Supply Chain Due Diligence | Third Party Cyber Risk | Redscan
  • Services
    • Protect
      • Offensive Security
      • Penetration Testing
      • Web Application Testing
      • Cloud Penetration Testing
      • Agile Penetration Testing
      • Network Penetration Testing
      • Mobile Application Testing
      • Red Teaming
      • Breach and Attack Simulation
      • Ransomware Preparedness
      • Scenario-Based Testing
      • Advisory Services
      • Cyber Policy Review
      • Cyber Due Diligence
      • Supply Chain Due Diligence
      • Compliance Advisory
      • Virtual CISO
      • DPO Services
      • Dark Web Monitoring
      • Application Security
      • Threat Modelling
    • Detect
      • Managed Detection and Response
      • Kroll Responder MDR
      • MDR for Microsoft
      • Use Cases
      • Redscan Platform
      • Features Table
      • MDR vs MSSP
      • Managed SIEM
      • Managed EDR
      • Managed SOC
    • Respond
      • Digital Forensics and Incident Response
      • Cyber Incident Response
      • Incident Response Planning
      • Breach Notification
      • Digital Forensics
      • Litigation Support
      • Malware Analysis &
        Reverse Engineering
      • Cyber Risk Retainer
  • Solutions
    • Industry
      • Education
      • Energy
      • Finance
      • Fintech
      • Government
      • Healthcare
      • Legal
      • Manufacturing
      • Media
      • Nonprofit
      • Property
      • Retail
      • Technology
      • Transport
    • Compliance
      • GDPR
      • DPA 2018
      • PCI DSS
      • ISO 27001
      • NIS Directive
      • SWIFT CSP
      • NHS DSP Toolkit
    • Cloud Security
      • Hybrid Cloud
      • AWS
      • Azure
      • GCP
      • Office 365
      • G Suite
      • Hyper-V
      • VMWare
    • Security Challenge
      • Mitigating cyber security risk
      • Identifying and responding to threats
      • Testing cyber security readiness
      • Managing cloud security
      • Investigating and reporting breaches
      • Protecting against malware
      • Tackling phishing and BEC attacks
      • Defending against insider threats
      • Achieving GDPR compliance
      • Securing remote workers
  • Company
    • About
      • Company Overview
      • Careers
      • Awards
      • Accreditations
      • Redscan Labs
    • Resources
      • Cyber Security Blog
      • Case Studies
      • Resource Hub
      • Press Releases
      • Media Coverage
      • Cyber Security Glossary
    • Contact Us
      • General Enquiries
      • Incident Response Enquiries
      • Customer Support
      • Partner With Us
      • Media Requests
Get In Touch
Contact Us

Contact Us

Please get in touch using the form below

1000 characters left
View our privacy policy
Experiencing a breach? Get emergency incident response assistance.
Redscan Logo
  • Services
  • Solutions
  • Company
  • Protect
    Offensive security assessment and consultancy services
  • Detect
    Outcome-focused MDR fuelled by frontline intelligence
  • Respond
    Unrivaled response through the entire incident lifecycle
    • Offensive Security
    • Penetration Testing
    • Web Application Testing
    • Cloud Penetration Testing
    • Agile Penetration Testing
    • Network Penetration Testing
    • Mobile Application Testing
    • Red Teaming
    • Breach and Attack Simulation
    • Ransomware Preparedness
    • Scenario-Based Testing
    • Advisory Services
    • Cyber Policy Review
    • Cyber Due Diligence
    • Supply Chain Due Diligence
    • Compliance Advisory
    • Virtual CISO
    • DPO Services
    • Dark Web Monitoring
    • Application Security
    • Threat Modelling
    • Managed Detection and Response
    • Kroll Responder MDR
    • MDR for Microsoft
    • Use Cases
    • Redscan Platform
    • Features Table
    • MDR vs MSSP
    • Managed SIEM
    • Managed EDR
    • Managed SOC
    • Digital Forensics and Incident Response
    • Cyber Incident Response
    • Incident Response Planning
    • Breach Notification
    • Digital Forensics
    • Litigation Support
    • Malware Analysis &
      Reverse Engineering
    • Cyber Risk Retainer
  • Industry
  • Compliance
  • Cloud Security
  • Security Challenge
  • Education
  • Energy
  • Finance
  • Fintech
  • Government
  • Healthcare
  • Legal
  • Manufacturing
  • Media
  • Nonprofit
  • Property
  • Retail
  • Technology
  • Transport
  • GDPR
  • DPA 2018
  • PCI DSS
  • ISO 27001
  • NIS Directive
  • SWIFT CSP
  • NHS DSP Toolkit
  • Hybrid Cloud
  • AWS
  • Azure
  • GCP
  • Office 365
  • G Suite
  • Hyper-V
  • VMWare
  • Mitigating cyber security risk
  • Identifying and responding to threats
  • Testing cyber security readiness
  • Managing cloud security
  • Investigating and reporting breaches
  • Protecting against malware
  • Tackling phishing and BEC attacks
  • Defending against insider threats
  • Achieving GDPR compliance
  • Securing remote workers
  • About
  • Resources
  • Contact Us
  • Company Overview
  • Careers
  • Awards
  • Accreditations
  • Redscan Labs
  • Cyber Security Blog
  • Case Studies
  • Resource Hub
  • Press Releases
  • Media Coverage
  • Cyber Security Glossary
  • General Enquiries
  • Incident Response Enquiries
  • Customer Support
  • Partner With Us
  • Media Requests
Get In Touch
Circuits Blue Circuits Blue

Supply Chain Due Diligence

Expertise and technology to protect your organisation against third party supply chain security risks

SC Awards Winner 2022 Logo

Services > Supply Chain Due Diligence

Overview

Assess, identify and remediate third party security risks with confidence

While third parties can add great value to your organisation, they also present significant security risks. In a 2021 report by the Ponemon Instite and SecureLink, 74% of companies breached within the previous 12 months stated that the cause was granting too much privileged access to third parties.

When an incident affects your customers, it won’t matter if the root cause was a third party – your organisation will be held accountable for the consequences. With your reputation and revenue on the line, how are you managing third party security risks?

Kroll’s third party cyber risk management services provide multidirectional insight to support robust cyber security strategies and meet regulatory requirements. Services include:

Clarity360™ platform
Dark web monitoring
Strategic program advice
Security program assessment
Penetration testing
Vulnerability assessment

Clarity360™

Clarity360™ third party cyber risk management platform

Clarity360™ is a field-proven solution trusted by some of the world’s largest organisations to deliver key advantages for managing third-party cyber risk.

Clarity360 streamlines decision-making and simplifies the process of understanding the cyber security and resilience of external partners. Clarity360 quantifies cyber risk through a transparent scoring and analysis system designed to deliver unique insights, better inform risk-related decisions and offer perspectives on often overlooked areas.

Increase velocity and reach

Automate assessment collection to reach more vendors in less time

Validate responses

Smart algorithms uncover incomplete and inconsistent answers

Identify compliance and control gaps

Map assessment results against security and regulatory frameworks, such as NIST CSF and CIS, to identify control gaps

Generate and track remediation

Tailored remediation advice and remediation validation

Real-time risk monitoring

Live dashboards and reporting capabilities, risk disposition and acceptance tracking

Features

Supply chain due diligence service features

Dark web monitoring

Our dark web monitoring services enable organisations to proactively monitor, detect and respond to threats virtually anywhere – on endpoints and throughout the surface, deep and dark web.

Strategic program advice

We provide advisory services to support organisations with their cyber security strategy, including program setup, assessment guidance, remediation management, risk committee meetings, evaluation of on-premise and cloud-based security solutions and incident response planning.

Cyber security program assessment

We can undertake a detailed assessment of the maturity of the third party’s security program and its ability to defend against and respond to cyber security threats. We work to standard security frameworks such as NIST, CIS Controls™ and ISO and can support regulatory requirements including HIPAA, SEC and GDPR.

Penetration testing

The goal of a penetration test is to simulate a real-world attack by attempting to gain access to corporate assets from the internet. Our pen testing services include investigations to identify publicly accessible information that may aid in the attack, as well as targeted phishing exercises.

Vulnerability assessment

The goal of a vulnerability assessment is to assess whether there are any security vulnerabilities which may be exploitable by attackers. Kroll harnesses advanced vulnerability assessment tools to identify potential security vulnerabilities in the corporate environment.

Global risk management expertise

Our end-to-end third party cyber risk management platform solutions are powered by our unrivalled expertise in cyber risk management and the insight acquired by handling more than 3,200 cyber incidents every year. Many of our risk professionals bring years of unique experience in a variety of industries as well as from former service with law enforcement and regulatory agencies.

Find out more

Get in touch

FAQ

Supply chain due diligence FAQs

What is third party cyber risk?

Third party or supply chain risk is any type of risk presented to an organisation by its supply chain or other external parties with access to its data, systems or privileged information. This could be a data breach, organisational damage, IP theft or other security incident. Third parties include vendors, suppliers, consultants and contractors.

What is third party risk management?

Third party risk management (TPRM) is a type of risk management which looks specifically at identifying and reducing the risks related to the use of third parties. It gives organisations an in-depth understanding of the third parties they work with and the quality of the safeguards those third parties have in place. The specific nature and scope of a third-party risk management program will be defined by each particular organisation.

Which type of third party risk do organisations often overlook?

Managing third party risk should not be regarded as a “set-and-forget” security practice. Many organisations fail to recognise the importance of regularly reviewing the risks within their supply chain. They also overlook the fact that different types of relationships with the same vendor can create different levels of risk. Organisations are also vulnerable when a lack of resources or traceability means that they are unable to keep up with tracking and assessing their supply chain risk.

Which risks can third party cyber due diligence protect my organisation from?

Supply chain due diligence can significantly reduce, mitigate or remediate many types of risks created by third party relationships, including:

  • Credential theft
  • Data exfiltration
  • Intellectual Property (IP) theft
  • Network Intrusion
  • Spear phishing
When is a good time for an organisation to undertake third party due diligence?

Because no organisation works in isolation, it is critical to undertake third party due diligence practices on an ongoing basis. In addition to this, organisations should conduct checks when embarking on working with a new vendor or supplier. Companies should also complete checks when making changes to high-risk aspects of the business in order to protect against the fraudulent interception of goods or payments.

How can I minimise third party risk?

An effective third party risk management program is critical to effectively managing and mitigating third party risk. It should provide a comprehensive insight of the many different areas which can create risk and assess areas such as vendor risk management, a consideration of fourth parties (your third party’s own third parties) and creating and maintaining a vendor assessment process.

What we do

Comprehensive support to mitigate the potential risks in your supply chain

Protect your reputation and bottom line with Kroll’s third party cyber risk management services. Benefit from our powerful blend of unique insight gained from in-house experience of managing third-party risk and handling more than 3,000 diverse cyber incidents every year, supported by today’s most advanced technology.

We can help you assess, identify and remediate with confidence and can deploy remote solutions quickly and/or be onsite within hours.

Common types of risk our supply chain due diligence services can defend against:

  • Credential theft
  • Data exfiltration
  • IP theft
  • Network intrusion
  • Spear phishing

About us

Why choose Kroll?

  • Flexible, on-demand services
  • Recognised by CREST and the PCI Council
  • Global team of cyber risk experts
  • >3,200 security incidents responded to every year

Get in touch

Complete the form for a prompt response from our team.

Two Redscan team members analysing cyber security intelligence

1000 characters left
View our privacy policy

Resources

Discover our latest content and resources

From the blog
From the blog Case studies Latest news
Threat-led pen testing and its role in DORA compliance
19th December 2024
The changing face of the incident response retainer
28th October 2024
What are the benefits of an incident response retainer?
26th September 2024
NCSC sets out plans to launch Advanced Cyber Defence 2.0
16th September 2024
Hospitality Company
Securing a hospitality company’s continued global expansion
Asset Management Firm
Enhancing security visibility for a leading asset management firm
National Homebuilder
Ensuring threat visibility across a hybrid cloud network
Specialist Bank
Raising the bar by uncovering vulnerabilities across a bank’s estate
UK companies lose an average of £2.9m to AI risk
New research suggests that the average company in the UK has lost millions due to unmanaged AI risk, with 55% claiming that these risks cost them over £750,000.
20th October 2025
Digital fraud costs companies 7.7% of annual revenue
New research suggests that soaring digital fraud costs companies around the world an average of 7.7% of their annual revenue, with US businesses hit the hardest.
13th October 2025
Agentic AI-powered breach likely to take place in 2026
New analysis predicts that an agentic AI deployment will cause a publicly disclosed data breach next year.
 
6th October 2025
Deepfake attacks impact two-thirds of businesses
62% of organisations have been affected by a deepfake attack in the past 12 months, according to a new survey by Gartner.  
29th September 2025
  • Penetration Testing
  • Managed Detection & Response
  • Incident Response
Contact Redscan: +44 (0)203 972 2500
London Office: Kroll, Level 6, The News, 3 London Bridge Street, London, SE1 9SG
  • Privacy Notice
  • Legal Notice
  • Company Policies
© Redscan (a trading name of Redscan Cyber Security Limited) 2025. All rights reserved.
Company Number - 09786838. ICO Registration Number - ZA184902.
Cookie Notice
We use cookies to analyse site traffic and optimise your browsing experience. Accepting necessary cookies is required to provide you with a minimum level of service.
ACCEPTCookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
__cf_bm1 hourThis cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_oksessionThe cookie is set by Olark live chat software and is used to store most recent Olark site for security purposes.
_okdetectsessionThis cookie is set by Olark live chat software. The cookie is used for detecting when storage contexts have changed due to things like ssl or host transitions.
_oklvsessionThe cookie is set by Olark live chat software. According to Olark documentation, the cookie is the Olark Loader version used for improved caching.
cookielawinfo-checkbox-advertisement1 yearSet by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent1 yearCookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
hblid1 year 1 month 4 daysThe cookie is set by Olark live chat software and is used as a visitor identifier to remember a visitor between visits.
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
CookieDurationDescription
langsessionLinkedIn sets this cookie to remember a user's language setting.
li_gc6 monthsLinkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc1 dayLinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory1 monthLinkedIn sets this cookie for LinkedIn Ads ID syncing.
yt-player-headers-readableneverThe yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-availablesessionThe yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installedsessionThe yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devicesneverYouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-idneverYouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-periodsessionThe yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-appsessionThe yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-namesessionThe yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEYneverThe cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
CookieDurationDescription
_okbksessionThe cookie is set by Olark live chat software and is used to store extra state information of the chat box.
olfsk1 year 1 month 4 daysThis cookie is set by Olark live chat software. This cookies is a storage identifier used to maintain chat state across pages.
SRM_B1 year 24 daysUsed by Microsoft Advertising as a unique ID for visitors.
wcsidsessionThis cookie is set by Olark live chat software. The cookie is a session identifier that is used to keep track of a single at session.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
CookieDurationDescription
_ce.gtldsessionCrazyegg sets this cookie to identify the top-level domain.
_clck1 yearMicrosoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk1 dayMicrosoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga1 year 1 month 4 daysGoogle Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*1 year 1 month 4 daysGoogle Analytics sets this cookie to store and count page views.
_gat_UA-*1 minuteGoogle Analytics sets this cookie for user behaviour tracking.
_gid1 dayGoogle Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory1 monthLinkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
cebssessionCrazyegg sets this cookie to trace the current user session internally.
CLID1 yearMicrosoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
MR7 daysThis cookie, set by Bing, is used to collect user information for analytics purposes.
SMsessionMicrosoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
vuid1 year 1 month 4 daysVimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
CookieDurationDescription
ANONCHK10 minutesThe ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
bcookie1 yearLinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie1 yearLinkedIn sets this cookie to store performed actions on the website.
li_sugr3 monthsLinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
MUID1 year 24 daysBing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
NID6 monthsGoogle sets the cookie for advertising purposes; to limit the number of times the user sees an ad, to unwanted mute ads, and to measure the effectiveness of ads.
test_cookie15 minutesdoubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE6 monthsYouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA6 monthsYouTube sets this cookie to store the user's cookie consent state for the current domain.
YSCsessionYoutube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextIdneverYouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requestsneverYouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
CookieDurationDescription
_ce.cchsessionDescription is currently not available.
_ce.clock_data1 dayDescription is currently not available.
_ce.clock_event1 dayDescription is currently not available.
_ce.irvsessionDescription is currently not available.
_ce.s1 yearDescription is currently not available.
_CEFT1 yearNo description available.
_cfuvidsessionDescription is currently not available.
_okckless than a minuteDescription is currently not available.
_okcssessionDescription is currently not available.
cebsp_sessionDescription is currently not available.
Powered by WebToffee Logo