Your Vendors Are a Risk You Cannot Ignore. Here Is How Boards Should Own It.

Most companies review their suppliers and tick the boxes. Far fewer can actually say how much financial damage a vendor failure would cause them. That gap is the problem.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial 16:9 image of a large corporate server room at night, rows of blinking rack-mounted servers casting blue and orange light across a poli
Share

Key points

  • A single vendor failure can trigger legal penalties, insurance gaps, lost customers, and broken operations all at once.
  • Most organisations build vendor-review programmes but cannot translate those reviews into a clear picture of what financial exposure remains.
  • Boards need a concise, numbers-based report on vendor risk, separate from the operational detail that management handles day to day.
  • Risk transfer tools such as insurance and indemnity clauses can coexist with serious unprotected exposure on a company's balance sheet.
  • Aggregating individual vendor exceptions matters: ten individually acceptable risks in the same system or data category can add up to one unacceptable one.

Every company relies on outside suppliers. A payroll processor. A cloud storage provider. A software platform that runs the booking system. When one of those suppliers fails, gets attacked, or simply goes dark, the damage lands on you, not them.

A piece published by Dark Reading, written by HITRUST founder Dan Nutkis, sets out a practical governance model for exactly this problem. The argument is simple. Most companies already run vendor-review programmes: they collect questionnaires, check compliance certificates, and sign contracts with liability clauses. That activity is necessary. It is not sufficient.

So what is actually missing?

What is missing is a clear answer to the financial question: after all those reviews and contracts and insurance policies, how much are we still on the hook for if a supplier lets us down?

Nutkis lays out a sequence of steps. First, measure the real leftover risk after every protection is counted. Second, check how much of the supplier base has actually been reviewed, and be honest about whether old or self-reported evidence is good enough. Third, compare that picture against the organisation's own stated appetite for risk. If the exposure sits outside what leadership agreed to accept, someone should be explaining why.

Exceptions happen. A business deal moves fast and a vendor gets approved before the full review is done. That is fine, so long as someone owns the decision, sets a deadline to fix it, and makes the risk visible rather than burying it in a spreadsheet.

The aggregation point deserves a pause. One vendor handling sensitive data outside normal standards is a manageable exception. Ten vendors, each approved on the same basis, all touching the same billing platform or the same cloud provider, is a portfolio problem. The individual decisions looked fine. Together they create a concentration of risk that could be genuinely material if something goes wrong.

Insurance and indemnity clauses deserve the same scrutiny. A signed contract and a valid insurance certificate feel reassuring. They do not automatically mean the company is protected. Boards should ask what the transferred portion actually covers and what stays on the balance sheet regardless.

For ordinary customers, patients, or employees whose data sits inside these supplier chains, the practical reality is straightforward. You cannot control how your bank or hospital manages its vendors. You can watch for unusual contact, check your accounts after any supplier breach is announced, and take notification letters seriously when they arrive.

For the organisations themselves, the message from this framework is that activity and governance are not the same thing. Counting completed reviews is activity. Knowing the residual financial exposure is governance. Boards need the second one.

© 2026 Threat Vectr