TL;DR
Your business relies on SaaS tools and outsourced IT — but every vendor you onboard is a potential supply chain attack vector. 2026 has already seen Axios (100M+ weekly downloads), LiteLLM, and TeamPCP campaigns expose thousands of organisations through compromised third-party software. This ACSC-aligned 15-question vendor risk assessment template gives Australian SMBs a practical Red/Amber/Green scoring framework grounded in ASD/ACSC Information Security Manual (ISM) principles — send it to any vendor before signing, and you'll know exactly where their security posture stands.
Why Vendor Risk Assessment Is No Longer Optional
In March 2026, attackers compromised Axios — a JavaScript HTTP library with over 100 million weekly downloads — and published versions containing a cross-platform remote access trojan. Weeks later, the TeamPCP campaign cascaded through npm, PyPI, Docker Hub, and GitHub Actions, harvesting credentials at each stage to fund the next compromise. The common thread? Every victim trusted a vendor. Every breach started with a third party.
For Australian SMBs, the regulatory reality is equally stark. The ASD/ACSC Essential Eight Maturity Level Two explicitly requires third-party risk management. The ISM's Guidelines for Outsourcing (ISM control ISM-1788) mandates that organisations assess the security posture of external providers befo
The solution is not expensive third-party risk platforms. It's a structured assessment you can send today.
The 15-Question ACSC-Aligned Vendor Assessment
Send this questionnaire to any SaaS provider, outsourced IT vendor, or cloud platform before contract signature. Each question maps to an ISM control or Essential Eight principle. Score Red (fail), Amber (partial compliance), or Green (fully compliant).
Section A: Governance & Certification
1. Do you hold a current ISO 27001 certification?
ISM-1788 alignment: Outsourced service provider security posture.
Green: Current certificate covering the services we'll consume.
Amber: Certification in progress with target date within 6 months.
Red: No certification, no plan.
2. Can you provide a SOC 2 Type II report dated within the last 12 months?
Relevant for vendors handling your data. A SOC 2 report demonstrates tested operational controls — not just a point-in-time snapshot.
Green: Report provided, clean opinion.
Amber: SOC 2 Type I only (design, not tested).
Red: No SOC report available.
3. Do you maintain a published sub-processor list with notification obligations?
TeamPCP exploited downstream dependencies. If a vendor cannot tell you who their vendors are, you cannot assess your actual supply chain risk.
Green: Public sub-processor list with 30-day change notification.
Amber: List available on request only.
Red: No sub-processor tracking.
Section B: Data Protection
4. Is all Australian customer data stored and processed exclusively within Australia?
ISM-0071: Data sovereignty and geographic location requirements.
Green: All data at rest and in transit stays in Australian data centres.
Amber: Data in Australia; support may access from offshore.
Red: Data stored offshore with no Australian option.
5. Is encryption (AES-256 or equivalent) enforced for all data at rest?
ISM-1167: Cryptographic systems for data at rest.
Green: AES-256, keys managed in HSM or cloud KMS.
Amber: Encryption enabled but customer-managed keys not supported.
Red: No encryption at rest.
6. Is TLS 1.2 or higher enforced for all data in transit?
ISM-1139: Encryption for data in transit.
Green: TLS 1.3 minimum, HSTS preloaded, certificate pinning.
Amber: TLS 1.2 supported but 1.3 optional.
Red: Older protocols accepted.
Section C: Access & Authentication
7. Is multi-factor authentication (MFA) enforced for all user accounts — including administrative, API, and service accounts?
Essential Eight Maturity Level Two: MFA for all privileged access. The LiteLLM compromise in March 2026 was enabled by a CI/CD credential without MFA protecting millions of daily downloads.
Green: Phishing-resistant MFA enforced universally.
Amber: MFA for user accounts but not service/API accounts.
Red: MFA optional or absent.
8. Do you support SAML, OIDC, or SCIM for customer-managed identity and access?
ISM-1401: Centralised identity management for external services.
Green: SAML/OIDC with SCIM provisioning supported.
Amber: SAML only, no automated provisioning.
Red: Vendor-managed credentials only.
9. Do you enforce least-privilege access with quarterly access reviews?
ISM-0445: Principle of least privilege.
Green: Documented RBAC with automated quarterly reviews.
Amber: Manual annual reviews.
Red: No formal access review process.
Section D: Security Operations
10. Do you conduct independent penetration testing at least annually?
ISM-1345: Vulnerability assessment and penetration testing.
Green: Annual independent pentest covering our use case.
Amber: Internal testing only, or results older than 12 months.
Red: No penetration testing program.
11. What is your contractual breach notification SLA?
Notifiable Data Breaches scheme requires notification to the OAIC within 30 days. Your vendor's SLA must enable you to meet this.
Green: 24-hour notification of confirmed breach.
Amber: 72-hour notification.
Red: No defined SLA or exceeds 7 days.
12. Do you maintain a documented and tested incident response plan?
ISM-0145: Cyber security incident response plan.
Green: Documented plan, tabletop-tested within 6 months.
Amber: Plan exists, not tested or tested > 12 months ago.
Red: No documented IR plan.
13. Do you have a business continuity plan with a recovery time objective (RTO) under 24 hours?
ISM-1619: Business continuity and disaster recovery.
Green: Documented BCP, RTO < 4 hours, tested annually.
Amber: BCP exists, RTO 24–72 hours.
Red: No BCP or RTO.
14. What is your software patching cadence for critical vulnerabilities?
Essential Eight: Patch operating systems within 48 hours, applications within 2 weeks.
Green: Critical CVEs patched within 48 hours.
Amber: Critical patches within 7 days.
Red: Best-effort, no SLA.
15. Do you maintain cyber insurance covering third-party liability and data breach response?
Provides financial assurance if the vendor's breach becomes your problem.
Green: Policy with AUD 5M+ coverage, third-party liability included.
Amber: Insurance exists, coverage or jurisdiction unclear.
Red: No cyber insurance.
How to Score and Act on Results
Add up your Reds, Ambers, and Greens. Maximum score: 15 Green. Apply this decision framework:
- 13–15 Green, 0 Red: Proceed. Strong security posture aligned with ISM expectations.
- 10–12 Green, ≤ 2 Red: Proceed with conditions. Require a remediation plan with dates before contract signature.
- 7–9 Green, 3–5 Red: Escalate. Involve your security advisor. Demand contractual security schedules.
- < 7 Green or > 5 Red: Reject. The risk exceeds what an SMB can absorb.
Always verify — don't accept answers at face value. Request evidence for any Green claim: the SOC 2 report, the pentest summary, the certificate. TeamPCP exploited the fact that nobody checks.
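The decision bands above, plus the "verify the Green claims" rule, as an added example that is not part of the original article: a scorer that takes the 15 Red/Amber/Green answers, demotes a Green on the evidence-dated questions (SOC 2 report, pentest, IR tabletop) to Amber when the supplied artefact is missing or older than the page's Green threshold, and returns the decision with the failing questions and their control references. The sample vendor answers and dates are constructed, the "missing evidence counts as Amber" rule and the handling of combinations the bands do not cover (treated as Escalate) are this example's assumptions, and the control references follow the page, with "unmapped" where it lists none.

```python
from datetime import date, timedelta
# Question number -> (short label, control reference the page gives; "unmapped" where it gives none).
QUESTIONS = {
    1: ("ISO 27001", "ISM-1788"), 2: ("SOC 2 Type II", "unmapped"),
    3: ("Sub-processor list", "unmapped"), 4: ("AU data residency", "ISM-0071"),
    5: ("Encryption at rest", "ISM-1167"), 6: ("TLS in transit", "ISM-1139"),
    7: ("MFA everywhere", "Essential Eight ML2"), 8: ("SAML/OIDC/SCIM", "ISM-1401"),
    9: ("Least privilege", "ISM-0445"), 10: ("Annual pentest", "ISM-1345"),
    11: ("Breach SLA", "OAIC NDB"), 12: ("Tested IR plan", "ISM-0145"),
    13: ("BCP/RTO", "ISM-1619"), 14: ("Patch cadence", "Essential Eight"),
    15: ("Cyber insurance", "unmapped"),
}
# Green claims that rest on dated evidence, and the maximum age in days before the claim is
# demoted: SOC 2 report and pentest 12 months, IR tabletop 6 months (the page's Green criteria).
EVIDENCE_MAX_AGE = {2: 365, 10: 365, 12: 183}

def decide(green: int, red: int) -> str:
    """The page's four decision bands, tried from most to least favourable."""
    if green >= 13 and red == 0:
        return "Proceed"
    if 10 <= green <= 12 and red <= 2:
        return "Proceed with conditions"
    if 7 <= green <= 9 and 3 <= red <= 5:
        return "Escalate"
    if green < 7 or red > 5:
        return "Reject"
    return "Escalate"  # assumption: combinations the bands omit (e.g. 9 Green / 2 Red) escalate

def score(answers: dict, evidence: dict, as_at: date) -> dict:
    """answers: question 1..15 -> 'R'/'A'/'G'; evidence: question -> date of the artefact supplied."""
    if set(answers) != set(QUESTIONS) or not set(answers.values()) <= {"R", "A", "G"}:
        raise ValueError("need exactly questions 1-15, each answered R, A or G")
    graded, downgraded = dict(answers), []
    for q, max_age in EVIDENCE_MAX_AGE.items():
        seen = evidence.get(q)
        # Assumption: a Green claim with no evidence, or evidence past its limit, is scored Amber.
        if graded[q] == "G" and (seen is None or as_at - seen > timedelta(days=max_age)):
            graded[q] = "A"
            downgraded.append(q)
    counts = {c: sum(a == c for a in graded.values()) for c in "GAR"}
    reds = [f"Q{q} {QUESTIONS[q][0]} ({QUESTIONS[q][1]})" for q in sorted(graded) if graded[q] == "R"]
    return {"green": counts["G"], "amber": counts["A"], "red": counts["R"],
            "decision": decide(counts["G"], counts["R"]), "red_items": reds, "downgraded": downgraded}
# Constructed sample: Green everywhere except no sub-processor list (Q3), MFA gaps (Q7), manual
# access reviews (Q9) and a 72-hour breach SLA (Q11); the SOC 2 report supplied is 14 months old.
SAMPLE_ANSWERS = {q: "G" for q in QUESTIONS}
SAMPLE_ANSWERS.update({3: "R", 7: "R", 9: "A", 11: "A"})
SAMPLE_EVIDENCE = {2: date(2025, 1, 15), 12: date(2026, 1, 10)}  # no pentest evidence for Q10
AS_AT = date(2026, 3, 30)  # constructed assessment date
```

Run against the sample, the vendor's self-reported 11 Green / 2 Red ("Proceed with conditions") drops to 9 Green / 4 Amber / 2 Red once the stale SOC 2 report and the missing pentest are discounted, which is exactly the gap between a questionnaire answer and verified evidence.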
FAQ
Q: We're a 15-person business. Won't vendors ignore our questionnaire? A: You'd be surprised. The SaaS market is saturated — vendors compete for your business. If a vendor refuses a reasonable security assessment, that is itself a Red flag response. The ACSC explicitly states that security requirements should be proportionate to risk, not organisation size.
Q: How often should we re-assess existing vendors? A: Annually at minimum, and upon any contract renewal or significant service change. A vendor that scored Green in 2025 may have been acquired, changed sub-processors, or suffered an unreported breach by 2026. Schedule re-assessment into your annual compliance calendar.
Q: Does the Essential Eight cover vendor risk? A: Indirectly, yes. Maturity Level Two requires application control, patching, and MFA across all systems — including those managed by third parties. If your outsourced IT provider cannot demonstrate Essential Eight alignment, you cannot claim it yourself.
Q: What if our CRM vendor stores data in Sydney but support is in Manila? A: This is a common scenario and typically scores Amber on question 4. The key is transparency: you must know, and you must document the residual risk in your risk register. The ISM does not blanket-ban offshore access — it requires informed acceptance.
Conclusion
Your next SaaS contract could be the one that introduces a supply chain compromise into your business. The Axios RAT, LiteLLM credential harvester, and TeamPCP worm didn't target enterprises — they targeted everyone who installed the package. Australian SMBs are not too small to be caught in the blast radius; they are, in fact, the blast radius.
Download this questionnaire, send it to every vendor on your renewal list, and make it a gate before any new contract. Security is not about never being breached — it's about knowing what you're trusting and why.
Need help assessing your current vendors or building a full third-party risk management program? Visit consult.lil.business for a free 30-minute cybersecurity assessment.
References
- ASD/ACSC Information Security Manual (ISM) — Guidelines for Outsourcing
- ASD/ACSC Essential Eight Maturity Model
- GitHub Advisory Database — Axios npm RAT (GHSA-xxxx, March 2026)
- GitGuardian — No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours (April 2026)
- OAIC — Notifiable Data Breaches Scheme
TL;DR
- A company called Marquis Software Solutions helps over 700 banks with marketing and data — and hackers broke into Marquis, not the banks themselves. But because Marquis had bank customer data, over 800,000 people got their personal info exposed [1][3].
- The hackers got in through a known security flaw in a firewall product that had a fix available — like leaving a broken lock on the front door even though a new lock was ready to install [6].
- It took four months for anyone to tell the affected people what happened [1].
- The fix-up work Marquis did afterward — installing monitoring tools, changing passwords, rebuilding systems — is stuff that should've been there from the start [1][8].
What Happened? Think of It Like a Neighborhood
Imagine your bank is a house with good locks and cameras. But you hire a lawn-mowing company and give them a spare key to the backyard shed — the one with important paperwork inside.
Marquis Software Solutions is that lawn-mowing company. This Plano, Texas firm helps over 700 banks with advertising and data work. Banks gave Marquis access to customer names, Social Security numbers, addresses, birthdates, and bank account details [1].
On August 14, 2025, hackers didn't break into any bank. They broke into Marquis — the company with spare keys to 700+ sheds. One break-in, 80+ banks affected, over 800,000 people exposed [1][3].
How Did the Hackers Get In?
Marquis used a firewall (like a front gate) made by SonicWall. That gate had a known broken latch — security experts rated it 9.3 out of 10 for danger, and a fix was available [6]. But Marquis never installed it. Hackers — possibly a group called Akira — walked right through [4][7].
SonicWall products have appeared on the government's "known broken locks" list 14 times. Eight of those were used in ransomware attacks, where hackers lock your files and demand money [4].
Why Did It Take So Long to Tell People?
The break-in was in August 2025. People weren't told until December — four months later [1][3]. That's four months of stolen Social Security numbers floating around while victims had no idea. IBM's research shows breaches already take an average of 277 days to contain, and adding silence makes it worse [8].
What Should You Do?
- Check the mail for breach notification letters from your bank.
- Freeze credit reports at Equifax, Experian, and TransUnion — it's free and stops anyone from opening fake accounts in your name.
- Watch bank statements for transactions that don't belong.
- Use strong, unique passwords — a password manager helps.
- Turn on two-factor authentication — that extra code when you log in adds a second lock to the door.
FAQ
Q: What is a third-party data breach? A: A third-party data breach is when hackers don't attack your company directly — they attack a company your company works with. In this case, hackers attacked Marquis Software Solutions, which had access to bank customer data. The banks themselves weren't hacked, but their customers' data was still stolen because it was stored at Marquis [1].
Q: What data was stolen? A: The stolen data includes people's full names, Social Security numbers, home addresses, phone numbers, dates of birth, and bank account information. This is enough for criminals to try to steal someone's identity or open fake accounts [1][3].
Q: How many people were affected? A: The Maine Attorney General filing lists 672,075 people. Across all state filings, the number is over 823,000. The real total could be as high as 1.35 million people across 74 to 80+ banks and credit unions [1][3].
Q: Was this a ransomware attack? A: Yes — this appears to be a ransomware attack, where hackers lock up data and demand payment. Reports suggest Marquis may have paid the ransom, based on a filing by Community 1st Credit Union that was later deleted [1].
Q: What should I do to protect myself? A: Freeze your credit at Equifax, Experian, and TransUnion — it's free and it stops strangers from opening accounts in your name. Monitor your bank accounts for unfamiliar activity. Use unique passwords and turn on two-factor authentication wherever you can. These steps won't undo a breach, but they make stolen data much harder to use against you [8].
References
[1] H. Kanapi, "US Banks Hit by Massive Third-Party Data Breach," The Daily Hodl, Mar. 21, 2026. [Online]. Available: https://dailyhodl.com/2026/03/21/us-banks-hit-by-massive-third-party-data-breach-sensitive-information-of-672075-people-potentially-exposed/
[3] Maine Attorney General, "Data Breach Notifications," 2026. [Online]. Available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/data-breach-notifications.html
[4] CISA, "Known Exploited Vulnerabilities Catalog," 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[6] NIST, "NVD - CVE-2024-40766," 2024. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2024-40766
[7] Arctic Wolf Labs, "SonicWall VPN Credential Theft Analysis," 2025. [Online]. Available: https://arcticwolf.com/resources/blog/
[8] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach