BitSight Insights

Are Vendors Meeting Your Company’s Security Standards?

Noah Simon | September 28, 2017

When it comes to vendor risk management, organizations ultimately need their vendors to meet the same standard of security performance they hold for their own organization. For years, the Finance industry has been a trailblazer in managing the risk posed by vendors, suppliers, and business partners. However, are vendors in the Finance supply chain meeting the same level of security performance held by Finance organizations?

To answer this question, BitSight researchers looked at the security performance of more than 5,200 Legal, Technology, and Business Services global organizations whose security rating is tracked and monitored by hundreds of Finance firms using the BitSight Security Rating platform. These industries represent a set of critical vendors and business partners in Financial Services supply chains, consisting of: legal organizations, accounting and human resources firms, management consulting and outsourcing firms, and information technology and software providers.

The Performance Gap

A significant gap exists between Finance firms and companies in their supply chain. As of September 1st 2017, the mean rating of Finance companies in this study was 710.


The spread of BitSight Security Ratings amongst Finance Firms and monitored Legal, Technology, and Business Services organizations as of September 1st 2017.

However, the mean ratings for Legal Organizations, Technology Firms, and Business Services firms were 680, 670, and 660 respectively. While managing third-party cyber risk is a relatively new initiative for businesses, this performance gap illustrates the challenge Finance firms have in raising the security performance of key vendors and business partners.

Outdated Vendor Systems Present A Large Risk


What risks do vendors running outdated operating systems and browsers present for Finance organizations? Those in the Finance supply chain with a Desktop Software Grade of “B” or lower were more than twice as likely to have had a botnet infection in the past year. This means that outdated desktop operating systems and browsers within a supply chain are correlated with more immediate risks of system compromise and data loss.

A vendor with outdated operating systems or browsers should prompt a discussion about why they have not made updates. Companies should ask vendors about their timeline for updates and continuously monitor their security to ensure progress is being made in this area. Given that outdated systems are likely to lead to machine compromise, this ongoing monitoring is a proactive way to safeguard your data.


The BitSight Desktop Software Grade for Business Services, Technology, and Legal firms as of July 1st, 2017. Desktop Software grades are derived from the number and severity of outdated browsers and operating systems on a company's network.

What Other Cyber Risks Exist in the Supply Chain?

Outdated systems aren’t the only cybersecurity risk present in supply chains. See how server software versions and peer-to-peer file sharing also present challenges for vendor risk management.

Download your free copy of the latest BitSight Insights Report.
