Newsletter · Edition #7 · Third-party risk · 4 min read
Vendor risk: the breach that starts in someone else’s network
Your data doesn’t care whose logo is on the door it walks out of.
Some of the most damaging breaches never touch the victim’s own systems first. They start at a vendor with access, weaker controls, and your data. Third-party risk is now first-party risk.
Access is the exposure
Every vendor with a login, an API key or a copy of your data extends your attack surface. If you don’t know which vendors hold personal or regulated data, you can’t scope your own risk — or answer for it under DPDP, PCI or RBI expectations.
Due diligence that isn’t theatre
A one-time questionnaire at onboarding ages badly. Tier vendors by the data and access they hold, reassess the critical ones periodically, and bake security and breach-notification obligations into contracts. Focus effort where a vendor failure actually hurts.
The bottom line
Inventory who has your data, tier by impact, and reassess the ones that matter. You’re accountable for their lapses too.
Get the next edition in your inbox
Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.
