Boardroom Tool

Board Oversight of Third-Party & Supply Chain Cyber Risk

By Kris Lovejoy

04/16/2026

Partner Content Provided by Internet Security Alliance

This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, provides questions directors can ask to ensure that key components of third-party and supply chain risk management are being managed effectively.

Introduction

While third-party technology and services are essential for business, they introduce significant and escalating risks that can impact profitability and reputation.

This threat is accelerating and expanding. According to Verizon’s 2025 Data Breach Investigations Report, compared to 2024 data “the percentage of breaches where a third party was involved doubled, going from 15% to 30%.” Adversaries are increasingly targeting everything from major software vendors to foundational open-source tools, as seen in the 2024 XZ-utils backdoor incident.

A board’s oversight must now extend beyond the company’s walls to its third- and fourth-party dependencies. This expanded responsibility is underscored by new SEC disclosure rules requiring boards to report on their governance of third-party cyber risk.

Questions the Board Can Ask Management About Third-Party and Supply Chain Cyber Risks

Governance and Strategy — Who Owns This?

Objective: Third-party risk is treated as a core enterprise risk, not a siloed issue, with clear accountability.

  • Is there a centralized function or a designated executive who owns this risk across the enterprise, and how does the board receive clear assurance of their effectiveness?
  • How is management assessing the impact of new technologies like AI in this risk area?
  • How well is our third-party risk management program integrated into our overall enterprise risk management program?
  • Do we need to make additional investments into third-party risk management, and are these investments aligned to our business objectives?

Risk Management and Due Diligence — Do We Know Our Exposure?

Objective: A structured process is in place to identify, prioritize, and mitigate risks based on business impact.

  • How do we classify vendors based on the criticality of their service and their data access, rather than just on contract size?
  • Can management confidently identify our most critical dependencies, including key fourth parties, which could put us at risk?
  • What is our strategy for managing risks from new and emerging supply chain dependencies, such as open-source software and the use of AI components?

Resilience and Response — Are We Prepared to Fail?

Objective: The organization can withstand and recover from an incident that originates with, or propagates through, a third party.

  • Are clear cybersecurity standards and responsibilities defined in our contracts, and more importantly, are they enforceable?
  • What are the limits of our liability and insurance coverage for a third-party incident, and are they adequate?
  • Have we conducted realistic simulations that specifically model a failure or disruption from one of our most critical third parties?

Real-World Examples of Third-Party and Supply Chain Security Failures

Snowflake

Timeline: 2024

Description: A cybercrime campaign in which attackers used stolen credentials to breach hundreds of company accounts hosted on the Snowflake cloud data platform. The attackers specifically targeted accounts that were not protected with multi-factor authentication (MFA).

Lesson: This incident highlights a failure in managing a third-party relationship under the cloud’s shared responsibility model. While the vendor platform was not breached, the customer’s failure to implement basic controls on that platform led to a catastrophic breach. Ensure management is accountable not just for vetting vendors, but for securing the company’s own configurations within those third-party services.

MOVEit

Timeline: 2023-Ongoing

Description: A single vulnerability in a popular secure file transfer software product was exploited by a ransomware group, leading to a cascading data breach affecting thousands of organizations globally.

Lesson: This is a textbook example of systemic software supply chain risk. A flaw in one widely used tool can create a catastrophic, industry-spanning event, underscoring the need for a robust inventory of sensitive data handled by third-party applications.

Kaseya

Timeline: 2021

Description: A ransomware attack on a major IT management firm’s software product had a cascading impact, disrupting nearly 1,500 downstream businesses.

Lesson: This demonstrates immense “concentration risk” in the software supply chain. Question management on dependencies related to widely used software to understand the potential for systemic disruption.

Further Reading

National Institute of Standards and Technology (NIST) Special Publication 800-161: Cybersecurity Supply Chain Risk Management Practices

This is the foundational US Government framework for C-SCRM. It provides comprehensive guidance to organizations on identifying, assessing, and mitigating supply chain risks.

European Union Agency for Cybersecurity (ENISA) Threat Landscape for Supply Chain Attacks

This report provides a crucial European perspective on the threat landscape. It maps and studies supply chain attacks, analyzes attacker techniques, and offers mitigation recommendations tailored to the EU’s regulatory environment.