
November 2025 Vendor Management News

Nov 6, 2025

U.S. CISA and UK cyber agency issue guidance for operational technology systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI, alongside the UK’s National Cyber Security Centre, released new joint guidance to help organizations strengthen cybersecurity for operational technology (OT) systems. It urges OT owners and operators to create a continually updated “definitive record” of all assets to improve visibility, manage third-party risks, and bolster resilience. It outlines five core principles, including maintaining accurate asset inventories, managing vendor connections, and implementing an OT information security management program.  

Securing Internet of Things devices. Insecure Internet of Things (IoT) devices can create new entry points for cyberattacks and expand organizational risk. To mitigate these risks, treat IoT vendors like any other high-risk third party—requiring transparency, secure update practices, and clear accountability throughout the device lifecycle. Enforce strong security standards, including verified software bills of materials (SBOMs), tamper-proof logging, and tightly controlled vendor access.  

Cultivating the right bank-fintech partnership. Bank-fintech partnerships offer powerful opportunities for growth, innovation, and expanded market access, but success hinges on three key factors: selecting the right partner, respecting regulatory requirements, and ensuring smooth technical integration. Conduct thorough due diligence, align culturally, and establish clear performance and compliance expectations. Strong governance, transparent data practices, and proactive third-party risk management are essential. When executed well, these partnerships combine fintech innovation with banks’ scale and regulatory expertise to deliver better services, resilience, and customer-centric solutions. 

Why third-party risk is critical for SMBs to manage. Third-party risk is emerging as a major cybersecurity vulnerability for small and midsize businesses (SMBs), as vendors and service providers increasingly handle sensitive data and have network access. Outsourced IT, cloud apps, payroll, and other services can become gateways for attackers. Modern tools and standardized workflows make TPRM practical for SMBs, helping them identify gaps, prioritize risks, and maintain compliance, while also positioning service providers as strategic advisors and trusted partners in managing vendor-related cybersecurity threats. 

