Supply chain attacks remain the #1 breach vector in the public imagination for a reason: when you outsource work, you also outsource exposure. Yet many organisations still treat third-party risk like a checkbox exercise: collect a questionnaire, file the score, renew next year. This post reframes third-party risk as measurable liability with financial, operational, and reputational consequences you can (and should) quantify.
Below, we unpack what high-profile vendor breaches reveal, why traditional assessment methods fall short, how to adopt continuous vendor risk monitoring and liability quantification, how to translate vendor risk to board-level metrics (dollars, downtime, fines), and which contract and cyber-insurance moves strengthen your position.
What SolarWinds and MOVEit really revealed
Two of the most consequential supply chain events of the past few years, SolarWinds and MOVEit, share a through-line: the true blast radius isn’t visible from a vendor’s self-attestation. It shows up later as disclosure obligations, litigation, forensics spend, and regulatory scrutiny.
- SolarWinds (2020+): In 2023 the U.S. Securities and Exchange Commission (SEC) charged SolarWinds and its CISO with fraud and internal-control failures tied to allegedly known cybersecurity risks and misleading disclosures. Whether or not the litigation ultimately proves the claims, the message to public companies and their suppliers is unmistakable: representations about cyber risk are securities disclosures, and weak controls/oversight can become a governance and legal liability.
- MOVEit (2023+): A zero-day in Progress Software’s MOVEit file-transfer platform cascaded worldwide. Public tallies estimate thousands of organisations and tens of millions of individuals impacted, with waves of secondary victim notifications months later. This was a single vendor’s component used across ecosystems, demonstrating how fourth- and fifth-party dependencies turn a niche product bug into sector-wide exposure.
Zooming out, macro studies reinforce the vendor theme. Verizon’s 2025 DBIR analysed 22,052 incidents and 12,195 breaches; commentary on the 2025 edition highlights third-party involvement doubling to around 30% of breaches, with vulnerability exploitation surging—exactly the pattern seen in MOVEit-style events.
And when breaches happen, costs are rising. IBM’s 2025 Cost of a Data Breach report (and the 2024 edition) details average breach costs trending upwards, with third-party incidents identified as a key cost amplifier. Third-party incidents don’t just “touch” your compliance posture; they reshape your legal, financial, and operational risk profile.
Why Questionnaires and Static Scores Fall Short
Traditional vendor risk inputs—SIG questionnaires, ISO mappings, SOC reports, and external ratings—are still useful, but they’re point-in-time and often self-reported. The limitations are well-documented:
- Bias and staleness. Self-assessments depend on respondent honesty and may be outdated by the time you review them.
- Observable vs. unobservable controls. External scans see perimeter hygiene, not identity governance, backup immutability, or incident response maturity.
- Operational velocity. Modern attacks move faster than annual recertifications. Risk posture can change weekly with new vulnerabilities, misconfigurations, or staffing churn.
- Market shift. Analyst and market guidance show programs migrating from siloed, static questionnaires to platforms with integrated workflows and continuous monitoring. (Isora GRC)
Simply put, questionnaires are necessary but insufficient. They offer a baseline, not a live risk picture.
From Due Diligence to Continuous Monitoring (and Quantifying Liability)
Adopt Continuous Vendor Risk Monitoring
A modern program blends periodic assessments (depth) with continuous monitoring (timeliness). Continuous monitoring streams external signals (exposed services, TLS issues, leaked credentials, ransomware leak sites), while periodic assessments verify non-observable controls (privileged access management, secure SDLC, backup testing).
Standards bodies encourage this lifecycle view. NIST SP 800-161 Rev.1 lays out a multilevel supply-chain risk management approach across enterprise, mission, and operational tiers. CISA’s Secure-by-Design initiative and SBOM guidance push transparency and vendor accountability, giving acquirers concrete artefacts to request and monitor.
Measure the Liability, not Just the Compliance
To move beyond red/yellow/green, use Cyber Risk Quantification (CRQ). The FAIR model (Factor Analysis of Information Risk) is the leading standard for quantifying cyber risk in financial terms—probable event frequency multiplied by probable loss magnitude, so you can compare vendor scenarios like any other enterprise risk. FAIR also offers extensions for control analytics (FAIR-CAM) and materiality assessment (FAIR-MAM).
The Open Group’s Open FAIR body of knowledge provides the taxonomy and analysis steps; many boards now expect this style of analysis, not heat maps.
How this plays out: for a critical SaaS vendor, you can estimate a one-year expected loss from a ransomware data-exfiltration scenario by combining (a) control efficacy and threat activity (frequency) with (b) loss components (forensics, customer notification, downtime, regulatory fines, legal and settlement). That expected loss becomes an input to buy-down decisions: additional controls, contract changes, or insurance limits.
Tie Vendor Risk Directly to Board-Level Metrics
Boards care about dollars, downtime, and disclosure—not checkbox completion rates. Frameworks from NACD and the World Economic Forum emphasise quantification and actionable dashboards.
Here’s a pragmatic mapping:
- Dollars (Expected Loss / Value at Risk): Use FAIR to express the annualised loss expectancy (ALE) for your top ten vendors by critical business service. Summarise with tornado charts (largest contributors to probable loss), and show how specific remediations or contract clauses reduce the distribution’s tail. (fairinstitute.org)
- Downtime (Service-level impact): Tie vendor incidents to RTO/RPO commitments. Track mean time to recover from third-party disruptions and show the cost of missed SLAs (lost revenue, overtime, penalties). NACD’s guidance encourages boards to oversee resilience metrics, not just prevention.
- Fines (Regulatory exposure): Translate breach scenarios into GDPR and NIS2 ranges. For personal-data exposure in the EU, the upper tier under GDPR reaches €20M or 4% global turnover; NIS2 fines can reach €10M or 2%, with executive accountability—numbers boards instantly grasp.
- Disclosure (Securities/market risk): For listed companies, the SEC’s 2023 rules require disclosure of material cyber incidents within four business days of determining materiality, and periodic disclosure of risk management. Material third-party incidents can trigger Item 1.05 filings; enforcement posture has been active.
Bottom line for boards: treat third-party cyber as financially modelled risk with clear remediation ROI and insurance alignment, not as a compliance tally.
Best Practices that Actually Reduce Measurable Vendor Liability
Upgrade your Vendor Intake and Monitoring
- Map critical dependencies. Maintain a register of third, fourth, and (where feasible) fifth parties tied to your critical business services. Tie each vendor to a service owner, recovery targets, data classification, and geo/regulatory footprint (e.g., EU personal data). Guidance from NIST 800-161R1 and ISO/IEC 27036 supports end-to-end supplier risk integration.
- Blend periodic assessments with continuous telemetry. Keep questionnaires for governance and non-observable controls; pair them with continuous monitoring for exposed risk changes. This “both/and” model is now widely recommended.
- Request SBOMs for critical software vendors. CISA’s 2024 SBOM guidance (and subsequent 2025 updates) provides baselines for software component transparency. This is vital for rapid response to dependency vulnerabilities like MOVEit-class flaws.
- Secure-by-Design proof points. Ask suppliers how they align with CISA/NSA “Secure-by-Design” guidance: memory-safe languages roadmap, default MFA, secure-config by default, exploit-resistant logging/telemetry. Use their answers in your CRQ inputs.
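To make the SBOM request above pay off, you need a way to answer “which of our critical vendors ship the affected component?” within minutes of a new advisory. The following is an added example, not code from the original post or from CISA: it reads constructed CycloneDX-style SBOMs (the field names `bomFormat`, `metadata.component`, `supplier`, `components`, `purl` are real CycloneDX JSON keys; the vendors, product names, component names, versions and advisory identifiers are all invented), matches each component against a constructed advisory feed by package URL and version range, and also computes the “percentage of critical vendors providing SBOMs” metric that belongs in the board pack.

```python
import json

# Constructed CycloneDX-style SBOMs. Field names follow CycloneDX; every vendor,
# product, component, and version below is invented for illustration.
VENDOR_SBOMS = [json.dumps(doc) for doc in (
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"name": "PayrollCloud", "version": "7.4.0",
                                "supplier": {"name": "Example Vendor A"}}},
     "components": [
         {"type": "library", "name": "filetransfer-core", "version": "2.1.3",
          "purl": "pkg:generic/filetransfer-core@2.1.3"},
         {"type": "library", "name": "xmlparse", "version": "5.0.2",
          "purl": "pkg:generic/xmlparse@5.0.2"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"name": "ClaimsPortal", "version": "3.2.1",
                                "supplier": {"name": "Example Vendor B"}}},
     "components": [
         {"type": "library", "name": "filetransfer-core", "version": "2.2.0",
          "purl": "pkg:generic/filetransfer-core@2.2.0"},
         {"type": "library", "name": "authlib", "version": "1.9.0",
          "purl": "pkg:generic/authlib@1.9.0"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"name": "DocVault", "version": "11.0.4",
                                "supplier": {"name": "Example Vendor C"}}},
     "components": [
         {"type": "library", "name": "xmlparse", "version": "4.8.9",
          "purl": "pkg:generic/xmlparse@4.8.9"}]},
)]

# Constructed advisory feed: package URL (without version) -> affected range
# [introduced, fixed). The advisory ids are placeholders, not real identifiers.
ADVISORIES = {
    "pkg:generic/filetransfer-core": {"id": "ADV-EXAMPLE-0001", "introduced": "2.0.0", "fixed": "2.2.0"},
    "pkg:generic/xmlparse":          {"id": "ADV-EXAMPLE-0002", "introduced": "0",     "fixed": "5.0.0"},
}

# Critical-vendor register entries (constructed); Vendor D has not supplied an SBOM.
CRITICAL_VENDORS = ["Example Vendor A", "Example Vendor B", "Example Vendor C", "Example Vendor D"]


def version_key(version):
    """Turn '2.1.3' into (2, 1, 3) so tuples compare numerically; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def in_affected_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def purl_base(purl):
    """Strip the '@version' suffix from a package URL."""
    return purl.split("@", 1)[0]


def triage(sbom_json, advisories=ADVISORIES):
    """Return one finding per component in the SBOM that falls inside an advisory's range."""
    sbom = json.loads(sbom_json)
    product = sbom["metadata"]["component"]
    vendor = product.get("supplier", {}).get("name", "unknown")
    findings = []
    for comp in sbom.get("components", []):
        adv = advisories.get(purl_base(comp.get("purl", "")))
        if adv and in_affected_range(comp["version"], adv["introduced"], adv["fixed"]):
            findings.append({"vendor": vendor, "product": product["name"],
                             "component": comp["name"], "version": comp["version"],
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


def exposure_report(sboms=VENDOR_SBOMS, advisories=ADVISORIES):
    """All findings across every vendor SBOM we hold."""
    return [f for s in sboms for f in triage(s, advisories)]


def sbom_coverage(critical_vendors=CRITICAL_VENDORS, sboms=VENDOR_SBOMS):
    """Fraction of critical vendors that have supplied an SBOM (a board-pack metric)."""
    suppliers = {json.loads(s)["metadata"]["component"]["supplier"]["name"] for s in sboms}
    return sum(v in suppliers for v in critical_vendors) / len(critical_vendors)


if __name__ == "__main__":
    for f in exposure_report():
        print(f"{f['vendor']:<17} {f['product']:<13} {f['component']}@{f['version']} "
              f"-> {f['advisory']} (fixed in {f['fixed_in']})")
    print(f"SBOM coverage of critical vendors: {sbom_coverage():.0%}")
```

The version comparison is deliberately simple (dotted integers only); production use would need the ecosystem’s own version semantics, which is one reason the purl type matters when you request SBOMs.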
Put Teeth in Contracts (and Show the ROI)
Stronger paper directly reduces expected loss and improves claims posture. Consider the following (with counsel):
- Right to audit & evidence of controls. Annual SOC 2, independent penetration tests, secure development attestations, tabletop/IR testing proof, and notification of material findings. These clauses are widely advocated by practitioner guides and vendor-oversight resources.
- Breach notification timelines. 24–72 hours to notify after discovery, with interim updates and full incident write-ups. Align definitions to GDPR/NIS2 where relevant and to SEC materiality analysis for public companies.
- Security requirements & SBOM. Minimum security bar (MFA, EDR, immutable backups, least privilege, vulnerability SLAs), SBOM provision for critical components, and a documented vulnerability disclosure process.
- Sub-processor controls and notice. Flow-down of obligations, advance notice and right to object to new sub-processors handling sensitive data, and mandatory due diligence obligations.
- Indemnity and caps. Set floor indemnity for regulatory fines where legal, carve-outs to liability caps for gross negligence/wilful misconduct, and liquidated damages tied to downtime/SLA impact for operationally critical services. (Consult counsel for enforceability in your jurisdictions.) Practitioner and legal checklists emphasise these levers.
- Termination & data return/erasure. Termination for security cause, verified deletion/return of data, and secure transition assistance.
Contracts like these aren’t just legal hygiene; they let you quantify risk reduction. If a vendor accepts 72-hour breach notice, participates in quarterly tabletop exercises, and proves immutable backups with routine recovery tests, your probable loss and expected downtime distributions compress, which you can demonstrate in FAIR outputs for the board.
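The FAIR-style calculation described earlier (loss event frequency multiplied by loss magnitude for a critical SaaS vendor), the tornado-chart data for the board mapping, and the contract buy-down argument in the paragraph above can all be shown with one small Monte Carlo model. The following is an added example written for this post, not code from the FAIR Institute, The Open Group, or any FAIR tooling. Every input is a constructed assumption: threat event frequency and each loss form are triangular (low, mode, high) estimates, “vulnerability” is the probability that a threat event becomes a loss event, and the buy-down scenario assumes that a minimum control bar lowers vulnerability while immutable backups and 72-hour notice with a joint playbook shrink the downtime and legal components.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Scenario:
    """FAIR inputs for one vendor loss scenario (all figures are constructed assumptions)."""
    name: str
    tef: tuple            # (low, mode, high) threat events per year
    vulnerability: float  # probability a threat event becomes a loss event
    losses: dict          # loss form -> (low, mode, high) USD per loss event


def tri(rng, low, mode, high):
    """random.triangular takes (low, high, mode); wrap it in FAIR's (low, mode, high) order."""
    return rng.triangular(low, high, mode)


def sample_poisson(lam, rng):
    """Knuth's algorithm: number of loss events in one year at rate lam (fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def loss_drivers(scenario):
    """Analytic expected annual loss per loss form, largest first (the data behind a tornado chart).
    Mean of a triangular distribution is (low + mode + high) / 3."""
    lef = sum(scenario.tef) / 3 * scenario.vulnerability
    drivers = {form: lef * sum(params) / 3 for form, params in scenario.losses.items()}
    return sorted(drivers.items(), key=lambda kv: kv[1], reverse=True)


def analytic_ale(scenario):
    """Closed-form annualised loss expectancy: sum of the drivers."""
    return sum(usd for _, usd in loss_drivers(scenario))


def simulate(scenario, trials=20000, seed=7):
    """Monte Carlo: simulate `trials` years and return ALE plus tail percentiles."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = tri(rng, *scenario.tef) * scenario.vulnerability   # loss event frequency this year
        total = 0.0
        for _ in range(sample_poisson(lef, rng)):                # each loss event adds all loss forms
            total += sum(tri(rng, *params) for params in scenario.losses.values())
        annual.append(total)
    annual.sort()
    pct = lambda q: annual[min(int(q * trials), trials - 1)]
    return {"ale": mean(annual), "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95), "max": annual[-1]}


# Constructed baseline: a critical SaaS vendor, ransomware with data exfiltration.
BASELINE = Scenario(
    name="SaaS vendor: ransomware + exfiltration (constructed inputs)",
    tef=(0.5, 1.0, 2.0),
    vulnerability=0.30,
    losses={
        "forensics":    (100_000, 250_000,   600_000),
        "notification": ( 50_000, 200_000,   800_000),
        "downtime":     (200_000, 600_000, 2_000_000),
        "fines":        (      0, 100_000, 1_500_000),
        "legal":        ( 50_000, 300_000, 2_000_000),
    },
)

# Constructed buy-down: same vendor after contract levers (MFA/EDR minimum bar -> lower
# vulnerability; immutable backups with tested recovery -> smaller downtime; 72h notice
# and joint IR playbook -> smaller legal exposure). The reductions are assumptions.
BUY_DOWN = Scenario(
    name=BASELINE.name + " after contract levers",
    tef=BASELINE.tef,
    vulnerability=0.20,
    losses={**BASELINE.losses,
            "downtime": (50_000, 150_000,   500_000),
            "legal":    (50_000, 200_000, 1_000_000)},
)


if __name__ == "__main__":
    for s in (BASELINE, BUY_DOWN):
        r = simulate(s)
        print(f"{s.name}\n  ALE ${r['ale']:,.0f}  P90 ${r['p90']:,.0f}  P95 ${r['p95']:,.0f}")
        for form, usd in loss_drivers(s):
            print(f"    {form:<13} ${usd:,.0f}")
```

The difference between the two ALE figures is the annual expected-loss reduction the contract levers buy; compared with their cost (or with an insurance premium for the same tail), that is the remediation ROI the board mapping asks for. The P90/P95 columns are the tail that insurance limits should be sized against.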
Strengthen your Cyber-Insurance Positioning
The cyber market increasingly prices and conditions coverage on control efficacy, including how you govern third-party risk. Recent analyses from Marsh tie incident outcomes to 12 core controls and show benefits from tabletop exercises and IR planning. MOVEit-style events have also influenced claim trends and underwriting attention to supply-chain dependencies.
What carriers and brokers like to see:
- Continuous monitoring of critical vendors, with documented response playbooks that include vendor co-ordination and legal/regulatory workflows (SEC, GDPR/NIS2).
- Evidence of controls (MFA, EDR, backups, segmentation) at your organisation and your critical vendors, plus tabletop exercise results.
- Quantified risk to justify limits/retentions: FAIR analyses tied to realistic loss scenarios, not generic industry averages.
Better controls and credible quantification can help improve terms (limits, retentions) and avoid unpleasant coverage gaps for third-party incidents.
Compliance is Changing: Regulators Now Care About Your Vendors
- SEC (US): Public companies must disclose material incidents within four business days of determining materiality, plus describe risk management and governance in annual reports. Material vendor incidents can be disclosure events—SolarWinds shows the stakes when cybersecurity statements mislead. (EY)
- NIS2 (EU): Requires supplier-chain security measures and imposes fines up to €10M or 2% of global turnover (lower tier for “important” entities), with explicit leadership accountability. If you rely on EU-based services, NIS2 expectations bleed into your contracts.
- GDPR (EU): Upper-tier fines reach €20M or 4% of global turnover for severe violations. Data processing agreements and sub-processor controls remain table-stakes.
The policy momentum (NIST C-SCRM, CISA Secure-by-Design, SBOM) is toward continuous, evidence-based supply-chain assurance—not paperwork divorced from operational reality.
What Good Looks Like: The Metrics
When your third-party risk program is working, your board pack should include:
- Top vendor risk register (by service). With ALE per vendor, top loss drivers, and trend arrows since last quarter. (FAIR)
- Control coverage & exceptions. MFA/EDR/backup immutability at your organisation and the vendor; ageing of unpatched high-severity vulns; percentage of vendors providing SBOMs for critical software.
- Time-to-detect & time-to-notify for vendor incidents, measured against contract SLAs and regulatory clocks (SEC, GDPR/NIS2).
- Exercise results. Tabletop frequency, findings closed, and simulated downtime impacts—evidence that your IR playbooks with vendors actually work (underwriters care about this too).
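The time-to-notify metric above only means something when each incident is measured against the clocks that actually bind you: the contractual notice window and the regulatory deadline. The following is an added example, not code from the original post or from any regulator: it takes a constructed vendor incident log (every timestamp and vendor name is invented), computes hours from vendor discovery to notification against a 72-hour contract clause, derives the four-business-day deadline from the materiality determination date as the post describes for the SEC rules, and rolls the results up into the median, breach rate and late-filing count a board pack would carry. Business days are counted as weekdays only, which is an assumption (exchange holidays are ignored).

```python
from datetime import datetime, timedelta
from statistics import median

CONTRACT_NOTICE_HOURS = 72   # contract clause: vendor must notify within 72h of discovery
SEC_BUSINESS_DAYS = 4        # disclosure due four business days after determining materiality

# Constructed vendor incident log; every value is invented. None = not applicable / not yet.
INCIDENTS = [
    {"vendor": "Example Vendor A", "discovered": "2025-03-03T09:00", "notified": "2025-03-05T15:00",
     "material_determined": "2025-03-06", "filed": "2025-03-11"},
    {"vendor": "Example Vendor B", "discovered": "2025-06-10T08:00", "notified": "2025-06-16T08:00",
     "material_determined": None, "filed": None},
    {"vendor": "Example Vendor C", "discovered": "2025-09-19T18:00", "notified": "2025-09-22T12:00",
     "material_determined": "2025-09-26", "filed": "2025-10-03"},
]


def add_business_days(start, days):
    """Advance `start` by `days` weekdays. Assumption: weekends only, no holiday calendar."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def evaluate_incident(inc, notice_hours=CONTRACT_NOTICE_HOURS):
    """Measure one incident against the contract notice window and the disclosure clock."""
    discovered = datetime.fromisoformat(inc["discovered"])
    notified = datetime.fromisoformat(inc["notified"])
    hours = (notified - discovered).total_seconds() / 3600
    result = {"vendor": inc["vendor"], "notice_hours": hours,
              "notice_sla_met": hours <= notice_hours,
              "sec_deadline": None, "sec_on_time": None}
    if inc["material_determined"]:
        determined = datetime.fromisoformat(inc["material_determined"])
        deadline = add_business_days(determined, SEC_BUSINESS_DAYS)
        result["sec_deadline"] = deadline.date().isoformat()
        if inc["filed"]:
            result["sec_on_time"] = datetime.fromisoformat(inc["filed"]) <= deadline
    return result


def board_metrics(incidents=INCIDENTS):
    """Roll individual incidents up into the figures a quarterly board pack reports."""
    evals = [evaluate_incident(i) for i in incidents]
    material = [e for e in evals if e["sec_deadline"]]
    return {
        "median_notice_hours": median(e["notice_hours"] for e in evals),
        "notice_sla_breach_rate": sum(not e["notice_sla_met"] for e in evals) / len(evals),
        "late_sec_filings": sum(e["sec_on_time"] is False for e in material),
        "incidents": evals,
    }


if __name__ == "__main__":
    m = board_metrics()
    for e in m["incidents"]:
        print(f"{e['vendor']:<17} notice {e['notice_hours']:>5.0f}h "
              f"SLA {'met' if e['notice_sla_met'] else 'BREACHED'}  "
              f"disclosure deadline {e['sec_deadline']}  on time: {e['sec_on_time']}")
    print(f"median notice {m['median_notice_hours']:.0f}h, "
          f"SLA breach rate {m['notice_sla_breach_rate']:.0%}, late filings {m['late_sec_filings']}")
```

In the constructed data, Vendor B breaches the 72-hour clause and the Vendor C incident is filed a day after the business-day deadline; those are the two rows that should surface as exceptions, with the contract remedy and the disclosure-process gap respectively.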
The Mindset Shift
Third-party risk isn’t about collecting stacks of PDFs. It’s about translating vendor exposure into business outcomes you can manage:
- Financially: What is our expected loss and tail risk from Vendor X? Which control or clause reduces it the most per dollar?
- Operationally: How does Vendor Y’s outage map to our RTO/RPO and revenue at risk?
- Legally/Reputationally: If Vendor Z loses EU personal data, what is our realistic fine range and required disclosure cadence?
If your answers rely on “we have a completed questionnaire on file,” you’re carrying unpriced liability. If your answers include FAIR charts, SBOM coverage stats, continuous-monitoring deltas, and contract levers, you’re managing a measurable liability, and that’s where boards, regulators, and insurers are steering the ecosystem.