Assess first the suppliers that can do you the most technical damage if compromised, not the ones with the biggest contracts or the earliest renewal date. The reflex is to send everyone the same questionnaire; resist it. You have thousands of suppliers; only a handful can hurt you. Black Kite found one third-party breach now cascades to an average of 5.28 downstream organisations, the highest on record. This post explains how to tier suppliers by blast radius, why contract value is the wrong proxy, and what UK and EU regulators already say about it.
Why does assessing every supplier the same way fail?
Assessing every supplier the same way fails because the work scales with the supplier count while the risk concentrates in a few. Venminder’s 2025 State of Third-Party Risk Management Survey found 73% of respondents have two or fewer full-time staff managing vendor risk while more than half oversee 300 or more suppliers, and 94% are not assessing all the vendors they would like to. The answer is not more headcount; it is a different model.
In May 2023 the Cl0p ransomware group exploited a SQL injection zero-day, CVE-2023-34362, in Progress Software’s MOVEit Transfer product. One flaw, and by late October Emsisoft’s tracker confirmed more than 2,500 organisations affected. The pattern recurred in 2024: SecurityScorecard found two file-transfer vulnerability clusters drove 63.5% of third-party vulnerability-driven breaches that year. Risk pools in the suppliers everyone shares, yet a uniform questionnaire treats them like the stationery firm.
Why can’t a security questionnaire tell you which supplier is dangerous?
A security questionnaire cannot tell you which supplier is dangerous because it records what a supplier says about its controls, not whether that supplier can reach your data. A flat 300-question survey measures none of the access, privilege, or live exposure on the supplier’s estate, and does not change when a vulnerability lands there the following week or its credentials surface in a stealer log. Verizon’s 2025 Data Breach Investigations Report found third-party involvement in breaches doubled year-on-year to 30% as questionnaire volume kept rising. More forms did not close the gap, because forms measure the wrong thing.
What is vendor blast radius in third-party risk management?

Contract value is the wrong proxy. Spend-based tiering fails because ranking suppliers by spend, renewal date, or alphabetical order sorts them by the wrong axis, then asks your two-person team to work down the list.
Black Kite examined the 50 vendors most relied upon across the Forbes Global 2000 and found 70% carry at least one CISA KEV-listed vulnerability, 84% a critical vulnerability, and 62% corporate credentials in stealer logs. Across the broader population of roughly 200,000 monitored organisations, only about 54% carry a critical vulnerability and 23% have credentials on the dark web. The most-shared suppliers carry more exposure than the average one — DORA calls it ICT concentration risk (Article 29).
Don’t UK and EU regulators require you to assess every supplier?
No. They require the opposite. UK and EU rules are built on proportionality: assess each supplier in line with the risk it carries.
The NCSC tells organisations to avoid situations where you force all your suppliers to deliver the same set of security requirements when it may not be proportionate or justified to do so. NIS2 Article 21 requires “appropriate and proportionate” measures that account for the vulnerabilities specific to each direct supplier — per-supplier assessment, not a uniform blast.
In finance, the regulator itself decides which suppliers are critical and against what criteria:
| Regime | Mechanism | Test for “critical” |
|---|---|---|
| DORA Article 31 (EU 2022/2554) | ESAs designate “critical ICT third-party service providers” | Systemic impact, reliance on critical functions, substitutability |
| | Contracts distinguish critical-or-important functions from the rest | “Criticality or importance of the service, process or function” |
| UK FCA Critical Third Parties regime (PS24/16, in force 1 Jan 2025) | HM Treasury designates; FCA, PRA and Bank of England oversee | Failure “could threaten the stability of, or confidence in, the UK financial system” |
The UK oversees its critical third parties “in an effective but proportionate manner.” Criticality is a designation tied to systemic impact and substitutability. It is not a line on a purchase order.
How should you tier suppliers in practice?
Third-party tiering sorts suppliers into risk bands by blast radius — three treatments, each a documented decision — so finite capacity goes where a compromise would do most damage:
- Threat-model the critical few. Suppliers with deep data access, high privilege, and live external exposure get full, continuous attention: attack-path mapping from their estate to your data. These are the suppliers a real attacker would target to reach you.
- Monitor the middle. Suppliers with some access but no critical-function role get continuous external monitoring — a daily read of their attack surface that flags drift without consuming the team.
- Baseline, then ignore. Suppliers with no path to your data get a one-time baseline, then a documented decision to stop: a defensible position on the record, not a gap someone forgot to close.
Questionnaire vs. Reality
- Questionnaire Says: “All 2,000 vendors completed our annual security review.”
- Reality Shows: “12 of those suppliers have direct write access to production data, and 9 of them have not been individually reviewed since 2024. Of the 50 suppliers the Forbes Global 2000 most rely on, 70% carry an unpatched CISA KEV and 62% have credentials circulating in stealer logs. A completed review tells you a form was filled in. It does not tell you which supplier can reach your data.”
What does Elasticito do about it?
Elasticito measures each supplier’s blast radius from the outside, using Black Kite’s external signals, so tiering rests on observed exposure, not self-report. Two signals do most of the work:
- FocusTags flag every supplier carrying a live CISA KEV vulnerability, turning the 70% finding into a filtered, actionable list.
- The Ransomware Susceptibility Index scores who is most likely to be hit next: its 0.8–1.0 band is 96 times more likely to suffer a ransomware attack than the band below 0.2.
With that evidence, your security team records “out of scope” as a documented decision for every supplier with no path to your data — a recorded call, not a gap.
FAQ
What is blast radius in third-party risk management?
Blast radius is the technical damage one compromised supplier can do to your organisation, measured as data access × privilege × reachability × known exposure. It is the right basis for tiering because it isolates the suppliers that can reach your data from those that cannot: a cheap tool with an API key into your database outranks a multi-million-pound facilities contract with no network access.
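The blast-radius formula above and the three treatments from "How should you tier suppliers in practice?" as a small scoring routine. This is an added example, not Elasticito's or Black Kite's code; the ordinal scales, the threat-model threshold and the sample suppliers are assumptions, and the sample estate is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Supplier:
    name: str
    data_access: int     # 0 none, 1 read, 2 write, 3 write to production data (assumed scale)
    privilege: int       # 0 none, 1 user, 2 service account, 3 admin (assumed scale)
    reachability: int    # 0 no path to us, 1 API key or account, 2 direct network access
    kev_count: int       # live CISA KEV-listed vulnerabilities seen on its estate
    stealer_creds: bool  # corporate credentials observed in stealer logs
    annual_spend: int    # contract value, recorded only to show it is the wrong axis

THREAT_MODEL_THRESHOLD = 8  # assumed cut-off between the "critical few" and the middle

def known_exposure(s: Supplier) -> int:
    # 1 = nothing observed externally; +1 per live KEV (capped at 2), +1 for stealer-log creds
    return 1 + min(s.kev_count, 2) + (1 if s.stealer_creds else 0)

def blast_radius(s: Supplier) -> int:
    # data access x privilege x reachability x known exposure; any zero factor = no path to our data
    return s.data_access * s.privilege * s.reachability * known_exposure(s)

def tier(s: Supplier) -> str:
    br = blast_radius(s)
    if br == 0:
        return "baseline-then-ignore"
    return "threat-model" if br >= THREAT_MODEL_THRESHOLD else "monitor"

def decision(s: Supplier) -> str:
    # The documented decision recorded for each supplier, whatever its band
    t = tier(s)
    if t == "baseline-then-ignore":
        return f"{s.name}: out of scope after one-time baseline (no path to our data)"
    action = "continuous attack-path mapping" if t == "threat-model" else "continuous external monitoring"
    return f"{s.name}: {action} (blast radius {blast_radius(s)})"

def assessment_order(suppliers) -> list:
    # Work queue: highest blast radius first
    return [s.name for s in sorted(suppliers, key=blast_radius, reverse=True)]

def spend_order(suppliers) -> list:
    # The queue a spend-based tiering would hand the team instead
    return [s.name for s in sorted(suppliers, key=lambda s: s.annual_spend, reverse=True)]

SAMPLE = [  # constructed sample estate: illustrative values, not real suppliers
    Supplier("db-backup-saas", 3, 2, 1, 1, True, 2_000),             # cheap tool, API key into the database
    Supplier("facilities-contractor", 0, 0, 0, 2, True, 4_000_000),  # biggest contract, no network access
    Supplier("managed-file-transfer", 3, 3, 2, 0, False, 150_000),
    Supplier("payroll-export", 1, 1, 1, 0, False, 60_000),
    Supplier("web-analytics", 1, 1, 1, 1, False, 20_000),
]
```

Running `assessment_order(SAMPLE)` puts the £2,000 backup tool at the top and the £4m facilities contract last; `spend_order(SAMPLE)` gives the reverse.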
How should I prioritise which vendors to assess first?
Prioritise by blast radius. Assess first the suppliers with the deepest data access, the highest privilege, and the most live external exposure, not the largest contracts or nearest renewals. The NCSC tells organisations to give each supplier an initial risk rating to aid prioritisation rather than applying the same requirements to all.
What percentage of breaches come from a small percentage of vendors?
No public dataset reports a clean “X% of suppliers cause Y% of breaches” ratio, so treat any such number with suspicion. Black Kite found one third-party breach now cascades to an average of 5.28 downstream organisations, and that among the 50 most-shared vendors across the Forbes Global 2000, 70% carry an unpatched CISA KEV. Risk pools in the highly connected suppliers many organisations share, not evenly.
How do I identify which vendors pose the most systemic risk?
Look for shared, hard-to-replace suppliers that carry live exposure. DORA’s concentration-risk test (Article 29) names the conditions: a provider that is “not easily substitutable,” or multiple contracts with the same or closely connected providers. Combine that with external signals such as CISA KEV exposure, stealer-log credentials, and reachable attack surface. A single upstream provider serving many of your suppliers is the one to map first.
What is vendor tiering and how does it work?
Vendor tiering sorts suppliers into risk bands that set how much assessment each one receives, so finite capacity goes where a compromise would do most damage. Tier by blast radius into three treatments: threat-model the critical few, monitor the middle continuously, and baseline-then-ignore the suppliers with no path to your data, recording each band as a documented decision that UK and EU proportionality rules require.
Conclusion: Why tiering by blast radius beats assessing every vendor the same
Your assessment capacity is finite; your risk is concentrated. Spend the capacity on the suppliers that can reach your data.
See which of your suppliers carry the largest blast radius when you join Elasticito on 15 July 2026 for Your Questionnaire Won’t Save You: Discover the Vendors Most Likely to Breach You Next.
Created: 2026-06-04 / Reviewed: 2026-06-04