Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


MOVEit Ransomware Breach: Third-Party Risk Management Next Steps

4 min read
Featured Image

Multiple cyber hacking incidents have occurred by exploiting SQL injection vulnerabilities in Progress Software's MOVEit file transfer application, enabling hackers to access the server database. MOVEit is software designed to move sensitive files securely and is popular around the world.

There are likely to have been hundreds of organizations affected worldwide, with about 50 confirming the hack either directly or indirectly. Organizations affected include the BBC, British Airways, U.S.-based financial services firms, global cloud computing provider Extreme Networks, and others. In the coming days, many more MOVEit breach victims are expected to be identified.

According to the FBI and CISA (Cybersecurity and Infrastructure Security Agency) warnings last week, the CL0P ransomware gang, also known as Clop, exploited previously unknown MOVEIt vulnerabilities. A Reuters journalist and Bleeping Computer reporter were reportedly contacted Monday by representatives of the CL0P ransomware gang taking credit for the attacks. CL0P announced on Tuesday that it had exploited the MOVEit flaw to steal information from at least 47 organizations before demanding payment to prevent them from being published online in a rapid hacking spree. 

In the past, CL0P has demanded ransoms of up to millions of dollars. However, law enforcement agencies worldwide strongly advise organizations against paying them because it only further encourages criminals. It was reported on Wednesday that CL0P began posting the names of organizations on its darknet website. As of Thursday, there was still no conclusion to the incident as it was revealed that several U.S. government agencies, including the Department of Energy, had been affected. However, CISA has not provided specific information regarding which agencies were compromised.

moveit ransomware breach third party risk management

How to Respond to the MOVEit Breach From a Third-Party Risk Management Perspective

The situation is still unfolding, and there's much we don't know. This includes which organizations have been affected and if sensitive data will actually be leaked by hackers. It's likely that your organization doesn't yet fully understand if they have been affected directly or indirectly through its vendors. What we do know, however, is that a passive "wait and see" approach is not very wise. 

Instead, you should take the following six steps in your third-party risk management program:

  1. Collaborate with your organization's cybersecurity team. Ask for their guidance and teamwork as the situation progresses. For example, if new technical information regarding patching or other remediation methods is released, your cybersecurity team should help you craft communication or instructions for your vendors.
  2. Determine which of your vendors use MOVEit. This can be accomplished by issuing a short questionnaire asking:
    • Does your organization use an affected version of MOVEit Transfer in your environment? IF YES:
      • Has your organization disabled traffic to your MOVEit Transfer environment as recommended?
      • Was your organization's instance of MOVEit improperly accessed due to these vulnerabilities?
      • Have you applied the most up-to-date patches provided by MOVEit?
      • Have you reviewed your audit logs for signs of unexpected or unusual file downloads?
      • What data is processed and stored in MOVEit in relation to our organization and customers?
      • Please include any official response or bulletin your company has released.
  3. Check the vendor contract. Make sure to review your vendor’s contract for data breach notification requirements to ensure that your vendor is meeting their obligations. 
  4. Notify any impacted customers. If you find that your customer's information was affected by the data breach, you'll want to limit the impact and protect your reputation. Make sure to follow your organization’s breach notification protocols and notify your customers quickly if their data was compromised. It's considered a best practice to offer them at least a year of free credit monitoring services.
  5. Perform cybersecurity due diligence for similar vendors. If you have technology vendors that are similar to MOVEit and provide data storage/transfer services, remember to take a closer look at the following due diligence items:
    • Application penetration testing
    • Static and dynamic code analysis
    • Change management program
    • File integrity monitoring
    • Encryption at rest and in transit
  6. Stay updated with the official information. The following links provide important technical details and updates from Progress Software:

These days, cyber and ransomware attacks are more common than ever. It's always a matter of when, not if your organization will be affected by a cyberattack. In these situations, effective third-party risk management systems and routines can help you minimize fire drills. 

For example, comprehensive and up-to-date vendor inventories should include current contact data, as well as product or service information. Having that information at your fingertips will make it much easier to issue urgent communications or requests to your vendors in situations such as the MOVEit breach. 

If your vendor due diligence documentation is current and well organized, you can quickly narrow your requests for any additional vendor information that might be needed. This will be incredibly beneficial when you discover a need for off-cycle due diligence due to a cyberattack or another serious issue. 

While the MOVEit breach reminds us that there is never any shortage of urgent issues to address, having the right third-party risk management practices in place can help your organization respond to them in an effective and timely way.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo