The Clorox Breach Is a Wake-Up Call for Third-Party Cyber Risk Management (Webinar)


In late July, Clorox filed a $380 million lawsuit against Cognizant over a 2023 cyberattack allegedly enabled by a third-party helpdesk employee who granted unauthorized access to attackers impersonating internal users. The result? Disrupted operations, lost revenue, and a reputational hit that continues to unfold.

The cause, reportedly a breakdown in identity verification protocols, may sound like an isolated incident, but it’s emblematic of a larger truth: third-party cyber risk is business risk.

This exact theme was at the heart of a recent FAIR Institute webinar I had the privilege of moderating: “Reimagining Third-Party Cyber Risk Management: Quantifying Business Risk to Improve Prioritization and Treatment.” I was joined by two industry veterans who have led third-party risk programs at large, complex enterprises:

  • Greg Rasner, former SVP of Cybersecurity Third Party Risk at Truist and author of Cybersecurity and Third-Party Risk, shared hard-earned lessons on executive governance and risk oversight.
  • Vincent Scales, Lead Director of Third Party Security at CVS Health, brought practical insight into managing third-party risk across large-scale ecosystems in highly regulated sectors.

While our conversation didn’t reference Clorox specifically (I don’t think the news had broken yet), the strategies and concerns discussed could not be more relevant in light of the breach. Here are four key takeaways from that panel that point to how organizations must modernize their approach to third-party cyber risk management.

1. TPRM Must Scale With the Business, Without Losing Control

As enterprises grow more reliant on external vendors, partners, and platforms, third-party ecosystems are expanding rapidly. Imagine the numerous vendors, partners, and other third parties with whom Clorox must conduct business on a daily basis. Yet most TPRM programs still rely on manual assessments, static tools, and fixed review cycles, none of which scale effectively.

Our webinar discussion emphasized that volume alone isn’t the problem; misalignment is. Many TPRM teams try to cover all vendors equally instead of prioritizing based on risk exposure. Without automation, standardized risk-tiering, and continuous reassessment, it’s impossible to keep pace with the demands of the business.

Unlike many technology domains where AI remains hype, third-party risk management tools in use today regularly use AI to improve scale, consistency, and accuracy. As Greg Rasner said in our discussion, analysts should rarely read a bare SOC 2 report or vendor contract; AI should be used to assess them, providing analysts with focus areas to investigate further.

The key is to scale strategically, focusing resources on the vendors that can materially impact operations or data, and doing so with support from automation and workflow orchestration, not just headcount.

2. Risk, Not Compliance, Should Drive the Program

One of the most consistent themes from the panel was the danger of equating compliance activity with risk management. Just because a vendor has filled out a questionnaire or submitted documentation doesn’t mean they can effectively protect your data, services, or customers.

The distinction is critical: compliance is about meeting requirements; risk is about reducing loss.

The panelists advocated for using models like FAIR to move beyond checklist thinking and assess vendor risk in terms of business impact, including the likelihood and magnitude of potential loss. This approach enables security teams to make better decisions about which vendors to escalate, which controls to test, and how to communicate risk to stakeholders in meaningful, measurable terms.

3. One-Time Assessments Fall Short in a Dynamic Environment

Another issue that surfaced during the panel was the continued reliance on point-in-time reviews, such as onboarding assessments or annual surveys. While these might satisfy procedural requirements, they often miss changes in vendor posture, operations, or threat exposure that occur in between reviews.

The panel made the case for shifting toward continuous monitoring and risk detection, supported by automation, inside-out scanning, and external threat intelligence. TPRM programs should view vendor relationships as dynamic, evolving risk surfaces, rather than static partnerships.

This continuous view is essential for timely intervention and early detection of risks that could otherwise escalate into major incidents.

4. TPRM Needs to Be Embedded Across the Business

A final insight from the webinar was that even the most well-designed TPRM frameworks will underperform if they’re isolated from the broader enterprise. Many programs operate in silos, with limited engagement from procurement, legal, IT, or senior leadership.

The panel emphasized the importance of embedding cyber risk management into vendor selection, contract negotiation, performance management, and enterprise risk governance. When done this way, TPRM becomes a business enabler, guiding secure innovation and protecting growth, not just checking security boxes.

Here again is where FAIR can help. By putting cyber risk into the context of the business, with careful consideration of both the probability of a loss event and its likely magnitude, FAIR-based assessments and quantification give business owners a better perspective on the third-party cyber risks they face.
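The FAIR-based quantification that sections 2 and 4 describe comes down to combining a frequency estimate with a magnitude estimate and reporting the result as a loss distribution rather than a checklist score. The following is an added example of that idea in working code, written for this recap; it is not tooling from the FAIR Institute, the webinar, or any of the organizations mentioned. The vendor names and every three-point estimate are constructed for illustration, and the model is deliberately simplified: Loss Event Frequency (LEF) and Loss Magnitude (LM) are each drawn from a triangular distribution fitted to a calibrated minimum, most likely, and maximum, the number of loss events in a year is Poisson given that year's frequency, and the per-vendor Annualized Loss Exposure (ALE) is summarised by its mean and percentiles so vendors can be tiered by exposure, as section 1 argues they should be.

```python
"""FAIR-style Monte Carlo quantification of third-party cyber risk.

Added example, not code from the FAIR Institute or the webinar. Vendor names
and every three-point estimate below are constructed for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class Vendor:
    name: str
    lef: Estimate  # Loss Event Frequency: loss events per year
    lm: Estimate   # Loss Magnitude: dollars lost per event


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's method; fine for small rates)."""
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_ale(vendor: Vendor, trials: int = 20_000, seed: int = 7) -> dict:
    """Annualized Loss Exposure: simulate `trials` independent years for one vendor."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        rate = vendor.lef.sample(rng)          # this year's loss event frequency
        events = _poisson(rng, rate)           # how many loss events actually occur
        annual.append(sum(vendor.lm.sample(rng) for _ in range(events)))
    annual.sort()

    def pct(p: float) -> float:
        return annual[min(trials - 1, int(p * trials))]

    return {
        "vendor": vendor.name,
        "mean": statistics.fmean(annual),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
    }


def analytic_mean(vendor: Vendor) -> float:
    """Closed-form sanity check: for this model E[ALE] = E[LEF] * E[LM]."""
    return vendor.lef.mean() * vendor.lm.mean()


def rank_vendors(vendors, trials: int = 20_000, seed: int = 7) -> list:
    """Tier vendors by expected annual loss, highest exposure first."""
    results = [simulate_ale(v, trials, seed) for v in vendors]
    return sorted(results, key=lambda r: r["mean"], reverse=True)


# Constructed portfolio: the estimates are illustrative, not real data.
VENDORS = [
    Vendor("Outsourced IT helpdesk (can reset staff credentials)",
           lef=Estimate(0.2, 0.5, 2.0),
           lm=Estimate(1_000_000, 5_000_000, 50_000_000)),
    Vendor("Marketing analytics SaaS (holds customer PII)",
           lef=Estimate(0.05, 0.2, 0.5),
           lm=Estimate(200_000, 1_000_000, 8_000_000)),
    Vendor("Office supplies vendor (no data or system access)",
           lef=Estimate(0.01, 0.03, 0.1),
           lm=Estimate(5_000, 20_000, 100_000)),
]

if __name__ == "__main__":
    for r in rank_vendors(VENDORS):
        print(f"{r['vendor']:<55} mean ${r['mean']:>14,.0f}  "
              f"p50 ${r['p50']:>12,.0f}  p90 ${r['p90']:>14,.0f}")
```

The output is a ranked table with a p50 and p90 beside each mean, which is what lets a program say "this vendor is a tier-one relationship because a bad year costs us tens of millions" instead of "this vendor returned a complete questionnaire". The median for a vendor with a low event frequency can be zero even when its mean is large, so tiering on percentiles rather than the mean alone avoids under-weighting rare, high-impact relationships such as a helpdesk provider with credential-reset rights. In practice the three-point estimates come from calibrated workshops with the business and control owners; the code only makes the consequences of those estimates explicit.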

This level of integration allows organizations to align expectations across stakeholders and hold vendors accountable, not just for contract terms, but for real-world performance and resilience.

The Broader Lesson: Now Is the Time to Modernize TPRM

The Clorox–Cognizant breach has put third-party cyber risk back on the front page, and with good reason. But it shouldn’t take a public lawsuit or operational disruption to realize that current approaches to TPRM are overdue for transformation.

The insights shared in our webinar reinforced what many in the risk community already know, and what many more are now being forced to confront:

  • You can’t scale TPRM manually.
  • You can’t equate documentation with protection.
  • You can’t manage dynamic risk with static tools.
  • And you can’t succeed in silos.

A modern TPRM program must be scalable, risk-based, continuous, and integrated. Building one is fast becoming a business necessity.

Watch the webinar now: Reimagining Third-Party Cyber Risk Management: Quantifying Business Risk to Improve Prioritization and Treatment.

We’ll be diving deeper into third-party cyber risk management at this year’s annual global FAIR Conference in New York on November 4-5, 2025. Learn more and register for FAIRCON25 here.