TPCRM
Jun 25, 2026

Third-party cyber risk and corporate liability: considerations and recommendations for a shifting landscape

There is plenty of legal precedent and a long history of cases showing that companies can be held responsible for actions taken on their behalf, so there is little question that they are liable for the activities of third parties. However, things have not been so clear when it comes to technology vendors.

Software vendors often limit their liability in license agreements, while internet platforms are exempt from liabilities related to user-generated content in most situations.

These exemptions, along with inconsistencies in regulations and enforcement, have created a confusing environment, raising questions as to who is accountable for bad practices, cyber incidents and, ultimately, the financial damage they cause.

Why the landscape is shifting

Recent events have brought renewed attention to this question: with vendors more connected than ever to their clients and IT infrastructures, some mistakes have directly impacted operations (and thus liabilities). There are documented cases where helpdesk failures or social engineering of outsourced IT staff facilitated hacking campaigns. In these instances, the vendor can claim no client data has been compromised, yet it is still responsible for the root cause of the breach.

The world witnessed one example of this when a CrowdStrike update crashed computers in airports, causing delays and inconveniencing passengers. This incident made headlines in major publications and sparked a legal battle between Delta Air Lines and CrowdStrike.

Moreover, data privacy laws and new regulations for critical sectors like banking, utilities, and healthcare have often taken into account the fact that businesses outsource many of their IT needs. Cloud computing has made regulators increasingly concerned about concentration risks and third-party infrastructure, and specific requirements for its adoption have been crafted as a result.

When it comes to notifying victims of a data breach, there are cases where a vendor has taken responsibility for this task, but also several others where the first party did it. In one interesting case in Norway from January, the Data Protection Authority ruled that a vendor was effectively a data controller after its client went bankrupt. In other words, there are a lot of questions for third parties here as well.

This is an evolving landscape, which means the best practices that will eventually be established are not yet known. What we do know is that authorities have realized they will not achieve the outcomes they seek without taking a careful look at how companies manage their security with regard to third parties, and imposing fines when they deem it inadequate.

In other words, simply being careful when selecting a vendor (or even a client) with due diligence and onboarding practices may not be enough to satisfy regulators. Authorities have understood that, because of the size and significance of their client pool, vendors can accumulate responsibilities far beyond what the scale of their own business would suggest. This is especially common in IT, where smaller vendors can easily process large volumes of data.

Vendors have also left their clients to pay damages and deal with the aftermath of an incident after filing for bankruptcy.

It's worth mentioning that corporate data can also be leaked by vendors that are not directly linked to the company's IT infrastructure. In Thailand, the Personal Data Protection Committee (PDPC) fined a hospital after patient documents were used as snack bags. The vendor also had to pay a fine, but it was just 16,940 baht (US$ 500), while the hospital was on the hook for 1.21 million baht (around US$ 37,000).

In cybersecurity, we are often worried about hackers and data breaches, but third-party liability risks can be broader than that and include assets that are more difficult to financially measure, such as reputational damage.

Insights for mitigating liability risks

Since many businesses already have due diligence processes for ensuring basic requirements and validating paperwork, our recommendations here will go in a different direction. We already mentioned some of these ideas in other articles, but it's still worthwhile to understand how they play into vendor liabilities.

Collect signals and verifiable evidence

Trust in third-party relationships is often established by promises and data points obtained through reports, certifications, or questionnaires. These are difficult to verify, which means that businesses can be exposed to risks even when third parties claim that controls or mitigations exist. Furthermore, changes, mistakes, or new technologies can undermine these controls.

To avoid overwhelming cybersecurity and GRC teams, this work should be automated. Continuous monitoring with an inside-out approach can supply a stream of updated signals about a third party's cybersecurity posture. Cooperation with vendors to address any issues that are found helps to reduce tension in the business relationship and leads to better outcomes.

Aside from tangibly improving your cybersecurity outcomes, this approach demonstrates up front that your business is serious about vendors backing up their claims, and about ensuring that the real world matches your expectations.

Do not assume third parties will deal with incidents alone

Liability risks are sometimes overlooked because companies trust the assurances in their contracts. Instead, everyone involved should prepare to work together, both during and after a cybersecurity incident.

A third party might not be familiar with all the requirements that its partners or clients must comply with, or the requirements might have changed since the contract was signed. Establishing a framework for cooperation beforehand makes it easier to find solutions under pressure.

Adapt to the most restrictive regulatory framework

Even businesses that do not directly operate in more than one country might be subject to multiple regulatory frameworks. For example, certain jurisdictions have specific laws for healthcare providers, which means that companies in this sector must comply with general privacy laws and sector-specific health laws at the same time.

In addition, clients that do operate internationally might request compliance with other rules that they are required to follow. An evaluation is needed to determine whether third parties must be aware of these requirements as well.

For businesses in this situation, one idea is to identify the most demanding regulatory framework and adapt the third-party risk management program accordingly. The reason is that processes can be scaled down and simplified if the opportunity arises, while it's often challenging to augment processes designed with less strict requirements in mind.

Consider public sentiment and trends

It's easier to effectively mitigate risks to brand reputation if you keep up with the public sentiment and related trends. Third parties can cause a disproportionate amount of damage when the tasks they perform are deemed sensitive or suspicious by the public. When a cybersecurity incident or questionable behavior involving a vendor comes to light, clients will not be spared just because there was a legal promise not to do things that way.

As an example, a business might find itself in hot water if media reports link it to some suspicious operation that the same vendor performed for a different client. In cybersecurity, many will find it suspicious if a company hires a vendor with a known history of data leaks without solid assurances of its performance. A vendor's social media presence and attitude can also aggravate incidents unnecessarily, so it's valuable to coordinate your communication, too.

People can easily argue willful negligence if they find that not enough was being done to ensure a vendor behaved appropriately. However, this can be mitigated by following the other recommendations.

Establish a roadmap for continuous improvement

Because this is an evolving landscape, it's important to build and routinely follow processes that ensure the third-party risk management program is achieving its intended goals. As far as cyber risk is concerned, performance indicators can be derived from the signals that inside-out monitoring supplies as the foundation of the program.

That said, changes in regulatory frameworks may require the indicators themselves to be reviewed and expanded, while third parties should receive prior notice of any new requirements that they will have to meet because of the direction that the business is heading. This will make it easier to ensure compliance when the deadlines arrive.

Third-party cyber risk management is not optional

We know it is challenging to make changes to existing TPCRM programs and GRC efforts, especially when they directly impact business operations and vendor selection. Fortunately, these changes can lift some of the weight from the onboarding and contracting processes, making them more efficient and responsive to market conditions.

At the end of the day, mitigating supply chain and third-party risks is not optional. Outsourcing a task does not outsource risk. Whether a business adopts some of these ideas or tries doing things some other way, it is important to keep an eye on this shifting landscape.