Law firms, financial software providers, and security vendors are confronting increasing supply-chain vulnerabilities, prompting a shift towards continuous monitoring, risk-based segmentation, and stricter contractual controls to safeguard sensitive data and prevent major breaches.
Law firms, financial software vendors, online marketplaces and the security providers that serve them are confronting a widening and more complex panorama of supply‑chain exposure, forcing ...
Legal practices are now widely recognised as high‑value targets because of the sensitive material they hold. According to the American Bar Association, firms routinely process privileged communications, trade secrets, client financial information and personal data through an ecosystem of third‑party suppliers. That mix, the ABA warns, creates multiple attack vectors: insecure software updates, weakly worded contracts, undisclosed fourth‑party subprocessors and unregulated use of client material to train generative AI models. The ABA recommends standardising contractual language across vendor portfolios, demanding full disclosure of subprocessors and imposing strict vendor AI policies to limit unwanted training or reuse of client data.
Those recommendations resonate with findings from KPMG’s 2026 Global Third‑Party Risk Management Survey, which shows many organisations remain some distance from a mature, enterprise‑wide approach. The consulting firm reports just 18% of TPRM programmes are fully integrated with broader enterprise risk management, only 15% of leaders express strong confidence in their TPRM data, and a mere 5% have adopted end‑to‑end managed services. KPMG notes that while 22% of respondents viewed AI as very effective for TPRM, most are still experimenting rather than operating at scale. The firm advises a shift from broad, checklist‑style screening to targeted, risk‑based segmentation, improved alignment between TPRM and enterprise risk functions, and greater visibility into Nth‑party relationships that sit several links down the chain.
Evidence of why that visibility matters keeps mounting. The makers of Marquis Software have filed suit against firewall vendor SonicWall, alleging a February 2025 cloud breach exposed unencrypted multi‑factor authentication scratch codes and device configuration data via an insecure API. Marquis claims the exposed data, including predictable device serial numbers used as access keys, enabled attackers to mount a ransomware campaign that later compromised data at more than 700 banks and credit unions. The complaint accuses SonicWall of failing to encrypt sensitive information and of delaying disclosure.
Similarly, an incident affecting ManoMano flowed through an overseas third‑party customer‑service provider, with the threat actor claiming to have lifted 37.8 million customer accounts and almost one million support tickets. ManoMano disputes the scale, but the material allegedly contained names, email addresses, telephone numbers and service correspondence across several European countries. Stolen support logs and attached documents, security analysts say, are fertile ground for highly convincing phishing and social‑engineering campaigns.
These breaches underline a recurring blind spot: plugin and integration ecosystems. Security commentators note attackers increasingly go after third parties because that is where rich datasets are concentrated. Plugin modules and embedded integrations present particular difficulty; once woven into multiple systems they are hard to excise and are easily overlooked as teams reorganise or personnel move on. Practical steps still matter (regular contract reviews, documented vendor‑risk processes and automation of data collection), but industry voices stress these measures must be paired with continuous monitoring and stronger control of downstream suppliers.
The consequences extend to managed security providers. With supply‑chain dependencies expanding the attack surface, MSSPs and MSPs that cling to manual, point‑in‑time assessments risk becoming liabilities rather than partners. Security advisers argue smaller organisations are especially vulnerable because they lack in‑house tools and scale, while larger enterprises attract campaigns capable of outsized impact. For service providers, the imperative is clear: evolve towards continuous, structured oversight and embed zero‑trust principles and automation into supplier governance.
Taken together, the developments present a practical playbook for organisations aiming to reduce exposure. Industry analysts advocate applying risk‑based segmentation to concentrate scrutiny on the most critical relationships; extending discovery beyond direct suppliers to identify fourth‑ and Nth‑party links; automating evidence collection and monitoring to move from periodic checks to near‑real‑time awareness; and treating contractual protections (including encryption, multifactor authentication, subprocessor disclosure and incident notification timelines) as central, enforceable controls rather than boilerplate.
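As an added illustration of the playbook above (not code from the article or any vendor it names), the following script walks a constructed supplier graph to surface fourth‑ and Nth‑party links, lets each subprocessor inherit the most sensitive data class it touches, and reports which baseline contractual controls each vendor cannot evidence. All vendor names, attested controls and the control baseline are assumed sample data.

```python
from collections import deque

# Constructed supplier graph: each vendor's disclosed subprocessors (illustrative names).
SUBPROCESSORS = {
    "ediscovery-platform": ["cloud-host-a", "ocr-service"],
    "ocr-service": ["ml-api-b"],
    "billing-saas": ["payment-gateway"],
    "payment-gateway": ["cloud-host-a"],
}
# Constructed attested controls per vendor, as a questionnaire or contract would record them.
CONTROLS = {
    "ediscovery-platform": {"encryption_at_rest", "mfa", "subprocessor_disclosure", "notify_72h"},
    "cloud-host-a": {"encryption_at_rest", "mfa", "notify_72h"},
    "ocr-service": {"mfa"},
    "billing-saas": {"encryption_at_rest", "mfa", "subprocessor_disclosure", "notify_72h"},
    "payment-gateway": {"encryption_at_rest", "mfa", "notify_72h"},
}
# Direct vendors and the data class they receive; RANK orders classes by sensitivity.
DIRECT = {"ediscovery-platform": "privileged", "billing-saas": "financial"}
RANK = {"financial": 1, "privileged": 2}
# Minimum contractual controls per data class (an assumed baseline for this example).
BASELINE = {
    "privileged": {"encryption_at_rest", "mfa", "subprocessor_disclosure", "notify_72h", "no_ai_training"},
    "financial": {"encryption_at_rest", "mfa", "notify_72h"},
}

def discover_chain(direct=DIRECT, graph=SUBPROCESSORS):
    """Breadth-first walk from direct vendors down to Nth parties.
    Returns {vendor: (shortest_hop, most_sensitive_class)}; a subprocessor
    inherits the most sensitive data class of any chain it sits on."""
    found = {}
    queue = deque((v, 1, c) for v, c in direct.items())
    while queue:
        vendor, hop, cls = queue.popleft()
        prev = found.get(vendor)
        if prev and prev[0] <= hop and RANK[prev[1]] >= RANK[cls]:
            continue  # already recorded at least as close and as sensitive
        best_hop = min(hop, prev[0]) if prev else hop
        best_cls = max(cls, prev[1], key=RANK.get) if prev else cls
        found[vendor] = (best_hop, best_cls)
        for sub in graph.get(vendor, []):
            queue.append((sub, hop + 1, cls))
    return found

def control_gaps(chain, controls=CONTROLS):
    """Baseline controls each vendor cannot evidence; an empty list means compliant.
    A vendor absent from CONTROLS (an undisclosed Nth party) fails every control."""
    return {v: sorted(BASELINE[cls] - controls.get(v, set()))
            for v, (_, cls) in chain.items()}
```

Run `control_gaps(discover_chain())` to see that the undisclosed third‑hop vendor inherits the privileged baseline and fails all of it, which is the kind of Nth‑party gap a direct‑supplier review never surfaces.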
The picture painted by recent reporting and surveys is unambiguous: third‑party risk is no longer an operational footnote. Organisations that continue to treat vendor oversight as a checkbox exercise will likely face more damaging incidents, while those that adopt continuous, data‑driven, and risk‑prioritised approaches will be better placed to limit both immediate compromise and the longer tail of supply‑chain fallout.
Source: Noah Wire Services