Newsletter · Edition #7 · Third-party risk · 4 min read

Vendor risk: the breach that starts in someone else’s network

Your data doesn’t care whose logo is on the door it walks out of.

Some of the most damaging breaches never touch the victim’s own systems first. They start at a vendor with access, weaker controls, and your data. Third-party risk is now first-party risk.

Access is the exposure

Every vendor with a login, an API key or a copy of your data extends your attack surface. If you don’t know which vendors hold personal or regulated data, you can’t scope your own risk — or answer for it under DPDP, PCI or RBI expectations.

Due diligence that isn’t theatre

A one-time questionnaire at onboarding ages badly. Tier vendors by the data and access they hold, reassess the critical ones periodically, and bake security and breach-notification obligations into contracts. Focus effort where a vendor failure actually hurts.

The bottom line

Inventory who has your data, tier by impact, and reassess the ones that matter. You’re accountable for their lapses too.

Get the next edition in your inbox

Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.
