Third-party risk is one of the top eight cybersecurity concerns highlighted at the 2025 Gartner Cyber Conference
Third-Party Risk: A Critical Cybersecurity Threat and a Board-Level Responsibility
Third-party risk has emerged as one of the most significant cybersecurity threats facing modern corporations. It was identified at a recent Gartner Conference as one of the top eight cybersecurity predictions for 2025.
As organizations increasingly rely on vendors, cloud providers, service partners, and software suppliers to support their operations, their exposure to external cyber vulnerabilities grows with every additional connection. A breach in a third-party system—no matter how distant—can lead to devastating consequences, including data loss, operational disruption, regulatory penalties, and reputational damage.
An unfortunate example of third-party risk just hit Whole Foods. United Natural Foods (UNF) supplies fresh produce and branded products to more than 30,000 locations throughout North America, including the stores of upmarket grocery chain Whole Foods. UNF plays an important role in Whole Foods' supply chain, and Whole Foods is UNF's largest customer. https://www.ft.com/content/5b11eb25-b50f-4de7-af89-a14ea3625982
What makes third-party risk particularly challenging is the lack of direct control over external partners’ security practices. Many organizations fail to adequately assess the cyber maturity of vendors or lack visibility into the full extent of their digital supply chain. This blind spot leaves them vulnerable to attacks like the infamous SolarWinds breach and other sophisticated supply chain compromises.
To build effective cyber resilience, corporations must proactively develop third-party risk profiles and incident response plans tailored to the impact of a vendor-related attack. This includes conducting thorough risk assessments, requiring robust security certifications, monitoring vendor performance, and establishing contingency strategies in the event of a breach.
Boards of Directors have a critical role to play in this oversight. As fiduciaries responsible for long-term value and risk governance, board members must ensure that management is taking third-party risk seriously. This includes requesting regular updates on vendor risk exposure, integrating cyber risk into enterprise risk frameworks, and participating in tabletop exercises that include third-party scenarios. Increasingly, regulators and shareholders are holding boards accountable for cyber failures—including those stemming from external vendors.
Cyber Knowledge Partners specializes in working with boards to create a framework that ensures they have the knowledge and understanding of cybersecurity risks needed to provide solid oversight.
Third-party cyber risk is not just an IT issue—it’s a boardroom imperative. Directors who stay informed and engaged will help position their organizations for greater resilience and trust.