Vendor cybersecurity due diligence
Vendor cybersecurity due diligence in Trade and Geopolitical Risk is no longer a back-office checklist item: the U.S. Department of the Treasury's Office of Foreign Assets Control and the Bureau of Industry and Security have both issued guidance tying third-party technology relationships directly to sanctions exposure and export control liability. The European Union Agency for Cybersecurity published its updated ICT supply chain risk framework under the NIS2 Directive in late 2023, and compliance teams in cross-border trade are now mapping vendor contracts against those disclosure and incident-reporting requirements before renewals.
Watch
- BIS Entity List additions affecting cloud and software vendors used in trade operations
- NIS2 Directive ICT supply chain provisions: incident reporting deadlines for third-party breaches
- OFAC guidance on technology vendor nexus to sanctioned jurisdiction exposure
- Whether U.S. agencies coordinate a unified vendor vetting standard across trade and cyber mandates
Recent material activity in Trade & Geopolitical Risk
- OFAC designates 14 entities linked to Russian defense procurement network
  The Treasury Department's Office of Foreign Assets Control added 14 entities and 6 individuals to the Specially Designated Nationals list for their roles in procuring critical technology components for Russia's defense i…
- BIS adds 22 Chinese semiconductor entities to Entity List for advanced chip diversion
  The Bureau of Industry and Security expanded export controls targeting Chinese semiconductor entities found to be diverting advanced computing chips through third-country intermediaries. New license requirements affect i…