The repercussions of data breaches can impact third parties long after the original attack. That’s what happened recently with Wisconsin Physicians Service Insurance Corporation (WPS), a third-party vendor of Centers for Medicare & Medicaid Services (CMS).
As a result, CMS recently had to notify beneficiaries that their health information may have been exposed in the MOVEit breach, even though the exploitation took place in 2023. WPS had investigated right after the MOVEit Transfer vulnerability was disclosed and concluded that its own instance had not been exploited. After receiving new information about the breach in May of this year, however, the vendor found evidence that the vulnerability had in fact been exploited and that personal information had potentially been exposed.
This incident emphasizes the importance of continuous monitoring in third-party risk management and the complexity of the supply chain.
How the Cyber Threat Landscape Takes Advantage of Vendor Networks
As the CMS incident illustrates, cybercriminals exploit the fact that smaller third parties serving large, well-established enterprises often lack the security resources and awareness of their customers, and so are easier to compromise. Attacks have become more complex, making vendor risk management critical. Complex supply chains, in which organizations cannot always identify their third, fourth, and fifth parties, make vulnerability management harder still. Yet many organizations still have inadequate third-party risk management practices in place.
The Expanding Attack Surface of Third-Party Vendors
Digital transformation, cloud services, and the use of AI in delivered services give attackers more ways into poorly secured networks and systems than in the past. For example, as organizations adopt newer technologies they often integrate them with legacy systems, which introduces vulnerabilities that are harder to patch. Automated, increasingly AI-assisted scanning also lets cybercriminals sweep public cloud environments at scale for exposed services with easily exploited weaknesses. Combined with how easily organizations switch vendors, these trends make it increasingly hard to maintain consistent security across every third-party relationship.
Emerging Cyber Threat Landscape for Third-Party Vendors
At the same time that new technologies have expanded the attack surface and given cybercriminals more opportunities, the threats themselves have become more sophisticated.
Emerging threats across third-party vendors include:
- Supply chain attacks. Cybercriminals target companies that supply services to many other companies (e.g. MSPs and IT providers) so that a single compromise reaches many victims. IoT and other hardware devices built by third parties may also ship with tampered firmware that installs malware on hundreds or thousands of systems and steals sensitive data.
- Ransomware-as-a-Service (RaaS). The proliferation of cheap ransomware kits on the dark web, the professionalization of ransomware gangs, and generative AI have made it easier for less skilled actors to launch attacks. Against healthcare organizations, ransomware can disrupt critical medical services.
- Insider threats from vendors. These may stem from contractor error, such as a misconfiguration, accidental data loss or deletion, or poor practices such as sharing one password among several users. They may also come from vendor staff with financial or criminal motives who do not go through the same vetting as the organization's full-time employees and so are more likely to slip through the cracks.
- Software supply chain attacks and dependencies. Heavy reliance on third-party SaaS and cloud software means that a vulnerability in shared code, or a faulty update pushed to it, hits hundreds of well-established organizations at once. The July 2024 CrowdStrike incident, a defective content update rather than an attack, showed how far a single vendor's change can propagate.
- Cloud security vulnerabilities. Under the shared responsibility model, the cloud provider secures the underlying infrastructure while the customer (or third-party vendor) secures its own data, identities, and applications. Missing controls on the customer or vendor side lead to data breaches, data loss or erasure, and supply chain attacks, especially since cloud providers themselves outsource services such as networking and data centers (making those suppliers fourth parties to the customer).
- IoT devices. These devices are often designed with functionality prioritized over security, so encryption, multi-factor authentication, and vulnerability patching are afterthoughts. When operated by third parties with limited security resources and awareness, they make a particularly attractive entry point for attackers.
- Data privacy violations. Third parties that process, store, and transmit sensitive data are subject to regulations such as GDPR and CCPA that demand greater privacy for consumers. This is compounded when data crosses geographic regions and must satisfy multiple regulations for different industries and types of consumers.
- Advanced Persistent Threats (APTs). State-sponsored actors target third parties to maintain a foothold over an extended period. For example, they may compromise a third party's network and use its trusted connectivity to move laterally into the main organization's IT infrastructure, which is difficult to detect in time.
- Deepfake and social engineering attacks. AI-generated voice and video let attackers convincingly impersonate employees or C-level executives to trick staff into divulging information, approving fraudulent contracts or payments, or granting access to restricted systems and networks.
- Zero-day exploits. Attackers exploit previously unknown vulnerabilities before developers and third-party providers can identify and patch them. Even after a patch exists, attackers take advantage of third parties that are slow to apply it and strike during that delay.
- Third-party credential theft. Attackers steal or phish the credentials of a trusted vendor and use the access that well-established brands have granted it, bypassing security controls aimed at outsiders. This lets them carry out data breaches and supply chain attacks and disrupt critical systems the organization relies on to operate.
- Regulatory non-compliance risks. These include breach of contract, data privacy violations, and financial penalties for the organization, all of which erode trust in the brand. Even when the violation originates with a third party, the organization that owns the customer relationship is typically the one fined and the one whose reputation suffers.
The Ripple Effect of Third-Party Vendor Breaches
Data breaches affect not only the organization directly but also its third-party vendors and, potentially, the entire supply chain. The impact, whether financial, reputational, legal, or operational, may not be felt immediately but may take months or even years to surface. In many cases a data breach is only the first step of a wider, more serious incident targeting the organization.
Interruption of Services
Data breaches can lead to widespread operational disruption, as in the recent case of CDK Global, a software provider for car dealerships. After discovering it had been breached, the company shut down its systems. A day later, a second attack prompted it to shut them down again. During both outages, many of the roughly 15,000 dealerships that rely on CDK were unable to access records, complete transactions, handle repair orders, or schedule appointments. Losses to dealers in the first two weeks after the attack were estimated at $605 million.
Reputational Damage and Loss of Trust
Another effect of data breaches is reputational damage, which can be seen in the 5% fall in Uber's stock price after it suffered its third data breach in six months. The drop reflected the damage to the brand among both consumers and prospective employees after repeated breaches over the years.
The most significant of those breaches, in September 2022, began with a contractor's compromised credentials. The attacker used them to reach credentials for the company's Privileged Access Management (PAM) tool and from there gained administrative access to many internal systems, including Google Workspace, AWS, VMware, and the XDR console.
Legal and Financial Consequences
Data breaches originating from third-party vendors also bring significant fines and legal consequences for the primary organization, and the fines can arrive years after the event. Morgan Stanley failed to properly decommission IT equipment from two data centers in 2016 and from local offices again in 2019. Devices that still held unencrypted customer data were resold and could have been read by unauthorized parties. For failing to follow proper data protection practices, Morgan Stanley was fined $60 million, and it also bore the legal costs that followed.
Increased Regulatory Scrutiny
After last year's MOVEit supply chain attack and its wide impact on third parties across industries, regulators have paid closer attention to how companies handle third-party incidents. The Securities and Exchange Commission (SEC) cybersecurity disclosure rules adopted in 2023 require public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that it is material, regardless of whether the incident began at a vendor. The Federal Trade Commission (FTC) amended its Safeguards Rule, which requires non-banking financial institutions such as car dealerships and payday lenders to protect customer information, to add a requirement to notify the FTC of breaches affecting 500 or more consumers.
Cascading Cybersecurity Risks
Because a breach may expose unencrypted data, credentials, application source code, or files that reveal exploitable weaknesses, it can set up more serious follow-on attacks such as ransomware, man-in-the-middle (MiTM) attacks, SQL injection, and exploitation of the disclosed vulnerabilities. These secondary attacks affect not only the primary organization but also third parties, suppliers, and vendors across the supply chain.
Best Practices for Addressing the Cyber Threat Landscape
Alongside these challenges, organizations rely on third parties for more and more critical services, which widens their exposure. You can still take steps to mitigate and defend against these attacks, even as you onboard new vendors.
Here’s how:
Vendor Risk Assessment and Due Diligence
Due diligence typically happens before an organization decides to enter a business relationship with a third party. A due diligence questionnaire sent to prospective vendors helps evaluate future risk by asking about the vendor's security and compliance policies, its investment in security, and its current legal and business contracts. It is an important tool for making sound strategic decisions about business growth and operations.
After an organization has taken on new vendors, a vendor risk assessment becomes necessary.
Vendor risk assessment starts with taking inventory of your third parties and classifying them into risk tiers. You can then evaluate the inherent risk of each vendor in more depth and take the appropriate steps to mitigate it. Third-party cyber risk management platforms such as Panorays also assign each vendor a risk score that can be tuned to the company's risk appetite.
Continuous Monitoring and Auditing
Because both the threat landscape and any organization's IT infrastructure change frequently, it is important to monitor and audit vendor risk continuously to detect new vulnerabilities or compliance issues that threaten your security. Automated tools with real-time insights and alerts help ensure these risks are handled proactively and at regular intervals.
Strengthening Contracts and SLAs
Service Level Agreements (SLAs) should name the specific regulations and standards the third party must adhere to, such as PCI DSS, the NIST CSF, GDPR, or CCPA. They should also spell out the steps the vendor must take for data protection, incident response, and breach notification, and give the organization the right to audit the vendor after an incident or at regular intervals. Expectations for security performance must be stated explicitly, such as the acceptable time frame for patching vulnerabilities and for responding to incidents. If the vendor cannot meet these requirements, the contract must give the organization a process for terminating the agreement.
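The tiering step described under vendor risk assessment and the patch-window expectations described for SLAs can be checked mechanically once both are written down. The following is an added example for this page, not Panorays code. The vendor attributes, tier weights, SLA windows, vendor names, and findings are all constructed and illustrative; a real program would read the inventory from your vendor register, the windows from the signed contract, and the findings from the vendor's vulnerability reports or your external scans.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Added example for this page, not Panorays code. Tier weights and SLA
# windows below are assumptions to be replaced with your own risk appetite.


@dataclass(frozen=True)
class Vendor:
    name: str
    handles_pii: bool        # stores or processes personal or health data
    network_access: bool     # holds VPN, API or privileged access into your environment
    business_critical: bool  # an outage would stop a core business process


def inherent_tier(v: Vendor) -> str:
    """Classify a vendor by inherent risk, before any questionnaire evidence.

    Weights are assumed: data and network access count more than criticality alone.
    """
    score = 2 * v.handles_pii + 2 * v.network_access + 1 * v.business_critical
    if score >= 4:
        return "critical"
    if score >= 2:
        return "high"
    return "low"


# Maximum days a vendor in each tier may take to patch a finding of each
# severity (assumed SLA values; write the real ones into the contract).
PATCH_SLA_DAYS = {
    "critical": {"critical": 7,  "high": 14, "medium": 30},
    "high":     {"critical": 14, "high": 30, "medium": 60},
    "low":      {"critical": 30, "high": 60, "medium": 90},
}


@dataclass(frozen=True)
class Finding:
    vendor: str
    finding_id: str          # constructed label, not a real CVE identifier
    severity: str            # "critical" | "high" | "medium"
    disclosed: date          # when the vendor was notified or the advisory published
    patched: date | None     # None while the finding is still open


def sla_breaches(vendors: list[Vendor], findings: list[Finding], today: date) -> list[dict]:
    """Return every finding that was, or still is, patched later than its SLA window."""
    tier_of = {v.name: inherent_tier(v) for v in vendors}
    breaches = []
    for f in findings:
        window = PATCH_SLA_DAYS[tier_of[f.vendor]][f.severity]
        deadline = f.disclosed + timedelta(days=window)
        closed_on = f.patched or today           # open findings are measured as of today
        if closed_on > deadline:
            breaches.append({
                "vendor": f.vendor,
                "finding": f.finding_id,
                "tier": tier_of[f.vendor],
                "days_late": (closed_on - deadline).days,
                "still_open": f.patched is None,
            })
    # Worst first: open findings, then by how far past the deadline they are.
    breaches.sort(key=lambda b: (not b["still_open"], -b["days_late"]))
    return breaches


# Constructed sample data: vendor names, dates and finding labels are invented.
SAMPLE_VENDORS = [
    Vendor("ClaimsCo",  handles_pii=True,  network_access=True,  business_critical=True),
    Vendor("FileXfer",  handles_pii=True,  network_access=False, business_critical=False),
    Vendor("SwagPrint", handles_pii=False, network_access=False, business_critical=False),
]
SAMPLE_FINDINGS = [
    Finding("ClaimsCo",  "VULN-1", "critical", date(2024, 8, 1), date(2024, 8, 5)),
    Finding("ClaimsCo",  "VULN-2", "high",     date(2024, 8, 1), None),
    Finding("FileXfer",  "VULN-3", "critical", date(2024, 7, 1), date(2024, 7, 20)),
    Finding("SwagPrint", "VULN-4", "medium",   date(2024, 6, 1), None),
]


def run_example(today: date = date(2024, 9, 1)) -> list[dict]:
    """Evaluate the constructed sample against the assumed SLA windows."""
    return sla_breaches(SAMPLE_VENDORS, SAMPLE_FINDINGS, today)


if __name__ == "__main__":
    for b in run_example():
        state = "OPEN" if b["still_open"] else "closed"
        print(f'{b["vendor"]:<10} {b["finding"]} tier={b["tier"]} {b["days_late"]} days late ({state})')
```

Two details matter in practice. Open findings are measured against today, so a critical-tier vendor that has simply gone quiet shows up as a breach rather than disappearing from the report, and the ordering puts those open items first because they are the ones the contract's escalation or termination clause applies to. A closed-but-late finding (FileXfer above) is still worth recording, since a pattern of late patching is evidence for the next review.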
Risk Management Tools That Identify Cyber Threats
Beyond the steps above, you can also implement different risk management tools to assist in monitoring and defending against third-party risks.
These include:
- Automated third-party risk assessments that send vendors dynamic cybersecurity questionnaires tailored to their industry and the regulations they must comply with.
- Risk scoring calculated from external data, internal questionnaires, and the unique and evolving business context of each vendor.
- Vendor inventory mapping that identifies third, fourth, and n-th party vendors for greater visibility into your supply chain.
- Continuous monitoring that alerts you to changes in a vendor's security posture, whether from changes to its network and services or from a recent data breach or other security incident.
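The n-th party mapping item above, and the WPS/MOVEit story that opens this page, describe the same question: when a supplier deep in the chain is compromised, which of your direct vendors carry that exposure to you? Once the supplier relationships are written down as a graph, answering it is a traversal. The following is an added example for this page, not Panorays code. The graph and every vendor name in it are constructed; in practice the edges come from questionnaires, contracts, and external discovery, and the map is never complete, which is exactly why the page stresses discovery.

```python
from collections import deque

# Added example for this page, not Panorays code. The supplier graph is
# constructed; real edges come from questionnaires, contracts and discovery.

# consumer -> set of suppliers it depends on ("us" is your own organization)
SUPPLY_GRAPH = {
    "us":                  {"ClaimsCo", "PayrollSaaS", "SwagPrint"},
    "ClaimsCo":            {"FileTransferProduct", "CloudHost"},
    "PayrollSaaS":         {"CloudHost", "IdentityProvider"},
    "SwagPrint":           set(),
    "FileTransferProduct": set(),
    "CloudHost":           {"DataCenterOps"},
    "IdentityProvider":    set(),
    "DataCenterOps":       set(),
}


def party_depth(root, graph):
    """Breadth-first distance from root: 1 = third party, 2 = fourth party, 3 = fifth."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for supplier in graph.get(node, ()):
            if supplier not in depth:
                depth[supplier] = depth[node] + 1
                queue.append(supplier)
    return depth


def exposure_paths(root, compromised, graph):
    """Every dependency chain from root down to the compromised supplier."""
    paths = []

    def walk(node, path, seen):
        if node == compromised:
            paths.append(path)
            return
        for supplier in sorted(graph.get(node, ())):
            if supplier not in seen:            # guard against cycles in messy inventories
                walk(supplier, path + [supplier], seen | {supplier})

    walk(root, [root], {root})
    return paths


def exposed_third_parties(root, compromised, graph):
    """Your direct vendors that carry exposure, with the shortest hop count to the compromise."""
    result = {}
    for path in exposure_paths(root, compromised, graph):
        if len(path) < 2:                       # root itself is the compromised party
            continue
        third_party, hops = path[1], len(path) - 1
        result[third_party] = min(hops, result.get(third_party, hops))
    return dict(sorted(result.items()))


if __name__ == "__main__":
    # Constructed scenario: a shared hosting provider two hops away is breached.
    breached = "CloudHost"
    print(f"{breached} sits at depth {party_depth('us', SUPPLY_GRAPH)[breached]} from us")
    for vendor, hops in exposed_third_parties("us", breached, SUPPLY_GRAPH).items():
        print(f"  notify {vendor}: exposure {hops} hops away")
    for path in exposure_paths("us", breached, SUPPLY_GRAPH):
        print("  chain:", " -> ".join(path))
```

The useful output is not the depth number but the list of direct vendors to question and the chain that explains why each is on the list; that is the evidence you need to reopen an assessment with a vendor that, like WPS in the opening story, initially reports no impact. Running the same query for a direct third party (SwagPrint) returns that vendor alone at one hop, and for an unknown supplier returns nothing, which is itself a signal that the inventory has a gap.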
Cybersecurity Frameworks for Vendor Management
Many organizations also build their security programs on internationally recognized standards such as the NIST Cybersecurity Framework, HITRUST, the CIS Controls, and ISO 27001. These frameworks let organizations standardize vendor management across industries and build customer trust, since many companies will only do business with vendors that follow recognized guidelines. They also help vendors avoid penalties for non-compliance while strengthening their security practices and reducing the risk of data breaches and other incidents.
The Importance of Monitoring the Cyber Threat Landscape
As third-party risks in the cyber threat landscape continue to evolve, so do your organization's IT infrastructure and the regulatory standards it must meet. Proactive risk management therefore requires significant, often complex collaboration between vendors, organizations, and other parties, and a one-size-fits-all approach to risk assessment does not work.
Panorays delivers a contextual and business approach to third-party cyber risk that shapes cybersecurity measures for every business relationship.
Its comprehensive approach includes:
- Supply Chain Discovery. Identifying third, fourth, and n-th parties, including Shadow IT to give you greater visibility into your supply chain.
- Attack Surface Monitoring. Continuously assess risks over your entire attack surface and address third-party risks quickly, according to the level of risk criticality.
- Consolidated risk assessments. Internal and external risk assessments with AI-powered auto-completing questionnaires based on past questionnaires, documentation, and certificates to enable the most accurate third-party risk profiles, without having to rely on third parties to give you the information that you need.
- Effortless remediation and collaboration. Get customized, step-by-step remediation plans prioritized according to the risks that affect you the most, automated as much as possible to ensure minimal dependence on third parties.
Ready to proactively defend against the third-party risks in your cyber threat landscape? Get a demo of our third-party risk management platform today.
Cyber Threat Landscape FAQs
- The threat landscape refers to the potential risks of cyberattacks facing an industry, organization, or group. These risks may be known or unknown and shift with economic and political events, emerging technologies, and the growing adoption of third-party vendors.
- For example, the threat landscape for the healthcare industry includes state-sponsored actors, disgruntled employees who pose an insider threat, and cybercriminals seeking financial gain. It also spans attack vectors such as ransomware, data breaches, phishing, supply chain attacks, and vulnerabilities in medical IoT devices.