybersecurity
Published date: 2026-04-03
Word count: ~900 words
Category: Board Governance
Tags: Third-party risk, Supply chain security, Vendor management, Board governance, NIS2, DORA
> "A chain is only as strong as its weakest link, and modern organizations have thousands of links."
> — Adapted from cybersecurity principle
In January 2024, a healthcare technology vendor suffered a ransomware attack that encrypted patient records for 450 hospitals across three countries. The hospitals themselves had robust security programs. Their networks were monitored, their endpoints protected, their staff trained.
None of it mattered.
The attack came through a trusted vendor—a medical billing platform with privileged access to core systems. The vendor's security was adequate for their size. It was not adequate for their position in critical infrastructure supply chains.
The Procurement Fallacy
Third-party cyber risk used to be treated as a procurement issue.
A vendor questionnaire was sent. A few controls were checked. The contract was signed. The organization moved on.
That approach no longer matches reality.
Today, companies are deeply dependent on cloud platforms, SaaS providers, managed service partners, outsourced development teams, data processors, and increasingly AI vendors. In many cases, the organization's ability to operate depends not just on its own security posture, but on the resilience, discipline, and judgment of external partners.
That is why third-party cyber risk is no longer a vendor-management subcategory. It is a board-level strategy problem.
The Concentration Risk No One Sees
The issue is not simply whether a supplier is "secure." The issue is structural dependency.
If one vendor fails, what stops? If a concentration risk emerges, what becomes fragile? If an external platform changes terms, suffers a breach, or experiences an outage, how exposed is the business model?
Consider this: How many critical systems in your organization rely on the same cloud provider? How many different vendors have administrative access to your identity systems? What happens if your primary payment processor goes offline for 24 hours?
This is where leadership teams often underestimate the challenge. They review security by control domain, but experience disruption through dependency chains.
Five Questions for the Board
A board that wants a more realistic view should ask:
1. Which third parties are operationally critical? Not just which vendors cost the most, but which ones could stop the business if they failed.
2. Where are we over-concentrated? Are we betting the company on a single vendor for a critical function?
3. What data and decision flows leave the organization? Do we know what information each vendor can access, modify, or export?
4. Which suppliers have become effectively irreplaceable? Could we switch vendors in 30 days if we had to?
5. What is our contingency plan if one of them fails badly? Not their disaster recovery plan. Ours.
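These questions are answered by a dependency map rather than a vendor list, and the map has to include the fourth parties your vendors run on, because that is where the concentration usually hides. The following Python sketch is an added illustration, not part of the original article: the service inventory, vendor names and vendor-to-vendor dependencies are constructed sample data, and it computes, for each vendor, which business services stop if that vendor fails, ranked by how many critical services are in the blast radius.

```python
from collections import defaultdict, deque

# Constructed sample inventory with hypothetical vendor names; not real companies.
# Each business service lists the vendors it depends on directly.
SERVICES = {
    "patient-billing": {"vendors": {"BillCo"}, "critical": True},
    "ehr":             {"vendors": {"RecordsSaaS"}, "critical": True},
    "sso":             {"vendors": {"IdP-Inc"}, "critical": True},
    "payroll":         {"vendors": {"PayVendor"}, "critical": False},
    "marketing-site":  {"vendors": {"WebHost"}, "critical": False},
}

# Vendor -> vendors it runs on (fourth parties), as learned from due-diligence answers.
# Note that no service names CloudA directly; it only appears one hop down.
VENDOR_DEPS = {
    "BillCo":      {"CloudA"},
    "RecordsSaaS": {"CloudA", "IdP-Inc"},
    "IdP-Inc":     {"CloudA"},
    "PayVendor":   {"CloudB"},
    "WebHost":     {"CloudB"},
}


def all_vendors():
    """Every vendor named anywhere, whether contracted directly or not."""
    names = set(VENDOR_DEPS)
    for deps in VENDOR_DEPS.values():
        names |= deps
    for svc in SERVICES.values():
        names |= svc["vendors"]
    return names


def dependents_index():
    """Reverse the dependency graph: vendor -> set of vendors that depend on it."""
    idx = defaultdict(set)
    for vendor, deps in VENDOR_DEPS.items():
        for dep in deps:
            idx[dep].add(vendor)
    return idx


def failure_closure(failed, idx=None):
    """All vendors that stop if `failed` stops, including `failed` itself.

    Breadth-first search over the reversed edges, so a cloud provider's
    closure contains every SaaS vendor that runs on it, transitively.
    """
    if idx is None:
        idx = dependents_index()
    seen = {failed}
    queue = deque([failed])
    while queue:
        vendor = queue.popleft()
        for dependent in idx[vendor]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def impacted_services(failed):
    """Business services that stop when `failed` stops, via any dependency chain."""
    closure = failure_closure(failed)
    return sorted(name for name, svc in SERVICES.items() if svc["vendors"] & closure)


def blast_radius_ranking():
    """(vendor, critical services hit, total services hit), most dangerous first."""
    rows = []
    for vendor in all_vendors():
        hit = impacted_services(vendor)
        critical = sum(1 for s in hit if SERVICES[s]["critical"])
        rows.append((vendor, critical, len(hit)))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def hidden_concentration(min_critical=2):
    """Vendors no service names directly, yet whose failure takes out
    at least `min_critical` critical services. These never appear on a
    procurement-driven vendor list."""
    direct = set().union(*(svc["vendors"] for svc in SERVICES.values()))
    return sorted(
        vendor for vendor, critical, _ in blast_radius_ranking()
        if vendor not in direct and critical >= min_critical
    )


if __name__ == "__main__":
    for vendor, critical, total in blast_radius_ranking():
        print(f"{vendor:12s} critical={critical} total={total}")
    print("hidden concentration:", hidden_concentration())
```

On this constructed data the top of the ranking is not any vendor the organization signed a contract with: CloudA takes out all three critical services through three different direct vendors, which is exactly the concentration a control-domain review of each vendor in isolation would never surface.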
The Regulatory Reality
The European Union's NIS2 Directive, which member states were due to transpose into national law by October 2024, explicitly requires in-scope entities to address supply chain security, including the security of their relationships with direct suppliers and service providers. The Digital Operational Resilience Act (DORA), applicable since January 2025, imposes ICT third-party risk management obligations on financial entities and brings critical ICT third-party service providers under direct supervisory oversight.
In the United States, the Securities and Exchange Commission's 2023 cybersecurity disclosure rules require registrants to disclose material cybersecurity incidents and to describe how they assess and manage cyber risk, expressly including risks associated with the use of third-party service providers, and how the board oversees that risk.
The message from regulators is clear: vendor risk is your risk.
Beyond Due Diligence
This is not anti-vendor thinking. Modern business depends on ecosystems. The point is not to eliminate dependence, but to govern it honestly.
In my cybersecurity work, I have long argued that trust should not be confused with assumption. The same principle applies here. Third-party relationships deserve the same seriousness as internal systems because, in practice, they are part of the system.
The organizations that handle this well do not stop at due diligence. They map dependency, prioritize resilience, assign accountability, and revisit assumptions before the next disruption forces the conversation.
The Bottom Line
Third-party cyber risk is strategic because business dependency is strategic.
The board's job is not to panic about that fact. It is to see it clearly enough to act on it.
Action items for this quarter:
- Map your top 10 critical vendors and their interdependencies
- Review your vendor assessment process—does it match the risk?
- Test your response plan for a major vendor breach
Originally appeared in "The Book on Cybersecurity" (2023)