Category Archives: Vendor Risk Management

The Evolving Challenge of Supply Chain Compliance in the Banking Industry

Not often would one think to tie a bank and a supply chain together, but the supply chain is everywhere – even in the banking industry. 


Managing compliance risks in the banking industry has long been central to banking operations. But the nature of those risks has expanded and evolved – and so have the strategies that banks must adopt to stay ahead of both internal and external compliance challenges.


For example, banks today must grapple not just with conventional compliance risks, like an obligation to identify money laundering, but also with risks that originate from within the supply chain in the banking industry.


Compliance And Banking: The Traditional Approach

In the old days, compliance for banks was relatively simple. It included two key components:


  • External Compliance. This involved adhering to compliance rules set by regulators or other external groups. On this front, activities like anti-money laundering were banks’ main priority.

  • Internal Compliance. This meant the establishment of internal systems necessary to identify and adhere to regulatory risks. These internal systems typically weren’t specifically mandated by regulators, but banks implemented them as a means of complying with external regulations.


Whether externally or internally, banks’ traditional approach to compliance was essentially reactive. Businesses focused on detecting and responding to risks, rather than preventing them proactively.


The Challenges Of Banking Compliance And Supply Chain Management

Those days of traditional compliance for banks are over. Today’s compliance landscape within the banking industry looks quite different.


  • Terrorist Financing: As the IMF notes, “the international community has made the fight against money laundering and the financing of terrorism a priority.” This change has raised the stakes surrounding anti-money laundering compliance for banks and increased the pressure they face from regulators around the world in this area.

  • Bribery & Corruption: Along similar lines, “the past decade has seen the emergence of anti-corruption compliance systems in companies across the globe,” according to the OECD. Here again, banks face heightened pressure to establish compliance processes that can mitigate activities related to corruption.

  • Internal & External Fraud: These risks rose by 218 percent during 2022 alone, according to TransUnion.

  • Business Continuity Risks: The need to ensure that banks can remain operational in the face of unexpected disruptions – such as problems within the supply chain in the banking industry – has been a continued challenge for finance compliance officers to master.

  • Information & Cyber Security Risks: Last but not least, cyber security incidents continue to surge, creating a pervasive compliance challenge for banks.


For all of these reasons, banks today require compliance strategies that are capable of addressing a much broader range of risks than traditional money laundering. At the same time, they must be able to track and mitigate not just those risks that originate internally, but also risks that arise from within their supply chains – such as insecure software provided to banks by third-party vendors, or a lack of compliance adherence by a bank’s partners.


Modernizing Compliance And Supply Chain Management In Banking

To meet those challenges, banks must turn to new practices that can supercharge their approach to compliance, such as:


  1. RegTech: RegTech refers to a new breed of IT tools – including supply chain risk management solutions like Findings – that can help banks to streamline and automate compliance operations.

  2. Proactive Compliance: Mandates like SEC Rule 30 require banks to think and act more proactively than they did in the past by establishing plans for dealing with risks ahead of time. Reactive compliance no longer cuts it.

  3. Risk Mitigation Playbooks: In a similar vein, banks should establish “playbooks” that spell out how they’ll react to particular compliance risks or incidents. By establishing playbooks ahead of time, banks can remediate problems much more efficiently when they arise.

  4. Next-generation AML: Anti-money laundering remains a pillar of banking compliance, but as noted above, modern AML must be more expansive than in the past. It must extend to domains like preventing terrorist financing and corruption – and not just among clients that banks deal with directly, but also within the banking industry supply chain.

  5. Reporting: Banks must double down on their approach to compliance reporting by ensuring that they have processes in place to disclose vulnerabilities (through a VDP) and violations promptly, in order to comply with mandates like FINRA Rule 4530.

  6. Regulatory Penetration Testing: Regulatory penetration testing can help banks to identify risks proactively, rather than waiting for real-world violations to occur before they take action.


Put simply, modern banks must adopt more actionable, efficient and comprehensive compliance strategies, and they must ensure that they can enforce compliance across the entire banking industry supply chain.


Compliance solutions like Findings can help. By providing end-to-end visibility into supply chain operations and the compliance status of third-party vendors and suppliers, Findings makes it easy to detect risks in real time, then take action before the risks trigger compliance violations.

  Don’t be a stranger! Sign up at today and see how Findings can help you showcase your compliance

ESG: Nice to Have or a Must?


Yup, the world has taken a new turn… and I’m not talking about post-COVID-19. Industries, governments, and the environment began adapting to new standards way before the world experienced the effects of COVID-19. 


This is what is more commonly known as environmental, social and governance (ESG) data and numerous companies have defined it as a “must have” for supply-chain risk management. 


Stakeholders are no longer willing to work with companies who do not take a genuine interest in incorporating ESG measures and let’s just say that investors are following along step by step. In addition, stakeholders and investors want greater transparency of information regarding issues such as carbon emissions and modern slavery.


That being said, as ESG standards and regulations are still developing and have not been considered a “concrete” measure like cybersecurity, companies need to understand what needs to be done to adhere to supply-chain compliance.

Let’s break it down.


What is ESG?


According to Investopedia ESG, “refers to a set of standards for a company’s behavior used by socially conscious investors to screen potential investments.”


In other words, numerous investors have this topic on their minds when it comes to making an investment decision. ESG guidelines and principles are expected to be incorporated into an organization’s culture and business strategy. 


This is extremely important, but practically speaking, how do companies measure their carbon footprint and outline the specific steps to incorporate ESG into their supply chain and pipeline? For this, we need to have a better understanding of what each one of the pillars is referring to. 


How can companies adhere to ESG standards?


As ESG is still a developing framework across the world, industry best practices defined by experts in the field are usually what companies adhere to.

In the United States, for example, there is not one body that has created a compliance audit for all companies to follow. Setting aside the political sphere, incorporating federal government law can reduce the flexibility and progress of the framework, not to mention that industries vary.


In contrast, the EU has a formal body (the EU Commission) that creates ESG regulations, but here comes the issue of trial and error to continuously stay up to date with standards. 


In Singapore, a centralized registry exists where companies can upload all their ESG reporting, but this has only been recently implemented and has very little data currently. 


Considering all of these alternatives, it seems the best solution for companies and organizations is to reach out to experts who provide software or auditing services that can review their ESG spectrum. 


What can Findings do to Help?


Findings is a centralized, one-stop shop for enterprises and vendors to automate and scale their ESG assessment(s). We enable you to implement a sophisticated, straightforward, and efficient ESG vendor due diligence process. 


Enterprises can use pre-built best-practice assessments or have assessments custom-built according to their needs. Vendors can use our automated response to easily and quickly respond to incoming ESG questionnaires. Fast, automated, and at scale, all in one place!

Reach out today

What’s At Stake With Ineffective Third Party Vendor Risk Management


Virtually every business today has to outsource work to external vendors. By extension, it needs a plan to handle what Gartner calls vendor risk management, or VRM/TPRM. 

Working with third-party vendors exposes businesses to a variety of risks:


  • Reputational harm: Security mistakes made by third party vendors could harm your brand’s reputation. Even if your company wasn’t at fault, customers or partners might hold your business accountable because they believe you made the poor choice of working with a risky third-party vendor.
  • Operational damage: Problems with third-party vendors could disrupt your operations. For example, if a software product you depend on becomes vulnerable, your supply chain may cease to function until you find a replacement. Or your third party vendor may be hacked, leaving the door open to your organization for breaches or system failures.
  • Financial loss: Third party vendor risks that turn into operational disruptions can ultimately lead to revenue loss, exacerbating the operational fallout of the situation and costing your organization money.
  • Compliance challenges: You may be required to prove that your supply chain risk management complies with specific security or data privacy frameworks, and mistakes made by third party vendors could expose you to compliance failures. Like customers and partners, regulators aren’t likely to care whether the root cause of the issue lies with you or your vendor; all that matters to them is that you were non-compliant.


To respond to these challenges, and especially considering that 89% of businesses have experienced a supplier risk event in the past 5 years, more needs to be done to develop an effective third party vendor risk management strategy. Developing that strategy starts with recognizing the mistaken assumptions that businesses often make when attempting to manage vendor risks.


Let’s look at those mistakes, why they’re dangerous and what businesses can do to avoid them.


1. Assuming All Vendors Are Covered

It can be easy to assume that as long as you have some kind of third party vendor risk management operation in place, it covers all of your vendors and gives you complete visibility into the risks associated with them.


The reality is that in many cases, TPRM programs overlook some vendors. The oversights most often result from relying on manual processes to identify and vet vendors, but you can also miss some vendors because your supplier list is always changing and you may not keep it up-to-date. 

Not only that, in many cases, coverage itself is partial. Modern supply chains are complex and because of this, long-tail vendors can be easily overlooked or ignored, exposing your organization and supply chain to huge risk.

The solution to these challenges is to rely on automation to track vendors. When you automate, it becomes much easier to find all third party vendors in your supply chain, and to keep your vendor inventory continuously up-to-date.


2. Overlooking Risk Assessment

Simply identifying vendors is only the first step in third-party vendor risk management. Equally important is assessing how much risk each vendor introduces to your supply chain. Risk assessments should reflect factors such as how much harm the vendor could cause to your reputation, operations, finances and so on. However, too often an organization’s risk tolerance or risk appetite is under-assessed, so the true effects of a vulnerability in your supply chain remain unknown.


Ideally, risk assessment should happen automatically. Whenever you introduce a new vendor into your supply chain, or when your relationship with a vendor changes, you should be able to determine automatically how the vendor impacts your overall risk and make a valid assessment of exactly what level of risk is acceptable to your organization.


3. Vendor Risk Management Ends With Onboarding Assessment

While risk assessment is important, it’s not the end of the third party vendor risk management process.


Your relationship with vendors may evolve in ways that change the types and extent of the risk that each vendor poses. For that reason, it’s important to be able to reassess risks on a continuous basis. Using automation, you can ensure that your risk assessments are constantly updated and that they remain relevant even as your vendor relationships evolve.




4. Underestimating Vendor Compliance Needs

Sometimes, organizations assume that as long as they’ve met basic third party vendor risk management requirements, they’re covered against compliance mandates related to their supply chain and vendors.


In reality, compliance requirements tend to be complex and business-specific. For that reason, generic vendor risk management is not enough to guarantee compliance. Third party vendor risk management is a step toward compliance, but you also need to step back and assess the unique compliance requirements of your company and supply chain, then determine whether additional steps are needed to achieve compliance.

Simplify Third Party Vendor Risk Management With Findings

Findings takes the hard work out of vetting third party vendors. By automating the processes of identifying and assessing vendors across your supply chain, Findings makes it easy to maintain continuously updated visibility into where supply chain risks lie and how each vendor could harm your reputation, operations, finances and more.

See for yourself by requesting a demo at

Supply Chain Attacks Surged By 42% in 2022. Here’s Why.


There’s been a massive and recent increase in the awareness of supply chain attacks. Significant investment in tools and strategies to protect supply chains against attack has been poured into business plans, but this isn’t helping. You would think that all of this time and effort would in turn bring a decline in these threats, but you’d be wrong.


Quite the contrary actually. According to research from PurpleSec, supply chain attacks rose by 42% in 2022, and 64% of businesses have now been affected by supply chain software attacks.


Recent Supply Chain Attacks

In the case of the SolarWinds attack, malicious code inside a popular IT monitoring platform gave hackers a back door into thousands of IT networks. Similar breaches occurred in the Colonial Pipeline attack, where a leaked password caused massive panic, and in the Kaseya and Log4j breaches, which were also examples of supply chain attacks in which breaches in third-party software tools exposed a large number of businesses to attack.

The Appeal Of Supply Chain Attacks

Exacerbating matters further is the fact that a single supply chain breach allows attackers to target hundreds or thousands of victims by seizing upon just one vulnerability and one attack technique. From the hacker’s perspective, the ROI on supply chain attacks is exponentially higher than a traditional attack, wherein a single business is placed at risk.


As TechTarget explains, “supply chain attacks are difficult to detect, as they rely on software that has already been trusted and can be widely distributed.”


Why Supply Chain Attacks Continue To Rise


Both of these factors – the difficulty of preventing supply chain attacks and the advantages of supply chain attacks from an attacker’s perspective – help to explain why supply chain attacks remain so pervasive – to the point that supply chain attacks will increase by 400 percent, according to the European Union Agency for Cybersecurity (ENISA), which adds that “strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers.”

In other words, traditional approaches to defending against cybersecurity risks – such as hardening servers against attack, enforcing strong access controls and deploying malware scanners – aren’t very effective in cases where the bad guys break in by breaching your supply chain. If your IT systems are configured to trust software delivered to them by third-party suppliers, no amount of access controls or virus scanners are going to protect against flaws within those third-party systems. Conventional security controls only protect against threats that originate internally, which means they don’t address supply chain attacks.


What You Can Do: How To Stop Supply Chain Attacks


Fortunately, there are practices that can help to prevent supply chain attacks, even for organizations with complex supply chains:


  1. Implement Zero Trust

Zero trust means configuring IT resources so that they do not trust any other resources – internal or external – by default. They only share data and interact with resources that are explicitly validated to be secure. Zero trust policies can help to mitigate supply chain attacks by ensuring that servers, applications and other resources only trust third-party software if that software has been scanned and vetted to be secure.


  2. Gain Asset Visibility

Visibility – specifically, visibility into which supply chain assets exist and which risks impact them – goes a long way toward preventing supply chain attacks. Businesses should be able to identify risky assets, determine the root cause of the risks and remediate risks in a proactive manner.


  3. Work With Suppliers

Effective supply chain security management means not just cutting off suppliers who might place the supply chain at risk, but working with them to identify potential breach points and ensure transparency in the face of risks. Vulnerability Disclosure Programs can help here by providing a systematic means of identifying and responding to supply chain attack risks.



Findings can help with all of these initiatives by providing automated visibility into your entire supply chain so that you know when and where risks arise. In addition, Findings helps you assess vendor compliance and manage vulnerability disclosure policies, ensuring that you’re prepared to react quickly when your supply chain becomes vulnerable to attack.



Learn more about how to prevent supply chain attacks with Findings.

Finally: Practical Guidance for Supply Chain Risk Management

Businesses are being bombarded with warnings from a variety of sources regarding supply chain risk management – ranging from media organizations like Forbes, to analyst firms like Gartner, and even to the White House, which notes that “foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure” through supply chain attacks.

However, actual advice for managing supply chain risks is harder to come by. Figuring out where risks lie and working to detect them is an exercise that often falls to individual businesses – which often struggle to put supply chain risk management into practice, given the fact that few organizations were closely focused on supply chain risks until just a couple of years ago, when incidents like the SolarWinds breach brought supply chain risks to the fore.

1. Optimize Supply Chain Visibility

The single most effective step businesses can take to manage supply chain risks is to achieve visibility into their supply chains. You can’t mitigate the risks you can’t see, and if you wait for the risks to impact your own IT environment, it’s too late to prevent them from causing a disruption.

That’s why you need visibility not only into where your software comes from, but also which checks and protections your software suppliers have in place. Believe it or not, vulnerabilities will come from your least expected vendors, and more often than not, your smaller vendors. When you identify vendors who fail to manage risks, you can remove them from your supply chain in order to protect your own organization. This is where continuous monitoring steps in and becomes invaluable to your team by getting ahead of issues before remediation steps are even needed. 

When it comes to supply chain visibility, the more information you have, the better. It’s often impossible to gain complete, definitive visibility into supply chain risks because the “probability and severity of many risks is difficult to ascertain,” as Tucker Bailey, McKinsey Partner, notes. But the more information you have about who your suppliers are, how they build out their supply chain and which practices they follow to mitigate security risks, the greater your ability to find and respond to the most serious supply chain vulnerabilities.

2. Build Supply Chain Risk Management Into Onboarding

While continuous visibility into the supply chain is one step toward identifying risks, it’s also important to establish a rigorous process for vetting vendors when you onboard them into your supply chain. Identify which specific security controls you expect vendors to have in place, then implement a process that assesses how well they adhere to those practices.

There is always a risk that vendors who meet your requirements during onboarding will become insecure over time, which is why you need to monitor continuously for new supply chain risks. The most common onboarding process is to do an initial risk scan of the vendor and set a score. However, the better and more effective method is to set a periodic scan that includes an action plan.

But even with all these processes, it doesn’t mean you should skimp on vendor validation at onboarding time. Rooting out risky vendors before they even join your supply chain is more effective than identifying risks after the fact.

3. Plan For Supply Chain Changes

Actually removing risky vendors from a supply chain is hard to do if you depend on those vendors and have no alternatives.

That’s why it’s important to ensure that your supply chain is dynamic enough to accommodate sudden changes in vendors. Always have backup suppliers in mind to whom you can turn if you need to stop using one vendor due to cyber security risks.

Supply chains constantly fluctuate. Vendors that seem rock-solid one day may be in the news the next because they are the center of a major breach. You can’t control what your suppliers do, but you can control your ability to pivot to alternative suppliers quickly in order to mitigate supply chain risks.

4. Enforce Continuous Supply Chain Risk Management

Supply chain risk management should never be a one-and-done affair. Nor should you rely on periodic audits to find risks.

Instead, strive to monitor your supply chain continuously. Continuous monitoring means that you can identify vulnerable third-party software, as well as vendors who are no longer conforming to your security requirements, as soon as the risk emerges. That beats waiting until your next audit to identify a risk – or, worse, not identifying it at all because you vetted your suppliers initially and have no mechanism in place for determining when vendors who were once secure no longer are.

Ensure that the protections that your suppliers claim to have in place actually work. For example, as Jay Shaw explained during a recent LSEG event, don’t just take someone’s word for it that backups are in place. Instead, say “you’re going to get a phone call, and that phone call is going to say, ‘Bam, we’re now down, so do the backup plan.’ We want to see how long it takes you and how well it works.”

It might not be practical to vet every vendor in that way, but for high-stakes suppliers, it’s important to know that promises align with realities when it comes to supply chain security protections.
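The onboarding-plus-continuous-monitoring procedure described in steps 2 through 4 (score a vendor against the controls you expect at onboarding, rescan periodically, raise an action plan when a vendor drifts below your tolerance, and keep a backup supplier in mind) can be captured in a small vendor risk register. The following is an added example, not Findings' own code or scoring model; the control names, weights, tolerance, rescan interval and vendor records are all constructed for illustration.

```python
"""Vendor risk register: onboarding score, periodic rescans, action plans.

Added example, not the Findings platform. Controls, weights and vendor data
are constructed values chosen to illustrate the procedure.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Controls the organisation expects every vendor to demonstrate, weighted by
# how much harm a gap could cause (constructed weights).
EXPECTED_CONTROLS = {
    "mfa_enforced": 3,
    "tested_backups": 3,          # a restore was exercised, not merely claimed
    "patch_sla_30d": 2,
    "vuln_disclosure_program": 1,
    "incident_notification_72h": 1,
}
MAX_SCORE = sum(EXPECTED_CONTROLS.values())
RISK_TOLERANCE = 0.8              # minimum acceptable weighted fraction of controls
RESCAN_INTERVAL = timedelta(days=90)


@dataclass
class Scan:
    when: date
    controls: dict                # control name -> True if evidence was verified


@dataclass
class Vendor:
    name: str
    tier: str                     # "critical" vendors get a shorter rescan interval
    scans: list = field(default_factory=list)
    backup_supplier: Optional[str] = None


def score(scan: Scan) -> float:
    """Weighted fraction of expected controls the vendor demonstrably meets."""
    met = sum(w for c, w in EXPECTED_CONTROLS.items() if scan.controls.get(c, False))
    return met / MAX_SCORE


def missing_controls(scan: Scan) -> list:
    return [c for c in EXPECTED_CONTROLS if not scan.controls.get(c, False)]


def rescan_interval(vendor: Vendor) -> timedelta:
    return RESCAN_INTERVAL / 3 if vendor.tier == "critical" else RESCAN_INTERVAL


def assess(vendor: Vendor, today: date) -> dict:
    """Status plus action plan for one vendor, based on its scan history."""
    if not vendor.scans:
        # No onboarding scan: do not let the vendor into the supply chain yet.
        return {"vendor": vendor.name, "status": "blocked", "actions": ["run onboarding scan"]}
    history = sorted(vendor.scans, key=lambda s: s.when)
    latest, current = history[-1], score(history[-1])
    result = {"vendor": vendor.name, "score": round(current, 2), "actions": []}
    if today - latest.when > rescan_interval(vendor):
        result["actions"].append("evidence stale: schedule rescan")
    if len(history) > 1 and current < score(history[-2]):
        result["actions"].append(f"score dropped from {score(history[-2]):.2f} to {current:.2f}")
    if current < RISK_TOLERANCE:
        result["status"] = "action_plan"
        result["actions"].append("remediate: " + ", ".join(missing_controls(latest)))
        result["actions"].append(
            f"prepare pivot to {vendor.backup_supplier}" if vendor.backup_supplier
            else "no backup supplier identified")
    else:
        result["status"] = "approved"
    return result


def run_register(today: date = date(2023, 6, 1)) -> dict:
    """Assess a constructed set of vendors; returns {vendor name: assessment}."""
    all_ok = {c: True for c in EXPECTED_CONTROLS}
    vendors = [
        # Passed onboarding, then a rescan found backups were never tested.
        Vendor("Acme Payroll", "standard",
               [Scan(date(2023, 1, 10), all_ok),
                Scan(date(2023, 4, 5), {**all_ok, "tested_backups": False})],
               backup_supplier="Beta Payroll"),
        # Small long-tail vendor with partial controls and no alternative.
        Vendor("Tiny Widgets", "standard",
               [Scan(date(2023, 2, 1), {"mfa_enforced": True, "patch_sla_30d": True,
                                         "incident_notification_72h": True})]),
        # Critical vendor whose evidence is older than its 30-day interval.
        Vendor("CloudHost", "critical", [Scan(date(2023, 1, 15), all_ok)]),
        # Added to the supplier list but never assessed.
        Vendor("Unscanned Co", "standard"),
    ]
    return {v.name: assess(v, today) for v in vendors}


if __name__ == "__main__":
    for name, r in run_register().items():
        print(f"{name}: {r['status']} {r.get('score', '')} {r['actions']}")
```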

5. Automate Supply Chain Risk Management With Cyber Solutions

For most businesses, the rigorous, continuous supply chain monitoring and risk management practices described above are impossible to implement manually. They would require too much time, and too much effort on the part of employees who already have overfilled plates.

That’s why it’s critical to leverage cyber solutions that automate supply chain risk management. They can identify multiple types of threat within third-party software – including malware, phishing risks, ransomware and beyond – without requiring manual vetting. And they can do this continuously so that you’re aware immediately when a new risk arises.

Automated cyber solutions have the added benefit of reducing the risk of human error. Your supply chain management tools will operate consistently and reliably, enforcing the same assessment policies over each and every vendor. Humans typically don’t achieve that level of consistency, which means that manual supply chain assessment increases the chances that risks will fall through the cracks.

How Findings can help

As a fully automated platform for identifying and managing risks across your supply chain, Findings makes it easy to put supply chain risk management practices into operation. Findings delivers centralized, continuous visibility into supply chains across any industry, enabling businesses to find and respond to risks before they turn into cyber security incidents.

See for yourself by requesting a demo at

The New Breed of Cyber Security Threats Coming for CISOs in 2023


Traditional challenges, like ransomware and software supply chain threats, have not gone away. But as we enter 2023, they’re being exacerbated by additional challenges, such as government-sponsored cyberattacks, the increased number of supply chain attacks, new types of phishing exploits and even the possibility that quantum computers will totally invalidate most of the core cyber security tools that businesses rely on today.


Those and other trends were the subject of an excellent webinar hosted recently by the London Stock Exchange Group (LSEG), moderated by Charles Clarke, Head of Security Architecture at LSEG, which brought together industry leaders including:

  • Kobi Freedman, CEO and cofounder of Findings.
  • Reuven Aronashvili, founder and CEO of CYE.
  • Alan Platt, COO at CyberHive.
  • Jay Shaw, CEO of Praxonomy.
  • Alan Moffat, CISO & Director of Business and Cyber Security Services for Sapphire.


This diverse mix of companies and sectors spent the morning discussing what they see as the most pressing cyber security challenges for 2023 and beyond. Although their insights gave CISOs – and businesses in general – plenty of problems to worry about, they also pointed toward solutions that forward-thinking organizations should be adopting in order to protect their operations against cyberthreats.


Key Cyber Security Trends for 2023

Although there was consensus that major trends in cyber security for 2023 will vary somewhat between different industries, the overall takeaway from speakers’ comments was that 2023 will see the continued emergence of a new breed of cyber security threats – or new takes on familiar ones.


Quantum Computing

Quantum computers – which use quantum mechanics to supercharge the processing of data – have been in the news for a long time as scientists come closer to developing quantum machines that are actually usable for real-world tasks.


As Alan Platt pointed out, the fact that quantum computing isn’t practical today doesn’t mean businesses shouldn’t be aware of the potential concerns. The reason why is that the sensitive data that businesses are generating today and protecting using encryption may become readable by quantum computers a few years from now.


“Most of the internet at the moment runs on RSA-2048 public key cryptography,” Platt said. “Breaking that using a conventional computer is estimated to take about 13.7 billion years, but a quantum computer doing exactly that same piece of cryptography would be able to crack it in just 42 minutes.”


The point here is that, in the not-so-distant future, security practices that CISOs rely on today to secure sensitive data may become obsolete. They’ll need to work even harder to prevent sensitive information from falling into the wrong hands in the first place, because even if the data is encrypted, quantum computers may be able to defeat the encryption with ease.


Increased State-Sponsored Cyberattacks

Platt also warned that the days may be coming to an end where malicious hackers seeking financial gain are the only people out to ruin a CISO’s day. Increasingly, he said, “the name of the game is about tightening security…against more complex and more damaging attacks that could take out critical infrastructure” – as opposed to threats like ransomware, which can be financially harmful but don’t usually impact physical infrastructure.


This new challenge reflects an increase in cyberattacks by nation-state actors seeking to use cyberwarfare as a means of harming their enemies. Although that practice is not completely new, the war in Ukraine has demonstrated an eagerness by both sides to extend traditional war into the cyber realm, heightening the security challenges faced not just by governments, but also individual businesses, who may be targeted by state-sponsored actors in order to harm countries in which businesses are based.


Lingering Covid Security Challenges

The Covid pandemic may effectively be over, but its impact on supply chain security and cyber security is not, according to Alan Moffat.


Covid forced companies to invest more of their IT spending in technologies that enable remote work and distributed workforces, and as a result “less budget can be put into cyber security.” Because of the speed at which companies had to be ready for work-from-home and hybrid working models, mistakes in the initial setup are still being shored up by security leaders. These challenges are exacerbated by the fact that remote work infrastructure is often harder to secure because it involves IT assets that exist beyond a company’s corporate firewall and network, and lack the type of physical security protections that exist in a traditional office environment.


This means that CISOs need to do even more with even less budget – which makes strategies like automation and early detection of threats more important than ever.




VPNs Are No Longer Up To Snuff

Although VPNs – which are intended to protect sensitive data by encrypting packets as they flow between central IT infrastructure and remote locations, like the PCs used by workers who operate from outside the office – don’t make networks less secure, they don’t necessarily make them more secure, either. Beyond the risk that quantum computers, as noted above, could be used to break the cryptographic keys that secure VPN traffic, VPNs are complicated to administer, and they can cause problems for remote users who need to access business resources (like SaaS platforms) that aren’t actually hosted on the corporate network.


Instead of placing blind trust in VPNs, companies should be turning to other strategies – like zero-trust access controls – to secure their networks. Zero trust works even in a world where quantum computing may kill cryptography as we know it.


New Types of Supply Chain Security Threats

Supply chain security challenges have received a lot of attention in recent years, and many CISOs have begun investing in initiatives to protect their supply chains, as well as to disclose supply chain vulnerabilities efficiently. But they need to do a lot more, according to Kobi Freedman, CEO and Co-Founder of Findings, to get a real handle on the risk.


“Looking forward, we see a dramatic increase in attacks which are driven by the IoT” and that target “IoT and industrial environment” systems, our CEO added. Supply chain security strategies that address just the conventional elements of the software supply chain – like server-side applications – aren’t enough. Businesses also need to be able to understand and secure their IoT and operational technology assets.


Kobi added that businesses need what he called “long-tail” visibility into the supply chain. He was referring to the ability to understand not just which suppliers a business depends on directly, but also who supplies them, and how supplier relationships evolve over time. Simply compiling a software bill of materials and calling it a day won’t be enough to achieve the deep visibility necessary to secure modern supply chains.


And businesses will need to do all of this, Kobi pointed out, with budgets that are likely to remain constrained at least through 2023. As a result, they’ll need to make heavier use of supply chain security automation than ever.


Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)


Evolving Phishing Threats

Kobi Freedman also pointed out that the nature of phishing attacks is changing. Businesses have seen an increase in targeted phishing initiatives, known as spear phishing attacks, that target high-level employees rather than ordinary, in-the-trenches workers. These attacks are more sophisticated, resulting in higher levels of success.


To guard against this, businesses need to understand that humans are often the weakest link in cyber security. “90% of the risk for spear phishing attacks and other exploits comes from the human factor in the organization,” he said. The more businesses know about what their employees have access to, the better they can defend against risks like spear phishing.


Thriving In The Face Of 2023 Cyber Security Challenges

Faced with threats like these – as well as traditional challenges, like ransomware – what’s a CISO to do?


Part of the answer, the panelists agreed, is to transform cyber security within their organizations from a cost center to a “business enabler,” as Reuven Aronashvili put it. In other words, CISOs should strive to demonstrate to other executives how investments in cyber security can save money by reducing the risk of revenue loss due to IT disruptions. Viewed from that perspective, it’s easier to explain and justify continued spending on initiatives like supply chain security, even in financially tight times.


Relatedly, CISOs should align their agendas with overall business needs. That strategy will help to achieve even more buy-in for cyber security investment from a board. One way to do that is by focusing on how cyber security can increase overall visibility into the organization. Cyber security tools protect all parts of the IT estate and extend to all facets of the business, which makes them an excellent resource for understanding what is happening across the company as a whole. They’re not just ways to identify threats, but to gain end-to-end visibility, which businesses can in turn leverage to support continued investment in cyber security initiatives.


“What are my crown jewels? What are the lines of business that we need to defend? How will that translate into direct investments into tools and technologies and projects and processes and so on” to keep assets safe? Those are the types of questions CISOs should be asking to keep cyber security in alignment with broader business needs, our CEO said.


Planning For Breaches

Beyond the issue of investing in cyber security, Freedman underlined the importance of also actively preparing for breaches. After all, it’s not a matter of if a breach will occur, but when. No matter how many fancy, next-gen cyber security tools you deploy, it’s likely that you will be attacked successfully at some point.


Preparation against this risk starts with ensuring that the basic tools and protections are in place to detect attacks and begin the response process. From there, CISOs should ensure that their organizations can execute mitigation plans that minimize the impact of a breach. They should also practice addressing the root cause of attacks in order to identify and shut down breaches as quickly as possible.


The Changing Role Of The CISO

Ultimately, the net result of the new generation of cyber security challenges that businesses face is that the role of the CISO is changing. Today, the CISO is not just someone who has the last word on cyber security. Instead, as Aronashvili put it, the CISO is now “the middleman between the technical teams and management,” which means that CISOs need to get buy-in from other executives in order to deploy effective cyber security strategies.


To that end, CISOs must now focus on communicating the value of cyber security to management. They need to show that cyber security spending actually saves money, and that security doesn’t just support, but actually enables, the operations of the business as a whole.


Preparing For The Future With Findings

As CISOs grapple with a new wave of cyber security threats, one challenge they shouldn’t struggle to solve is supply chain security. Findings delivers end-to-end visibility into supply chain security risks and compliance by automatically compiling a profile of your business’s supply chain and helping you understand where your supply chain security challenges lie. No matter how complicated supply chain security may become, Findings makes it easy to conquer the challenge.


See for yourself by requesting a demo at

Supply Chain Compliance Strategies for an Economic Downturn


Economists debate whether stubbornly high inflation, combined with interest rate hikes by central banks, has actually created a recession.

But what’s not up for debate are the ways in which the current economic downturn complicates supply chain management. From less consistency within the supply chain, to fewer available resources for manually tracking supply chain compliance issues, the economic environment is imposing significant challenges on businesses.


The Economy’s Impact on Compliance and Security

Economic uncertainty affects supply chain compliance initiatives in many ways – some obvious, and some less so.


1. The Bullwhip Effect and Lower Profitability

One of the most significant impacts results from what economists call the bullwhip effect. The term refers to the way in which mistaken assumptions about consumer demand tend to reverberate across the supply chain. For instance, if suppliers interpret a temporary uptick in demand for a product as a permanent trend, they may overinvest in production of the product. In turn, suppliers will then experience lower profit margins because they end up having to sell the product for less, due to lower-than-anticipated demand. Many economists blame the bullwhip effect as one reason why inflation has surged and corporate profits have dropped.

From the perspective of supply chain compliance, the bullwhip effect means that organizations across the supply chain face especially high pressure to squeeze profits out of their products in any way they can – including cutting corners, in some cases. For example, software companies may skimp on security monitoring or trade compliance for their products, placing organizations within their supply chain at risk. This makes the ability to detect supply chain compliance issues more important than ever in the present economic climate.




2. Labor and Fuel Cost Increases Across the Supply Chain

Factors like higher labor costs in regions where suppliers could historically find cheap workers, and the increased cost of fuel, only exacerbate the challenges faced by organizations.

It’s not only product manufacturers who are impacted by higher costs for labor and fuel. These costs flow down the supply chain to affect organizations of all types. A company that develops software is likely paying more for the hardware its developers use, due to the increased labor and shipping costs associated with producing that hardware. So the software company, too, is squeezed by economic challenges that don’t relate directly to software production.



3. Skimping on Cyber Insurance

The third trend that impacts supply chain compliance – and one that is easy to overlook – is the lower rate of cyber insurance uptake.

In good economic times, organizations would buy cyber insurance in a bid to protect themselves against cyberattacks. Such insurance doesn’t always guarantee solvency following an attack, but it may help in certain situations.

“Insurers have also been hit by the downturn,” says Peter Mansfield, a partner at Reynolds Porter Chamberlain in London. “Policyholders will look to make savings, which may include buying less insurance or better insurance.”

With less money to spend, organizations choose to forgo cyber insurance or purchase less comprehensive coverage. In doing so, they place not only themselves, but also companies within their supply chain, at risk. A software company that suffers a cyberattack and doesn’t have sufficient insurance to recover will go out of business, leaving its products unsupported and insecure – a major risk for customers of those products.


Read here: Cyber insurance is great but you need to invest in additional tools that help detect and respond to risks


Supply Chain Compliance Opportunities

The good news is that it’s possible to get ahead of supply chain compliance issues by taking advantage of tools that can manage supply chain risk efficiently, regardless of the economic environment.

A healthy supply chain compliance strategy for the economic downturn hinges on visibility. Visibility into how your supply chain works and how it impacts your organization is critical for making informed decisions about supply chain compliance issues. It can also help companies manage costs. As Ed Winterschladen, executive vice president Europe at Proxima, puts it, “In a volatile supply market, running towards cheaper options won’t necessarily deliver value – identifying waste and spending better will prove more effective than reducing costs in areas of essential spend.”

Smart organizations will achieve the visibility they need using AI tools. With the help of AI tools, companies can “make supply chain planning and sourcing more cost efficient through real-time analytics and insights to help drive efficiency and productivity through its supply chain,” according to GEP. GEP also reports that two-thirds of executives identify enhanced supply chain visibility as a top priority for mitigating disruptions in 2022.

The value of improved supply chain visibility extends beyond controlling costs and supply chain compliance issues. It’s also a way of demonstrating to partners, investors and customers that your organization can thrive through times of challenge. As Accenture notes, “Consumers, investors, governments and communities may ultimately judge companies on how they respond to this period of disruption.”


Harden your supply chain against uncertainty

In short, now is the time for organizations to invest in efficient, comprehensive supply chain visibility and risk management. The threat of non-compliance within supply chains increases during times of economic uncertainty. AI-assisted supply chain visibility solutions make this challenge easy to meet without breaking the bank or burdening risk management teams with manual effort.

Contact Findings to learn more about how we can help protect your supply chain – in both the best and worst of economic times.

Supply Chain Risk Management: Your Black Friday Weakest Link


Black Friday is the time of year that is bound to put stress on many businesses’ supply chains. With demand soaring for items across the board, supply chains have already come under pressure from the effects of the past two years, and these delays are becoming more evident every day. So what does this mean for your risk management?


Unfortunately, not all risks originate internally. As you know, risks can also arise from within your supply chain. With increased strain (American consumers spent $8.9 billion online during Black Friday 2021) comes increased focus on your business’s reputation, and possibly fast-tracked vetting of alternative vendors in your supply chain to keep up with demand. But thorough vetting should not be sidestepped.


The Consequences Of Poor Supply Chain Risk Management On Black Friday Sales


Supply Chain Risk Management strategies that focus only on internal threats and ignore the supply chain fall short for two main reasons:

More threat opportunities

The threats that impact internal systems represent only a subset of all threats. But within your supply chain, attack vectors are far broader and numerous. You can’t always control the types of security exposures that your vendors or suppliers introduce to their products. And the last thing you want is this impacting your Black Friday sales. 

Lack of efficiency

If supply chain risk management isn’t part and parcel of your broader risk management strategy, it’s hard to manage supply chain risks efficiently. If you protect against supply chain threats at all, it ends up being through one-off audits or action against isolated threats.

At one of the busiest times of year, time and efficiency take center stage, and it’s much more efficient to monitor for and address all types of risks – internal and external – through centralized tools and processes.



Major Holidays Leave The Door Open For Major Attacks

Retailers are particularly vulnerable to client-side attacks. Many online retail sites are built on CMS frameworks with a plethora of third-party plug-ins, from blog posting to popups to SEO maintenance. On average, 31 JavaScript resources are used per site, making retailers vulnerable to many forms of supply chain fraud such as formjacking, data-skimming and Magecart attacks.

Kaseya Attack Affecting the Supply Chain

Though it was initially thought to affect only 40 of Kaseya’s clients, it was later discovered that over 1,000 downstream companies were affected by this July 4th attack by the Russian group REvil. With over 40,000 organizations worldwide using at least one Kaseya software solution, the potential impact of this supply chain attack was massive. By exploiting zero-day vulnerabilities in Kaseya’s software, the attackers caused a major Swedish grocery chain to shut completely for 24 hours, as well as 11 schools in New Zealand.

Magento Magecart Attack Prevented in 2021

With millions of transactions being carried out over the Black Friday period, it’s no surprise that this is a key time for threat actors to leverage vulnerabilities in the supply chain. In fact, the UK’s National Cyber Security Centre (NCSC) notified small businesses about the risk of Magecart attacks on and around Black Friday last year. These attacks are unique because they exploit third-party scripts on companies’ websites. Because highly critical services like Adobe’s Magento are trusted, and there are not many services like them, these attacks can impact thousands of sites simultaneously. When the NCSC notified these businesses, over 4,000 were at risk.

A Better Approach To Supply Chain Risk Management And Intelligence

How do businesses avoid those shortcomings this Black Friday? How can they implement risk management that addresses both internal and external threats?

The answer is to deploy risk management processes and tools that provide the following features:

  • Continuous, real-time intelligence: Businesses need to know – immediately, before performance and security are affected – whenever a risk emerges within any internal or external asset.
  • Complete supply chain risk management: It’s crucial to identify risks that exist at any point in the supply chain. This includes risks introduced not just by third-party vendors with whom you do business directly, but also “fourth-party” vendors, meaning those who supply your direct vendors. Risks can arise from these vendors, too.
  • Automated, scalable compliance: Checking for risks manually doesn’t scale (and takes away precious time, when time is a short commodity). Whether you have one vendor or one thousand, you need automation to ensure that you can detect all potential risks across all internal and external assets – and that nothing falls through the cracks.
  • Centralized compliance: Risk management is inherently fragmented because risks come in many forms and affect many types of systems. Nonetheless, businesses should be able to manage all risks comprehensively using a platform that works across the enterprise. When you centralize risk management, you save time and maximize risk coverage.

The Findings Difference

With Findings, you are provided with an automated, comprehensive supply chain risk management solution that empowers businesses to manage supply chain risks proactively by getting ahead of issues before they happen. Instead of treating the supply chain as a black box from the perspective of compliance, leverage Findings to implement centralized, enterprise-wide supply chain risk management for both internal and external threats. 

Don’t get caught out this Black Friday (or any day!). Get started at

5 Critical Steps In Maintaining A Vulnerability Disclosure Policy


Once upon a time, the vendors that your company chose to work with were your own business. There was little pressure to disclose supply chain vendors to the world at large.


Those days are gone. Today, businesses face pressure from a variety of sources to establish a vendor and vulnerability disclosure policy in order to maintain a transparent supply chain.


Government regulators are demanding vulnerability disclosure policies in the wake of initiatives like the White House’s call for more stringent supply chain cybersecurity protections. Partners expect transparency, too – which is why companies like Palo Alto Networks and Nestlé detail their suppliers on their websites.



From the perspective of consumers as well, vulnerability disclosure policies have become a priority. Alexis Bateman and Leonardo Bonanni note in the Harvard Business Review, “researchers at the MIT Sloan School of Management found that consumers may be willing to pay 2% to 10% more for products from companies that provide greater supply chain transparency.”



For all of these reasons, now is the time for company shareholders and security teams to establish strong vulnerability disclosure policies and supply chain transparency, if they have not already. While it’s important to avoid giving away too much information – because doing so could harm your competitive advantage – CISOs also don’t want to be left playing catchup when a vulnerability arises within their supply chain. They don’t want regulators, partners, customers and shareholders asking questions about why there wasn’t more transparency and disclosure before an incident, especially in situations where proactive disclosure could have helped to mitigate the impact of a rapidly spreading attack or threat.



Of course, establishing and managing a vulnerability disclosure policy is easier said than done. To help with this mission, we are unpacking the five critical steps security teams should be taking to establish supply chain transparency and ensure effective disclosure of vulnerabilities (also known as a VDP).



Step 1: Set vendor disclosure goals

Supply chain transparency doesn’t mean disclosing every detail of your supply chain to the world. Instead, CISOs should set goals about how much information to disclose. Their policies should reflect the level of risk that each supply chain component or vendor poses to stakeholders.


For example, a vendor that supplies software that your business uses internally poses less of a risk than one who helps to provide customer-facing systems. A security issue in the latter is likely to be harder to contain and to have a bigger impact on your users and business. For that reason, a vulnerability disclosure policy might treat suppliers for line-of-business apps and customer-facing apps differently.


Keep in mind, too, that risks constantly change, so you should revisit your vendor disclosure goals at least yearly.



Step 2: Map suppliers and flow

Supply chain transparency is about more than just listing who your vendors are. It’s equally critical to understand how information flows between vendors, and how a vulnerability in one part of the supply chain impacts the rest of the chain.

CISOs can unpack this information by mapping suppliers to the ‘flow of information’. From there, look for gaps where failure to contain a vulnerability or disclose it quickly could impact other vendors or customers.





Step 3: Optimize reporting systems

A strong vulnerability disclosure policy requires effective reporting about where vulnerabilities like to hide and which vendors they involve. Since it’s not practical to generate this information manually at any kind of scale, CISOs should leverage automatic vendor disclosure reporting systems that can generate disclosure information automatically.


Baking vendor disclosure into existing business processes can also help to make reporting more systematic and automated. Supply chain transparency is an important component of corporate responsibility. Many businesses are also considering ESG as an integrated part of their cybersecurity risk management, so including it in your vendor disclosure policy just makes sense.



Step 4: Gather information continuously

Again, risks change constantly. So do the vendors within your supply chain and the role they play in it. That’s why security teams must continuously gather and update information about vendors and vulnerabilities, then adjust vulnerability disclosure policies accordingly.

They should also make sure that information is available to all stakeholders. Every person in the organization should be able to see whether there is a supply chain risk and report it to the security team.


Step 5: Report findings and engage vendors

Vulnerability disclosure shouldn’t be a passive affair. You can’t just list vendors or report vulnerabilities periodically on your website.

Instead, you should engage actively with your vendors to report findings, make collaborative decisions about vulnerabilities and address specific risks as quickly as possible.


The point of vulnerability disclosure policies, after all, is to lower risk for everyone. You can do that only by acting on the information you discover.
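As an added illustration of Step 2 (and of the “fourth-party” and “long-tail” visibility discussed earlier on this page), here is a small supplier-flow map in Python. It is not Findings’ code; the vendors, systems and supply edges are constructed, and the priority rule applies Step 1’s distinction between internal-only and customer-facing systems.

```python
from collections import deque

# Constructed sample supply chain (not a real one). Edges point in the
# direction that software or data flows: supplier -> the party it supplies.
SUPPLY_FLOW = {
    "acme-logging": ["auth-saas"],                        # fourth party: supplies our vendor
    "auth-saas": ["online-banking"],                      # third party feeding a customer-facing app
    "cdn-widgets": ["online-banking", "marketing-site"],  # third party feeding two of our apps
    "hr-tool": ["hr-portal"],                             # third party feeding an internal app
}
OUR_SYSTEMS = {"online-banking", "hr-portal", "marketing-site"}
CUSTOMER_FACING = {"online-banking", "marketing-site"}


def downstream(graph, source):
    """Breadth-first walk: {node: hops} for everything the source flows into."""
    hops = {}
    queue = deque([(source, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in hops:  # BFS: the first visit is the shortest path
                hops[nxt] = dist + 1
                queue.append((nxt, dist + 1))
    return hops


def vendor_tier(graph, vendor, our_systems):
    """1 = third party (supplies us directly), 2 = fourth party, ...; None = no path to us."""
    reached = [d for n, d in downstream(graph, vendor).items() if n in our_systems]
    return min(reached) if reached else None


def vendors_by_tier(graph, our_systems):
    """Group every supplier in the map by tier, surfacing the long tail."""
    tiers = {}
    for vendor in graph:
        if vendor in our_systems:
            continue
        tier = vendor_tier(graph, vendor, our_systems)
        if tier is not None:
            tiers.setdefault(tier, []).append(vendor)
    return {t: sorted(v) for t, v in tiers.items()}


def disclosure_plan(graph, compromised, our_systems, customer_facing):
    """For a vulnerability at one supplier: who sits in the flow, which of our
    systems are exposed, and how urgently to disclose (customer-facing exposure
    outranks internal-only exposure)."""
    hops = downstream(graph, compromised)
    intermediaries = sorted(n for n in hops if n not in our_systems)
    ours = sorted(n for n in hops if n in our_systems)
    exposed_customer = sorted(n for n in ours if n in customer_facing)
    if exposed_customer:
        priority = "high"
    elif ours:
        priority = "medium"
    else:
        priority = "none"
    return {
        "tier": vendor_tier(graph, compromised, our_systems),
        "notify_vendors": intermediaries,
        "our_systems_affected": ours,
        "customer_facing_affected": exposed_customer,
        "disclosure_priority": priority,
    }


if __name__ == "__main__":
    print(vendors_by_tier(SUPPLY_FLOW, OUR_SYSTEMS))
    for vendor in ("acme-logging", "hr-tool"):
        print(vendor, disclosure_plan(SUPPLY_FLOW, vendor, OUR_SYSTEMS, CUSTOMER_FACING))
```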



Continuous monitoring for vendor disclosure is essential

You may have noticed a theme running throughout the vulnerability disclosure steps described above: The importance of continuous monitoring and disclosure.


Continuous monitoring and disclosure means the ability to detect, report on and react to supply chain risks in real time. It’s critical because, once again, risks and vendors constantly change, so continuous monitoring is the only way to ensure you never miss a threat. Periodic audits or one-off reports are not enough to stay on top of risks or demonstrate a genuine commitment to your supply chain security.


Keep in mind, too, that continuous monitoring and reporting will support the image of your business as one that takes supply chain security seriously. In turn, it helps you to gain a competitive advantage, since partners and customers will see continuous transparency and reporting as a positive quality.



While continuously monitoring risk across your supply chain may seem daunting, Findings makes it easy with automated supply chain security, and our innovative continuous and cloud monitoring apps to support and scale your entire supply chain. 


See for yourself by signing up for a free trial.

The Insider Guide To Coordinated Vulnerability Disclosure Programs


When you coordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for tips on how coordinated vulnerability disclosure programs work, why they’re important and five steps to creating one.


What Is a Coordinated Vulnerability Disclosure Program?

A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities with various internal and external stakeholders whenever a vulnerability occurs. It’s a way of ensuring not just that information about a known vulnerability is available, but also that response operations are as efficient as possible. But remember that not all vulnerabilities should or must be disclosed. Deciding how to react – whether to block or avoid – is also an important decision.



The Benefits of Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:

– Reduced vulnerability impact

The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster, and rolled out to affected applications or systems before hackers attack them. This translates to a lower risk that the vulnerability will be exploited.

Consider CVDP as a “neighborhood watch” for your IT assets by encouraging everyone in your supply chain to report risks they discover.

– Build internal processes

Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.

– Combined stakeholder response

External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.

– Avoid surprises

When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.

On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.

– Ethical corporate behavior

Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.


Did you know that your supply chain security can affect your stock value?


5 Steps for Creating a Coordinated Vulnerability Disclosure Program

Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.

1. Create secure reporting channels

As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.

However, you need to provide secure channels through which third parties can report vulnerabilities in order to benefit from them. These channels could be as simple as a “security.txt” file that identifies where and how someone can report a vulnerability to you.

Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.

2. Assess vulnerability severity

Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.

For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, then include that information in the disclosure report, along with technical details on how the vulnerability is exploited.

With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.

3. Remediation

Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?

This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.

4. Public awareness

In a coordinated response process, the group that identifies a vulnerability will take appropriate steps to notify users about it via all relevant channels – such as vulnerability databases, email lists and media reports.

Included in these notifications should be a timeline about which information to disclose and when to disclose it. In some instances, you may not want to include certain technical details right away; for example, if a patch is not yet available to fix a vulnerability, you may not wish to disclose how to exploit the vulnerability, in case hackers use that information to execute zero-day attacks that can’t yet be prevented.

5. Assess your response

The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.
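As an added example tied to Step 1 above (not the post’s or Findings’ own code), here is a small checker for the security.txt file that a reporting channel depends on, applying the rules of RFC 9116: Contact and Expires are required, Expires and Preferred-Languages appear at most once, web URIs must use https, and Expires should be in the future and within a year. The sample file, its example.com addresses and the fixed “now” are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the RFC 9116 security.txt format; placeholder addresses.
SAMPLE_SECURITY_TXT = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2099-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, he
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/vdp
"""

REQUIRED = ("contact", "expires")
AT_MOST_ONCE = ("expires", "preferred-languages")
HTTPS_ONLY = ("acknowledgments", "canonical", "hiring", "policy")
KNOWN_FIELDS = set(REQUIRED) | set(AT_MOST_ONCE) | set(HTTPS_ONLY) | {"encryption"}


def parse_security_txt(text):
    """Return ({field_name_lowercase: [values...]}, [syntax errors])."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            errors.append(f"line {lineno}: expected 'Field: value', got {line!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def _parse_expires(value):
    # RFC 9116 uses the ISO 8601 / RFC 3339 date-time form, e.g. 2026-01-01T00:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_security_txt(text, now=None):
    """Check the RFC 9116 rules a reporting channel must satisfy to be usable.
    Returns (errors, warnings); an empty error list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    warnings = []
    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field '{name}'")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            errors.append(f"field '{name}' must appear at most once")
    for name in fields:
        if name not in KNOWN_FIELDS:
            warnings.append(f"unknown field '{name}' (extension or typo?)")
    for value in fields.get("contact", []):
        if value.startswith("http://"):
            errors.append(f"Contact web URI must use https: {value}")
        elif ":" not in value:
            errors.append(f"Contact must be a URI (mailto:, tel:, https://): {value}")
    for name in HTTPS_ONLY:
        for value in fields.get(name, []):
            if not value.startswith("https://"):
                errors.append(f"{name} must be an https URI: {value}")
    for value in fields.get("expires", []):
        try:
            expires = _parse_expires(value)
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if expires.tzinfo is None:
            errors.append(f"Expires must carry a time zone offset: {value}")
        elif expires <= now:
            errors.append(f"Expires is in the past ({value}); researchers may treat the file as stale")
        elif expires - now > timedelta(days=365):
            warnings.append("Expires is more than a year away; RFC 9116 recommends under a year")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate_security_txt(SAMPLE_SECURITY_TXT)
    print("errors:", errs)
    print("warnings:", warns)
```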

Coordination leads to the best outcomes

As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.

Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.

When it comes to planning for coordinated vulnerability response, Findings can help. Findings provides end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.

Schedule a call to learn more
