Your Supply Chain Is Only as Secure as Its Weakest Vendor
The MOVEit attack of 2023 changed how every supply chain leader thinks about third-party risk. The Cl0P ransomware gang exploited a zero-day vulnerability in MOVEit Transfer, a managed file transfer (MFT) product used by over 2,400 organizations worldwide to exchange sensitive data with suppliers, partners, and customers. The attackers pulled data on over 90 million individuals straight out of the victims' own MOVEit servers and cost organizations billions in remediation. The victims were not companies with poor security; they were companies running a vendor's product, exposed to the internet by design, with a flaw that neither they nor the vendor yet knew about.
The SolarWinds attack of 2020 was an earlier warning that went largely unheeded. State-sponsored attackers planted a backdoor in a legitimately signed update to the SolarWinds Orion IT management platform; roughly 18,000 customers installed it, and a much smaller set of them, including the US Treasury, the Department of Homeland Security, and Fortune 500 companies, were then actively intruded upon. None were breached through their own defenses; the path in ran through a trusted vendor's build and release pipeline.
The Kaseya VSA attack in 2021 followed a related pattern: exploit vulnerabilities in a remote-management platform that managed service providers (MSPs) use to administer their customers, and every customer of every affected MSP becomes reachable in one step. The REvil ransomware group pushed its payload through VSA's own agent deployment mechanism, reaching an estimated 800 to 1,500 downstream businesses via roughly 50 compromised MSPs.
How Supply Chain Cyber Attacks Work
Compromised Software Updates
The most impactful supply chain attack vector. Attackers compromise a software vendor's build system or distribution infrastructure and insert malicious code into legitimate updates that customers download and install automatically. Because the update comes from the expected source with a valid digital signature, endpoint security tools and customers' own signature checks do not flag it: the signature proves who published the update, not that the build behind it was clean. SolarWinds is the canonical case. MOVEit was different in mechanism, an unpatched zero-day in a vendor product that each customer ran on its own internet-facing servers rather than a tampered update, but identical in effect: the customer inherited a risk it could neither see nor control.
Vendor Access Abuse
Suppliers and third-party service providers often hold standing access to their customers' systems for legitimate purposes: a logistics provider reads inventory data through an API, a payroll processor receives employee information, a maintenance contractor remotely monitors equipment. When the vendor's own systems are breached, attackers reuse those credentials and access paths to reach the customer's network. This is the most common supply chain attack pattern, and the one where the customer has the most leverage: the credential and the access path are issued by the customer, so they can be scoped to the minimum needed, given a short lifetime, and revoked the moment a supplier reports an incident.
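As an added example (not code from the article or from any vendor it names), here is the shape of that control in Python: a token issuer that grants each supplier only the scopes in its policy, for fifteen minutes at a time, and a verifier that re-checks a revocation list on every call. The vendor names, scopes and signing key are constructed for illustration; a real deployment would hold the key in a KMS and persist the revocation list.

```python
"""Scoped, short-lived vendor credentials with instant revocation.

Added example, not code from the original article or from any vendor named in it.
The vendor names, scopes and signing key below are constructed for illustration;
a real deployment would keep the key in a KMS/HSM and persist the revocation list.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-do-not-use"   # constructed; never hard-code in production

# Least-privilege policy: the only scopes each supplier may ever be granted (constructed).
VENDOR_SCOPES = {
    "logistics-co": {"inventory:read"},
    "payroll-inc": {"employees:read"},
}

REVOKED_VENDORS = set()   # filled in during incident response


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(vendor: str, scopes: set, ttl_seconds: int = 900, now: float = None) -> str:
    """Mint a just-in-time token for one vendor, one scope set, a short lifetime.

    Scopes outside the vendor's policy are refused at issue time rather than
    checked later, so an over-broad request never produces a usable credential.
    """
    allowed = VENDOR_SCOPES.get(vendor, set())
    if not scopes <= allowed:
        raise PermissionError(f"{vendor} may not be granted {sorted(scopes - allowed)}")
    now = time.time() if now is None else now
    payload = {"sub": vendor, "scp": sorted(scopes), "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, required_scope: str, now: float = None) -> dict:
    """Accept the token only if it is authentic, unexpired, unrevoked and carries the scope."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if not hmac.compare_digest(sig, _sign(body)):      # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if now >= payload["exp"]:
        raise ValueError("token expired")
    if payload["sub"] in REVOKED_VENDORS:             # checked on every call, not just at issue
        raise ValueError(f"vendor {payload['sub']} is revoked")
    if required_scope not in payload["scp"]:
        raise PermissionError(f"scope {required_scope!r} not granted to {payload['sub']}")
    return payload


def revoke_vendor(vendor: str) -> None:
    """Incident response step: cut a breached supplier off now, without waiting for expiry."""
    REVOKED_VENDORS.add(vendor)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("logistics-co", {"inventory:read"}, ttl_seconds=900, now=t0)
    print(verify_token(tok, "inventory:read", now=t0 + 60)["scp"])   # ['inventory:read']
    revoke_vendor("logistics-co")
    try:
        verify_token(tok, "inventory:read", now=t0 + 60)
    except ValueError as err:
        print("rejected:", err)                                       # rejected: vendor logistics-co is revoked
```

The design point is the order of checks in `verify_token`: authenticity first, then lifetime, then the revocation list, then scope. A fifteen-minute lifetime bounds how long a stolen token is useful even if revocation is slow, and refusing over-broad scopes at issue time means a compromised supplier cannot request more than its policy allows.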
Data Sharing Vulnerabilities
Companies share vast amounts of data with suppliers: product designs, demand forecasts, employee information, financial records, and proprietary processes. If a supplier's data security is weak, this information can be stolen; if the supplier is hit by ransomware, it can be encrypted, disrupting not only the supplier's operations but the customer's ability to receive goods and services from that supplier. Either way the customer's exposure is bounded by what it chose to share, which is why data minimization is a control and not just a courtesy.
Regulatory Response: SEC Rules, EU DORA, and NIS2
SEC Cybersecurity Disclosure Rules (2024+)
The SEC's cybersecurity disclosure rules, adopted in July 2023 and in force for fiscal years ending on or after 15 December 2023, require public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that it is material (the clock starts at the materiality determination, not at discovery). The rules also require annual disclosure, in the 10-K, of the company's processes for assessing and managing material cybersecurity risks, explicitly including risks associated with third-party service providers. Supply chain cyber risk is therefore a mandatory disclosure topic for US-listed public companies: they must describe how they manage third-party cyber risk, and they must disclose a material incident even when the breach originated at a vendor.
EU Digital Operational Resilience Act (DORA, January 2025)
DORA, which applies from 17 January 2025, requires financial entities to demonstrate digital operational resilience, including management of ICT third-party risk, and brings ICT providers designated as critical under a direct EU-level oversight framework for the first time. While aimed at financial services, DORA's framework of regular resilience testing, incident reporting, and third-party risk management is being adopted as a model for supply chain cyber regulation across industries.
EU NIS2 Directive (October 2024)
The revised Network and Information Security Directive (NIS2), which member states had to transpose by 17 October 2024, expands the scope of entities required to implement cybersecurity measures and report incidents to medium and large companies across the sectors it lists, with explicit coverage of supply chain security. In-scope companies must assess the cybersecurity posture of their direct suppliers and service providers and report significant incidents, including those that originate in the supply chain.
Security Ratings Platforms
Manually assessing the cybersecurity posture of hundreds or thousands of suppliers is not feasible. Security ratings platforms automate this process by continuously monitoring external signals of cybersecurity hygiene:
- SecurityScorecard — Provides A-F ratings across 20+ risk factors (network security, DNS health, patching cadence, endpoint security, etc.) derived from passively collected, externally observable data. Covers 17 million+ companies and supports continuous monitoring of an entire supplier portfolio.
- BitSight — Similar security ratings approach with 22 risk categories. Used by major banks, insurers, and enterprise supply chains for continuous third-party risk monitoring.
- RiskRecon (Mastercard) — Combines external exposure data with customized questionnaires for internal security assessment. Particularly strong in regulatory compliance mapping.
In 2026, over 60% of Fortune 1000 companies use security ratings as a component of supplier onboarding and ongoing monitoring, up from 25% in 2021. The platforms typically integrate with procurement systems to alert buyers automatically when a supplier's rating drops below an agreed threshold. One caveat matters when setting those thresholds: a rating reflects only what is observable from outside, such as exposed services, patch lag, and DNS and mail hygiene. It says nothing about the integrity of a vendor's build pipeline, which is where the SolarWinds compromise lived, so ratings complement rather than replace the SBOM and code-signing checks for software vendors.
Incident Response for Supply Chain Cyber Events
When a supplier is breached, the response must address both the supply chain disruption and the data protection implications:
- Assess exposure — What data was shared with the compromised supplier? What systems did the supplier have access to, and what could be reached from that access? How long have the supplier's systems been compromised?
- Activate contingency supply — Switch to secondary suppliers or alternative sources. If no alternative exists, begin production or procurement of substitute materials immediately.
- Contain data exposure — Revoke the compromised supplier's access to your systems. Force password resets for any shared credentials. Rotate API keys and authentication tokens.
- Assess regulatory notification requirements — Determine whether customer data, employee data, or regulated data (PII, PHI, financial data) was exposed at the supplier. File required notifications within regulatory timelines.
- Conduct post-incident review — Document lessons learned, update supplier onboarding criteria, and implement new monitoring controls. Share incident intelligence with industry peers through ISACs (Information Sharing and Analysis Centers).
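The first and fourth steps above can be answered mechanically if the vendor inventory exists before the incident. The following added example (not from the article) runs that query in Python over a constructed inventory: it walks trust edges to find every system reachable from the supplier's foothold, lists the credentials to rotate, and builds a notification checklist that keeps the two clocks apart. All vendor, system and credential names are hypothetical; the four-business-day SEC deadline is the one stated above, and the 24-hour NIS2 early warning comes from Article 23 of the Directive rather than from this page.

```python
"""Exposure assessment for a breached supplier.

Added example, not from the original article. INVENTORY, SAMPLE_PROFILE and every
vendor, system and credential name are constructed. The four-business-day SEC
deadline is from the article; the 24-hour NIS2 early warning is Article 23 of
the Directive, not something the article states.
"""
from collections import deque
from datetime import datetime, timedelta

INVENTORY = {
    "vendors": {
        "mft-provider": {                      # constructed managed-file-transfer supplier
            "systems": ["file-transfer-gw"],
            "data_classes": ["PII", "financial"],
            "credentials": ["svc-mft-api-key", "sftp-mft-user"],
            "alternates": ["backup-sftp-provider"],
        },
        "logistics-co": {
            "systems": ["inventory-api"],
            "data_classes": ["demand-forecast"],
            "credentials": ["logistics-oauth-client"],
            "alternates": [],
        },
    },
    # Directed trust edges: from a foothold on the key, the listed systems are reachable.
    "system_trust": {
        "file-transfer-gw": ["erp"],
        "erp": ["data-warehouse"],
        "inventory-api": [],
        "data-warehouse": [],
    },
}

REGULATED_CLASSES = {"PII", "PHI", "financial"}   # classes that trigger breach-notification review

# Constructed timestamps and entity profile for the worked run below.
SAMPLE_AWARE_AT = datetime(2024, 6, 6, 9, 0)        # Thursday: supplier's breach notice received
SAMPLE_DETERMINED_AT = datetime(2024, 6, 6, 15, 0)  # same day: incident judged material
SAMPLE_PROFILE = {"us_listed": True, "material": True, "nis2_entity": True, "eu_financial_entity": False}


def reachable_systems(start, trust):
    """Breadth-first walk: the blast radius is not only the systems the vendor
    was granted, but everything those systems can in turn reach."""
    seen, queue = set(start), deque(start)
    while queue:
        for nxt in trust.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def assess_exposure(vendor, inventory=INVENTORY):
    """Answer the first question in the playbook: what did this supplier touch?"""
    rec = inventory["vendors"][vendor]
    return {
        "vendor": vendor,
        "direct_systems": list(rec["systems"]),
        "reachable_systems": reachable_systems(rec["systems"], inventory["system_trust"]),
        "credentials_to_rotate": list(rec["credentials"]),
        "regulated_data": sorted(set(rec["data_classes"]) & REGULATED_CLASSES),
        "alternates": list(rec["alternates"]),
    }


def add_business_days(start, days):
    """Step forward `days` weekdays. Public holidays are not modelled; add a
    calendar for the relevant jurisdiction in production."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:        # Monday..Friday
            days -= 1
    return current


def notification_checklist(exposure, aware_at, determined_at, profile):
    """Which regimes apply and by when. Two different clocks: the SEC deadline runs
    from the materiality determination, the NIS2 early warning from awareness."""
    items = []
    if profile.get("us_listed") and profile.get("material"):
        items.append(("SEC Form 8-K Item 1.05", add_business_days(determined_at, 4)))
    if profile.get("nis2_entity"):
        items.append(("NIS2 early warning (Art. 23)", aware_at + timedelta(hours=24)))
    if profile.get("eu_financial_entity"):
        items.append(("DORA major ICT incident report", None))   # timeline set by the DORA RTS
    if exposure["regulated_data"]:
        items.append(("Breach notification review for " + ", ".join(exposure["regulated_data"]), None))
    return items


if __name__ == "__main__":
    exposure = assess_exposure("mft-provider")
    print(exposure["reachable_systems"])      # ['data-warehouse', 'erp', 'file-transfer-gw']
    print(exposure["credentials_to_rotate"])  # ['svc-mft-api-key', 'sftp-mft-user']
    for name, due in notification_checklist(exposure, SAMPLE_AWARE_AT, SAMPLE_DETERMINED_AT, SAMPLE_PROFILE):
        print(f"{name}: {due}")
```

Two things the output makes visible that a checklist on paper does not: the supplier's single granted system fans out to the ERP and the data warehouse through existing trust, so those are in scope for log review too, and a Thursday afternoon materiality determination lands the 8-K on the following Wednesday, while the NIS2 early warning is due Friday morning.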
The MOVEit attack was not a failure of cybersecurity technology. It was a failure of supply chain risk management. Organizations that had mapped which of their critical data flowed through MOVEit, that had alternative file transfer capabilities, and that monitored their vendors' security postures were able to respond within hours. Organizations that had not mapped those flows discovered their exposure only when the breach hit the public news cycle, and then spent weeks scrambling to assess the damage.
Third-Party Cyber Risk Assessment Framework
| Risk Category | Assessment Questions | Assessment Frequency | Risk Mitigation |
|---|---|---|---|
| Security posture | What is the vendor's security rating? Have they had recent breaches? Do they hold SOC 2 / ISO 27001 attestations? | Continuous (ratings); annual (certifications) | Set a minimum rating threshold (e.g., B or better on an A-F scale), tiered by vendor criticality; require security certifications for critical vendors |
| Access controls | What access does the vendor have to our systems? Is it least-privilege? Is MFA required? Are credentials rotated? | Quarterly | Zero-trust access, JIT credentials, session monitoring, regular access reviews |
| Data protection | What data do we share? How does the vendor store and encrypt it? What is their data breach history? | Annual; on incident | Data minimization (share only what's needed), encryption in transit and at rest, DPA requirements |
| Software supply chain | Does the vendor use SBOMs? How do they secure their build pipeline? Do they have a vulnerability disclosure policy? | Annual; on software change | Require SBOMs for software vendors, verify code-signing, monitor CVE databases |
| Business continuity | Does the vendor have a disaster recovery plan? When was it last tested? What is their RTO/RPO? | Annual | Require annual DR testing, contractual SLA on recovery, maintain alternative supplier relationships |
| Regulatory compliance | What regulations apply to the vendor? Are they compliant? Have they received any regulatory findings? | Annual; on regulatory change | Map vendor regulatory obligations, include compliance requirements in contracts, audit rights |
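The software supply chain row asks vendors for SBOMs and asks buyers to watch CVE databases; the value is in joining the two. The added example below (not from the article or from any SBOM tool) does that join in Python for a minimal CycloneDX-shaped SBOM and OSV-style advisories with introduced/fixed version ranges. Both documents, the acme-* component names and the advisory IDs are constructed and describe no real vulnerability; real tools match on package URLs and apply per-ecosystem version rules, which the simple dotted-version comparison here does not.

```python
"""Joining a supplier's SBOM to a vulnerability feed.

Added example, not from the original article or any SBOM tool. The SBOM is a
minimal CycloneDX-shaped document and the advisories use OSV-style
introduced/fixed ranges; both documents, the 'acme-*' components and the
advisory IDs are constructed and describe no real vulnerability.
"""
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "acme-mft",   "version": "2.0.0", "purl": "pkg:generic/acme-mft@2.0.0"},
    {"type": "library",     "name": "acme-sdk",   "version": "1.4.0", "purl": "pkg:generic/acme-sdk@1.4.0"},
    {"type": "application", "name": "acme-agent", "version": "5.2.1", "purl": "pkg:generic/acme-agent@5.2.1"}
  ]
}"""

ADVISORIES = [   # constructed, OSV-shaped: events are ordered introduced/fixed pairs
    {"id": "ACME-2024-0001", "affected": [{"package": {"name": "acme-mft"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "0"}, {"fixed": "1.9.3"},
            {"introduced": "2.0.0"}, {"fixed": "2.0.2"}]}]}]},
    {"id": "ACME-2024-0002", "affected": [{"package": {"name": "acme-sdk"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "0"}, {"fixed": "1.4.0"}]}]}]},
]


def _vkey(version):
    """Dotted numeric versions only ('2.0.1' -> (2, 0, 1)); a '-rc1' or '+build'
    suffix is dropped. Real tools need per-ecosystem version semantics."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def _cmp(a, b):
    """Three-way compare with zero padding so that '1.4' == '1.4.0'."""
    ka, kb = _vkey(a), _vkey(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def version_affected(version, events):
    """OSV semantics: walk the ordered events; the version is affected if the
    last event at or below it was an 'introduced' rather than a 'fixed'."""
    affected = False
    for ev in events:
        if "introduced" in ev and _cmp(ev["introduced"], version) <= 0:
            affected = True
        elif "fixed" in ev and _cmp(ev["fixed"], version) <= 0:
            affected = False
    return affected


def find_vulnerable(sbom_json, advisories):
    """Return (component, version, advisory id) for every SBOM component inside an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        name, version = comp["name"].lower(), comp["version"]
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["name"].lower() != name:
                    continue
                if any(version_affected(version, r["events"]) for r in aff["ranges"]):
                    hits.append((comp["name"], version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")   # acme-mft 2.0.0: affected by ACME-2024-0001
```

The boundary cases are where hand-rolled checks go wrong: acme-sdk 1.4.0 sits exactly on its advisory's `fixed` version and is correctly not flagged, while acme-mft 2.0.0 is flagged because the advisory's second range reopens at 2.0.0 even though the first range closed at 1.9.3. Re-run this against every new SBOM a vendor delivers, not only at onboarding.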
The Bottom Line
Supply chain cyber risk is the most consequential risk category facing modern enterprises. The MOVEit, SolarWinds, and Kaseya attacks demonstrated that even well-defended organizations are vulnerable through their vendors. The regulatory landscape (SEC rules, DORA, NIS2) makes supply chain cyber risk a board-level compliance obligation. Security ratings platforms provide the tools for continuous monitoring. The companies that are getting ahead of this risk are systematically mapping their vendor attack surface, setting minimum security standards, implementing zero-trust vendor access, and maintaining alternative supply paths for critical capabilities. In cyber risk, the weakest link determines the outcome.