May 2022 Vendor Management News


Stay up-to-date on the latest vendor management news happening this month. Discover information to help improve or freshen up your third-party risk management program. Check out some informational articles below.

Recently Added Articles as of May 19

Cybersecurity is once again the main topic we’re seeing this week, with a doctor accused of writing ransomware and banking trade groups responding to the SEC’s proposed rules on cybersecurity disclosures. Connecticut has officially enacted privacy legislation and CISA is warning against installing a recent Windows update on domain controllers. We also have an article on building trust between tech vendors and their customers. Read on for all of this week’s headlines!

Four elements to understand scope for MSSPs: Cybercrime is a destructive and costly threat, but organizations shouldn’t feel as though they need to avoid digital systems altogether. Using a managed security service provider (MSSP) is an effective strategy that can establish a security baseline for an organization. These services often include continuous firewall monitoring and protection against viruses and other malware. Before choosing an MSSP, it’s important to understand the scope of your needs. This includes elements like your cyber risk exposure, identification of your most valuable data and an understanding of which of your systems are most vulnerable. You should also perform an inventory of your physical, logical and environmental assets, since an MSSP can only monitor what both sides know exists. It’s best to avoid “scope creep” by ensuring you and your vendor are on the same page from the beginning of the relationship.

Cardiologist accused of moonlighting as cybercriminal: A French-Venezuelan doctor appears to have set aside the Hippocratic Oath’s principle of doing no harm, at least in the cyber world. The Department of Justice issued a press release accusing Moises Luis Zagala Gonzalez of creating the Jigsaw v2 variant. He’s also accused of offering the Thanos strain as ransomware-as-a-service; one of his customers reportedly used it to infect about 3,000 computers. The doctor has yet to be apprehended, but faces up to five years in prison on each of two counts if caught and convicted.

How tech vendors can build customer trust: Many organizations are planning to spend more on digital transformation in the aftermath of the massive shift to work-from-home environments. However, a corresponding increase in cyberattacks has led to a level of distrust between tech vendors and their customers. To address these concerns, vendors can take a few key steps. First, they should prioritize flexibility and customization within their solutions. Vendors should also focus on building long-term relationships with their customers rather than maintaining a transactional process. Finally, transparency on important issues, security incidents included, is an absolute must. Vendors and customers need to align on their strategic business goals, especially concerning sustainability.

Learn the basics of C-SCRM: If you’ve been wanting to learn more about Cybersecurity Supply Chain Risk Management (C-SCRM), this is your chance. A primary goal of C-SCRM is to lessen the likelihood of a cybersecurity threat compromising a supply chain. This is achieved by improving the ability to detect, respond to and recover from disruptions caused by supply chain compromises. Supply chain risk encompasses vulnerabilities introduced by third-party cloud services as well as fourth-party risks (your vendors’ own suppliers). To effectively implement a C-SCRM strategy, begin by documenting your entire supply chain, including the components inside the products you buy. Next, establish a formal governance plan for cybersecurity risk management and identify critical suppliers. Governance guidelines should also be updated continuously.

Cybersecurity risks affect more than just data: In the early days of cybercriminal activity, the biggest threats were data loss and maybe losing a large chunk of change to a ransom demand. However, cybercrime is increasingly affecting critical infrastructure like hospitals and public safety facilities, which can have a significant impact on human health and lives. Two notable examples are the attack on a water treatment plant in Florida and an incident at the University of Vermont Medical Center, which shut down systems for almost a month. Cyber warfare is also a real threat, as state actors initiate attacks on other countries. Organizations can prepare for these challenges by identifying the critical systems and data sources most likely to be targeted in a sustained attack. It’s also important to provide proper training for security analysts. And, remember that your vendors are also a source of cybersecurity risk, so it’s essential to ensure that they’re implementing an effective security strategy of their own.

iPhones at risk for malware through Bluetooth loophole: If you’re one of the roughly one billion iPhone users out there, take note of a newly described attack surface. Researchers have shown that an iPhone doesn’t need to be powered on for malware to keep running. When the phone is switched off or its battery runs down, the Bluetooth chip stays active in Low Power Mode (LPM) so that Find My can keep locating the device. Because the chip’s firmware isn’t signature-checked, an attacker who has already compromised the phone (for example, through a jailbreak) could load malicious firmware onto it that continues to operate while the device appears to be off. The researchers note that LPM support is implemented in hardware and can’t be removed by software changes, which creates a new threat model, and that the LPM design appears to have prioritized functionality over other threats. The practical caveat is that this isn’t a remote attack; it extends an existing compromise rather than creating one.

CISA says to avoid May Windows update on domain controllers: CISA temporarily removed CVE-2022-26925, a Windows LSA spoofing zero-day that was being actively exploited, from its Known Exploited Vulnerabilities catalog after the May 10 Windows updates that fix it caused authentication failures on servers acting as domain controllers. The flaw lets an unauthenticated attacker coerce a domain controller into authenticating to them over NTLM which, chained with a relay attack, could give the attacker control of the Windows domain. CISA’s guidance was to continue installing the May updates on non-domain-controller Windows servers and clients, and to hold off on domain controllers until Microsoft addressed the side effects. As cyber threats remain a top third-party risk, it’s important to track which updates are safe to deploy and which are being deferred and why, both in your own environment and at vendors who host your domain infrastructure.

Healthcare supply chain gets support in whitepaper: In response to the recent CISA alert on managed service providers, the Cloud Security Alliance has published a new whitepaper on cybersecurity risk management for the healthcare supply chain. The report includes best practices for healthcare providers managing third-party vendors, including food suppliers, pharmaceutical companies and medical device vendors. A previous report found that only 23% of providers have adequate security ratings for their supply chains, showing that this remains a major blind spot for the healthcare industry. The whitepaper also covers assessment, treatment, monitoring and response needs. With so many headlines on healthcare data breaches, it should be a valuable resource.

Connecticut signs data privacy legislation: The U.S. now has a total of five states with comprehensive data privacy legislation after Connecticut Governor Ned Lamont recently signed Senate Bill 6. The law goes into effect July 1, 2023 and contains many similarities to the laws in California, Colorado, Utah and Virginia. A notable difference in Connecticut’s law is the absence of an annual revenue threshold. In other words, an organization won’t fall into scope of the law because of its annual revenue. Exempted entities include state and local governments, nonprofits and higher education. As more states join the data privacy law bandwagon, it’s important to ensure that both your organization and the third parties handling data on its behalf remain in compliance.

Healthcare supply chain risks in spotlight after ransomware: A recent ransomware attack on a California-based medication management systems provider is a critical reminder of the cybersecurity threats facing healthcare. Omnicell disclosed to the SEC that it was the victim of ransomware that affected its internal IT systems. The filing stated that Omnicell took immediate steps to respond to the incident and implemented its business continuity plans to keep operating. The company also acknowledged the significant risk of cyber threats and data breaches within the supply chain, while noting that cyber insurance coverage is shrinking. A key takeaway from an incident like this is that healthcare providers and their suppliers need to remain vigilant against these attacks while also being prepared to intervene quickly.

Banking groups take issue with SEC cybersecurity rules: After the SEC announced its proposed rules on cybersecurity risk management in March, certain banking trade bodies are warning that they fall short of addressing other policy goals. The Bank Policy Institute, American Bankers Association and others are generally supportive of the proposals but believe that certain requirements related to incident disclosures were made “without sufficient regard” to security risks. The groups argue that periodic disclosures shouldn’t have to reveal details around remediation activities as this would be beneficial to threat actors. As third-party security incidents are one of the leading threats to organizations today, it should be interesting to see how this debate will play out. Read the full joint trades letter to learn more.

Recently Added Articles as of May 12

This week, the White House hired a former Microsoft executive and an ex-CIA leader to strengthen the country’s cybersecurity efforts. The UK’s critical infrastructure is seeing an increase in cyberattacks and a ransomware attack is to blame for the permanent closure of a historic school. NIST has also revised its guidance on supply chain cybersecurity. Read on for more of this week’s highlights.

Secure connectivity for third-party access: Some studies attribute more than half of all data breaches to third parties. It’s estimated that cybersecurity risk will soon be the deciding factor for many organizations when choosing third-party vendors. Vendors looking for a competitive advantage will need to implement technology that is effective in controlling, managing and securing their connectivity into customer networks. Third parties will also need to re-evaluate their security measures to stay on top of industry-wide threats. Organizations are no longer just looking for vendors to perform a job. They want a strategic business partner who is actively managing cybersecurity risk.

Cyberattacks rising among UK critical infrastructure: UK professionals in the transport and aviation sectors are voicing their growing concerns about the potential for cyber warfare. Since the beginning of Russia’s invasion of Ukraine, the UK’s critical national infrastructure (CNI) has faced more cyberattacks and many security professionals are worried about vulnerable systems. A recent survey found that one in ten security decision makers aren’t confident in their teams’ ability to handle a cyberattack. CNI operators are advised to collaborate with their peers and implement threat intelligence to strengthen their resilience strategy. We’ve seen how the Russia-Ukraine conflict continues to have a global impact, so it’s imperative to monitor these emerging threats that could potentially affect your organization.

Corporate compliance’s expansion into ESG: As ESG initiatives gain traction in today’s business environment, many are wondering where this responsibility lies. Corporate compliance professionals are likely the most prepared to manage ESG, but they still need proper guidance to effectively incorporate ESG efforts into their programs. The EU is leading the way when it comes to regulatory frameworks on ESG transparency, and many organizations are developing their own strategies to prepare for formal regulations. It’s important to remember that ESG isn’t just about an organization’s carbon footprint. It also extends to environmental and social issues within its third parties. Reputation risk is a concern if your third parties are engaged in unsavory practices, so it’s essential to understand your third-party ecosystem.

Microsoft and CIA alumni join White House cyber program: The Biden Administration is making good on its promise of protecting the country from cyber threats. The Office of the National Cyber Director is gaining a few high-level executives to strengthen cybersecurity in the United States. Former Microsoft executive, Kemba Eneas Walden, previously led a program to combat ransomware and will be the new principal deputy national cyber director. Neal Higgins, who previously served as a senior CIA official, brings a background of cybersecurity and open-source collection. With the addition of these new experts in the White House, let’s hope that we see a decrease in cybersecurity crises moving forward.

Malicious apps found on Google Play Store: Joker malware is still playing tricks on Android users, as a new set of trojan-infected apps was discovered on Google Play. The malware allows attackers to steal texts, contact lists and other device information. The infected apps are often disguised as messaging, health tracking or PDF scanner applications. Experts warn that Joker proves that basic security and mobile device management alone aren’t enough to protect against these types of attacks. If you download an app from an official store, it’s important to read the reviews and verify the legitimacy of the developer. And, be selective when granting permissions, which should cover only what the app needs to perform its intended functions. Due diligence best practices aren't only relevant to third-party risk management… they can also help keep you safe from harmful apps!

Microsoft Security Experts combine humans and machines: Microsoft is offering new managed cybersecurity services that use both machine learning and human skills. The goal of Security Experts is to help organizations achieve their goals around security, privacy and compliance. One new service, Defender Experts for XDR, aims to detect, analyze, investigate and respond to threats across email, cloud and other apps. These new services arrive at a time when many organizations are facing a labor shortage in their cybersecurity teams. Machine learning may help fill gaps in cybersecurity programs, but it’s evident that humans are still an essential part of an organization’s strategy.

Ransomware attack permanently closes Lincoln College: A college in Illinois is shutting down after 157 years, thanks in part to a ransomware attack in December. The college had previously survived other crises throughout its history, such as a major fire, the Great Depression and the 2008 financial disaster. The ransomware attack impacted admissions activities and prevented the staff from accessing institutional data. Many schools have been victims of these types of attacks, but this marks the first time that a school will permanently close as a result. Tragic stories like these serve a valuable lesson in the importance of cybersecurity practices and effective business continuity and disaster recovery plans. Cyberattacks can happen to anyone, so it’s critical to know how to respond and recover.

Lessons learned from vendor incidents: Most organizations have at least a few critical vendors that have a significant impact on their operations. Keep in mind that these same vendors are also primary targets for threat actors who are seeking out sensitive data for extortion. It’s important to strengthen your defenses to protect against the damages of vendor incidents. Be aware that identification and notification timelines can vary. Make sure you’re aware of your vendors’ ransomware playbooks and the results of their tabletop exercises. The process and extent of information sharing will also vary among different vendors. Remember that initial and recurring due diligence is key to evaluating a vendor’s compliance with security requirements. Also, don’t forget that vendor incidents can potentially lead to regulatory inquiries and class actions for your organization.

Healthcare faces unique third-party risk challenges: The healthcare industry faces the highest average cost of a data breach, highlighting the fact that third-party risk management (TPRM) is an important area of focus. Healthcare organizations of all sizes are exposed to different areas of third-party risk, including strategic, financial, regulatory, environmental, cyber and human capital. This final risk relates to the impact that a vendor might have on a healthcare workforce that has already faced significant pandemic-related stress. It’s important to consider how a vendor’s work will affect employee morale, recruitment and retention. Minimizing third-party risk begins with onboarding, but ongoing monitoring is just as essential. Building a strong TPRM foundation begins with understanding the right questions to ask your vendors and forming an alliance to properly assess risk.

Overlooked risks in third-party physical security: Cybersecurity risk usually gets all the attention when it comes to third parties, but physical and other non-IT risks can’t be ignored. A 2022 study on third-party risk management found that 40% of organizations are focusing more on non-IT risks such as modern slavery, anti-money laundering (AML) and corruption. These risks can lead to compliance violations, fines and reputational damage just as a breach can. While cyber threats are certainly a concern, a strong third-party risk management program should account for all types of threats.

New NIST guidance for supply chain cybersecurity: The National Institute of Standards and Technology (NIST) has published a revision (SP 800-161 Rev. 1) of its publication Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which details how to identify, assess and respond to risks throughout the supply chain. The revision responds to last year’s Executive Order 14028 on improving the nation’s cybersecurity. One highlight encourages security professionals to evaluate the vulnerabilities of a product’s components rather than just the finished product. The revised publication is primarily meant for acquirers and end users of software, products and services.
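The C-SCRM article above tells you to document your supply chain, and the NIST revision tells you to assess a product’s components rather than just the finished product. The script below is an added example, not code from Venminder, NIST or any vendor, of what that looks like in practice: it walks a CycloneDX-style software bill of materials (SBOM), including nested components, and checks every entry against an advisory list. The SBOM, the package names, the versions and the advisory IDs are all constructed for illustration and are not real products or CVEs.

```python
"""Check an SBOM's components, not just the finished product, against advisories.

Added example (not from the article or from NIST). The SBOM below is a constructed
CycloneDX 1.4-style document and the advisory list is made up for illustration; the
package names, versions and advisory IDs are assumptions, not real software or CVEs.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical vendor-supplied appliance image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "acme-gateway", "version": "4.2.0", "type": "application"}},
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.2.3",
     "purl": "pkg:generic/libexample-tls@1.2.3",
     "components": [
       {"type": "library", "name": "libexample-asn1", "version": "0.9.1",
        "purl": "pkg:generic/libexample-asn1@0.9.1"}
     ]},
    {"type": "library", "name": "examplejson", "version": "2.8.0",
     "purl": "pkg:generic/examplejson@2.8.0"}
  ]
}
"""

# Constructed advisory feed: advisory id, affected package name, first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "name": "libexample-asn1", "fixed_in": "0.9.2"},
    {"id": "EXAMPLE-2022-0002", "name": "examplejson", "fixed_in": "2.7.5"},
    {"id": "EXAMPLE-2022-0003", "name": "acme-gateway", "fixed_in": "4.1.0"},
]


def version_key(v):
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric, not lexical.

    Non-numeric segments (e.g. 'rc1') sort below any number; good enough for
    dotted versions, which is what this SBOM uses.
    """
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def walk_components(components, path=()):
    """Yield (path, component) for every component, recursing into nested ones.

    Nested components are the fourth-party dependencies the article warns about:
    a library bundled inside a library the vendor shipped.
    """
    for c in components:
        here = path + (c["name"],)
        yield here, c
        yield from walk_components(c.get("components", []), here)


def find_vulnerable(sbom_text, advisories=ADVISORIES):
    """Return one finding per (component, advisory) where the shipped version is below the fix."""
    sbom = json.loads(sbom_text)
    top = sbom["metadata"]["component"]
    # The finished product is just one more entry in the inventory.
    inventory = [((top["name"],), top)] + list(walk_components(sbom.get("components", [])))
    findings = []
    for path, comp in inventory:
        for adv in advisories:
            if adv["name"] == comp["name"] and version_key(comp["version"]) < version_key(adv["fixed_in"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": "/".join(path),   # path shows which top-level part pulls it in
                    "version": comp["version"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON):
        print(f"{f['advisory']}: {f['component']} {f['version']} (fixed in {f['fixed_in']})")
```

In the constructed data the finished product (acme-gateway 4.2.0) is above its fixed version and would pass a product-only check, but the transitive dependency libexample-asn1 0.9.1 inside libexample-tls is not, which is exactly the gap the NIST guidance is pointing at. The same walk works on a real CycloneDX SBOM from a vendor once you swap the advisory list for a real feed.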

Recently Added Articles as of May 5

As we head into May, we have some interesting articles on how third-party risk impacts e-commerce sites and why cybercriminals are benefitting from remote work. Supply chain disruption continues to be a struggle, but there are a few tips to help improve relationships with suppliers. Cloud technology has increased the risk of supply chain attacks and vendor management systems can potentially ease labor shortages in healthcare. We also have an update on U.S. data privacy laws, so read on for all the details!

Preventing supply chain attacks in the cloud: A recent survey found that 36% of respondents are operating in multiple cloud platforms, a number expected to double over the next three years. Organizations have rapidly shifted to the cloud during the pandemic and attackers have followed in their footsteps. Vendor supply chain attacks in the cloud continue to be a threat, so organizations need to take an active approach in mitigating these risks. It’s essential to understand which vendors operate in a cloud environment and what privileges those vendors have. Organizations should also know what type of visibility they have into a vendor’s access and activity as well as the typical access chain for the identity. After establishing a baseline on a vendor’s access and activity, it’s easier to monitor for any deviations and detect anomalies. Security teams are then able to isolate the permissions if a vendor gets compromised.
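The article’s advice to baseline a vendor identity’s access and activity and then alert on deviations is easy to state and worth seeing in code. The following is an added example, not code from Venminder or from the article’s source: it reads CloudTrail-style events, learns which (service, action) pairs a vendor role normally performs and from which network, and then flags new events that fall outside that baseline. The log lines, the account ID, the role name and the vendor’s declared IP range are all constructed for illustration.

```python
"""Baseline a third-party identity's cloud activity and flag deviations.

Added example (not from the Venminder article). The events below are constructed,
CloudTrail-style records; the account ID, the vendor role name and the IP ranges
are assumptions for illustration only.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample: a learning window of "known good" activity for a vendor role.
BASELINE_LOG = """
{"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/VendorMonitoringRole/acme-poller"},"eventSource":"cloudwatch.amazonaws.com","eventName":"GetMetricData","sourceIPAddress":"203.0.113.10"}
{"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/VendorMonitoringRole/acme-poller"},"eventSource":"logs.amazonaws.com","eventName":"FilterLogEvents","sourceIPAddress":"203.0.113.11"}
{"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/VendorMonitoringRole/acme-poller"},"eventSource":"cloudwatch.amazonaws.com","eventName":"ListMetrics","sourceIPAddress":"203.0.113.12"}
"""

# Constructed sample: today's activity, containing two deviations from the baseline.
NEW_LOG = """
{"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/VendorMonitoringRole/acme-poller"},"eventSource":"cloudwatch.amazonaws.com","eventName":"GetMetricData","sourceIPAddress":"203.0.113.10"}
{"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/VendorMonitoringRole/acme-poller"},"eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.10"}
{"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/VendorMonitoringRole/acme-poller"},"eventSource":"cloudwatch.amazonaws.com","eventName":"GetMetricData","sourceIPAddress":"198.51.100.7"}
"""

# Assumption: the egress range the vendor declared in its due-diligence questionnaire.
VENDOR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def role_of(event):
    """Collapse an assumed-role session ARN to the role name so all sessions share one baseline."""
    arn = event["userIdentity"]["arn"]
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/")[1].split("/")[0]
    return arn


def parse_log(text):
    """One JSON event per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(events):
    """Map role name -> set of (eventSource, eventName) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[role_of(ev)].add((ev["eventSource"], ev["eventName"]))
    return baseline


def detect_anomalies(baseline, events, allowed_networks=VENDOR_NETWORKS):
    """Return (role, reason) findings for actions or source IPs outside the baseline.

    Two independent checks per event: an API action the role has never used, and a
    source address outside the vendor's declared ranges. Both fire separately so a
    known action from an unknown network is still reported.
    """
    findings = []
    for ev in events:
        role = role_of(ev)
        pair = (ev["eventSource"], ev["eventName"])
        ip = ipaddress.ip_address(ev["sourceIPAddress"])
        if pair not in baseline.get(role, set()):
            findings.append((role, f"new action {pair[1]} on {pair[0]}"))
        if not any(ip in net for net in allowed_networks):
            findings.append((role, f"source {ip} outside declared vendor ranges"))
    return findings


def run():
    """Learn from the baseline window, then score the new events."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(baseline, parse_log(NEW_LOG))


if __name__ == "__main__":
    for role, reason in run():
        print(f"[ALERT] {role}: {reason}")
```

On the constructed input the first new event matches the baseline and is silent; the second is a first-ever S3 call from the monitoring role and the third is a familiar call from an address the vendor never declared. In production you would build the baseline from a longer window and feed the detector from your log pipeline, but the shape of the logic, learned (service, action) pairs plus declared networks per vendor identity, is the part the article leaves unstated.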

E-commerce sites aren't immune to third-party risk: Highly regulated industries such as finance, healthcare and insurance are often the main players when it comes to third-party risk management, but e-commerce websites are just as vulnerable to third-party risk. According to a recent study of over two billion user sessions, 144,000 customer data records were at risk of leaking thanks to third-party services that were running on the e-commerce sites. This had the potential to lead to $1.6 million in damages. Third-party plugins are often used on sites to manage things like analytics and customer service, giving attackers multiple access points to steal sensitive data. Smaller sites hosting on open-source software can face different challenges and risks as they don’t always have access to vulnerability and remediation information. The findings from the survey also highlighted how quickly a third-party service can become infected with little to no awareness from the victim websites.

American Dental Association hit with ransomware: The American Dental Association (ADA) appears to be the latest victim of the Black Basta crime group, which claims to have deployed ransomware on the ADA’s systems. The criminals claimed to have leaked 30% of the data they stole, though the ADA has found no evidence that members' data was compromised. The same group was responsible for an April cyberattack on a German wind turbine company. Researchers suggest that Black Basta may be a rebrand of the Conti group because of similarities in its tradecraft, including its double extortion approach. As with any high-profile incident, this serves as a reminder to stay on guard against potential cyberattacks.

Europol warns of deepfake threats to cybersecurity: You may have seen deepfake technology making the rounds online with celebrity faces superimposed on different bodies. This is often done for satire or entertainment rather than nefarious goals. However, experts are warning that the technology could be used by criminals to spread disinformation, execute phishing and business email compromise (BEC) attacks, falsify evidence and even manipulate financial markets. Deepfakes are often convincing enough that the human eye can’t detect the forgery, but new detection technology is emerging to combat the problem. The European law enforcement agency Europol recommends that organizations rely on audio-visual verification rather than audio alone. Demanding a live video connection is another strategy that can help avoid being deceived by deepfakes. Cyber threats will continue to evolve into more sophisticated methods, so it’s critical to stay vigilant about risks that can ultimately impact your organization.

Millions of Aruba and Avaya devices contain bugs: Five critical vulnerabilities have been identified in Aruba and Avaya network devices, some of which can be triggered without authentication or user interaction. About 10 million devices are affected and, if exploited, the flaws allow lateral movement to other devices from which corporate data can be stolen. The researchers traced the bugs to the vendors’ use of a third-party TLS library (NanoSSL), which makes this a software supply chain issue as much as a patching one. They also noted that Aruba’s captive portals are an exposed attack path, so organizations with affected Aruba or Avaya devices should patch them immediately.

Outsourcing medical device manufacturing: Nearly every organization relies on outsourcing, either to reduce costs or access specialized capabilities. For those in the medical industry, outsourcing manufacturing capabilities requires special considerations. Outsourcing the production of medical devices is known as contract manufacturing and this practice can provide many benefits including streamlined logistics, decreased lead time and access to product experts. When selecting a contract manufacturer, business leaders should consider whether the vendor has experience with the specific device and whether they can provide all the necessary services. It’s also a good idea to assess the manufacturer’s reputation and evaluate long term business needs. While these suggestions are aimed towards the medical industry, these are best practices that can benefit nearly every organization.

Remote everything gives cybercriminals an edge: It’s no secret that many employees have embraced remote working. And, the same can be said for cybercriminals. Security researchers have found that adversaries are optimizing remote-work attack vectors to deploy various malware variants. Phishing lures or scripts are typically used to inject malicious code or redirect users to dangerous sites. Three broad distribution mechanisms have been identified: Microsoft Office documents, PDF files, and HTML and JavaScript browser scripts. Remote environments are expanding the attack surface, but there are ways to address the problem. Security teams need to implement solutions that follow, enable and protect users wherever they work. Endpoint security and zero trust network access are also valuable tools. In general, it’s a best practice to take a comprehensive approach that considers all work possibilities, whether in the office or at home.

Six data breaches lead to personal health information (PHI) exposure: Hacked email accounts are to blame for six separate data breaches on HIPAA-regulated entities. A phishing attack was behind an incident at a Colorado-based provider as well as one at the Los Angeles County Department of Mental Health. Another incident in Iowa was linked to an employee who sent unauthorized emails to internal and external addresses. It’s evident that social engineering attacks continue to be a primary threat for many organizations, not to mention poor cybersecurity practices by employees. As healthcare data is a prime target for cybercriminals, it’s more important than ever to implement effective cybersecurity education and training.

The latest on U.S. data privacy laws: Until the U.S. establishes federal legislation for data privacy, business leaders need to stay on top of the various state laws that can impact their organization. State privacy laws are in place to protect users’ personal data from being mishandled or maliciously used. Some laws state that an organization needs explicit permission to handle data in a certain way while other laws allow users to ask for permanent deletion of their data. Existing federal data privacy laws apply to specific types of data and individuals, such as the Gramm-Leach-Bliley Act which governs financial institutions, and the Health Insurance Portability and Accountability Act which covers protected health information. At the state level, California and Virginia are leading the way in having the most comprehensive privacy laws to date. Colorado and Utah also have legislation, but there’s still a ways to go before we see the rest of the U.S. join in.

DDoS attacks target Ukrainian and Romanian authorities: Ukraine and its allies continue to be targeted in pro-Russian cyberattacks. One of the latest was launched by the group Killnet, which specializes in distributed denial-of-service (DDoS) attacks. Public and private Romanian organizations were impacted, including the Ministry of Defense and Romanian Railways. Killnet was also responsible for recent attacks on critical infrastructure in the Czech Republic, though it failed to access private citizen data. Interestingly, the group has stated that it doesn’t wish to harm people of other countries, but rather to “create maximum damage to the network info structure of enemy countries." Though your organization may not have a direct link to Ukraine, it's important to consider whether your vendors could be impacted by these attacks.

SEC’s proposed climate rules bring increased litigation risks: If the SEC’s recently proposed rules on climate disclosures are implemented, they'll inevitably increase enforcement and litigation risks related to environmental, social and governance (ESG) issues. Organizations should be aware of these risks and how they extend to their third parties. There will likely be comparisons between an organization’s SEC disclosures and other public statements such as sustainability reports and website marketing. Business leaders should also expect greater scrutiny of public information on relevant operations within their organization and supply chain. The proposed disclosures would expose an organization’s management and operations to closer examination, leading to an increased likelihood of shareholder actions, proxy fights and board election battles. It’s recommended to maintain a strong and integrated risk assessment and compliance program to address the SEC’s proposed rules and mitigate risk.

Five strategies for supply chain disruption: It can sometimes feel as though supply chain disruptions will never end. Global events like the pandemic and Russia’s invasion of Ukraine have continued to highlight the need for organizations to improve vendor relationships so they can maintain supply. Managing suppliers can be improved with five simple strategies. First, treat your suppliers like partners to achieve a win-win relationship. Second, create strategic long-term agreements to ensure uninterrupted supply and open opportunities for sustainability and innovation. Third, create supplier performance scorecards; they’re a valuable tool that sets clear expectations and lets you provide immediate feedback if improvement is needed. Fourth, write contract clauses carefully to safeguard against legal disputes or risk events. Finally, regularly reassess your supplier inventory against business priorities.

Vendor management systems are at the center of a healthcare study: Are vendor management systems the answer to labor shortages in healthcare? This is the question Cross Country Healthcare is hoping to answer in a new study which will evaluate the use of vendor management systems to automate and streamline the hiring process. A centralized platform provides users with valuable data allowing for more informed hiring decisions. Cross Country Healthcare Chief Commercial Officer, Dan White, noted that government mandates and increased support for healthcare IT solutions have been a driving force behind the growth of this market. A study found that 40% of healthcare providers currently use vendor management systems with data security and improved processes being the top benefits.

Privilege escalation flaws found in Linux OS: Microsoft has identified two privilege escalation vulnerabilities, collectively named Nimbuspwn, in the networkd-dispatcher component found on many Linux distributions. The flaws can be chained to gain root privileges, allowing attackers to deploy payloads and perform other malicious activities. Tracked as CVE-2022-29799 and CVE-2022-29800, they could ultimately be used to deploy ransomware, Microsoft noted. The steady stream of Linux vulnerabilities emphasizes the need for robust monitoring and for comprehensive, proactive vulnerability management. As most experts will agree, an effective cybersecurity strategy includes clearly defined details on how to prevent, detect and respond to incidents.
