TL;DR

Australian SMBs are in the blast radius of supply chain attacks that, in 2025–2026 alone, compromised packages with billions of weekly downloads. This 15-question vendor risk assessment template, aligned to the ASD/ACSC Information Security Manual (ISM), gives you a Red/Amber/Green scoring framework you can send to any SaaS or outsourced IT vendor before you sign a contract. No cybersecurity expertise required.

Why Vendor Risk Assessment Matters Now

Between September 2025 and April 2026, supply chain attacks hit unprecedented scale. The Axios npm compromise in March 2026 pushed a remote access trojan through a library with over 100 million weekly downloads [1]. The Chalk/Debug campaign compromised 27+ packages with a combined 2.6 billion weekly downloads, using stolen maintainer credentials to inject a crypto wallet drainer [2]. The TeamPCP campaign moved across npm, PyPI, and Docker Hub simultaneously, weaponising trusted tools like Trivy and Checkmarx KICS to steal credentials from CI/CD pipelines [3].

For Australian SMBs, the lesson is blunt: your security is only as strong as your weakest vendor. The ACSC's guidance, from the Essential Eight through to the ISM's cyber supply chain risk management guidelines, makes clear that third-party risk management is not optional; it is a core security control [4].

The 15-Question Vendor Risk Assessment

Send this questionnaire to any vendor before contract signature. Score each answer using the Red/Amber/Green framework below.

ISM Principle: Controls 0403, 0404, and 0405 require organisations to identify and manage risks from external service providers, including assessing their security posture and ensuring contractual security obligations are defined.

Section A: Security Certification and Governance

1. Do you hold a current ISO 27001 certification?

  • GREEN: Certified, certificate available on request, scope covers the services we would use
  • AMBER: Certification in progress or covers only part of the relevant scope
  • RED: No certification and no plans to obtain one

2. Do you have a current SOC 2 Type II report?

  • GREEN: Type II report issued by an independent auditor, covering a review period that ended within the last 12 months
  • AMBER: Type I only, or Type II older than 12 months
  • RED: No SOC 2 report available

3. Can you provide a complete list of sub-processors who access our data?

  • GREEN: Full sub-processor list published and maintained, advance notice given before changes
  • AMBER: List available on request but not proactively updated
  • RED: Cannot or will not disclose sub-processors

ISM Principle: Control 0405 — organisations must understand where their data flows, including through third-party and fourth-party processors.

Section B: Data Protection and Residency

4. Where will our data be stored and processed? Can you guarantee Australian or at least APAC-region data residency?

  • GREEN: Data stored in Australia or APAC with contractual guarantee and no transfers outside region without written consent
  • AMBER: Data stored in APAC but may be replicated to other regions for redundancy
  • RED: Data may be stored or processed anywhere globally with no regional guarantee

5. What encryption do you apply to data in transit and at rest?

  • GREEN: TLS 1.2+ in transit, AES-256 (or equivalent) at rest, encryption keys managed separately from data
  • AMBER: Encryption used but specifics not documented, or older TLS versions accepted
  • RED: No clear encryption policy or unencrypted storage acknowledged

6. What is your data retention and deletion policy when a customer offboards?

  • GREEN: Documented deletion within 30 days of contract termination, certified deletion available
  • AMBER: Deletion within 90 days, but no certification offered
  • RED: No documented retention or deletion policy

ISM Principle: Controls 0401, 0402 — data must be protected at rest and in transit using ASD Approved Cryptographic Algorithms and Protocols (AES is an approved algorithm, TLS 1.2 and above an approved protocol), which is why Question 5 asks for those specifically rather than for "encryption" in general.

Section C: Access Control

7. Do you enforce multi-factor authentication (MFA) for all administrative and privileged access to customer environments?

  • GREEN: MFA enforced for all privileged access, phishing-resistant MFA (FIDO2/hardware keys) available
  • AMBER: MFA enforced for admin access but not all privileged roles, or SMS-based MFA accepted
  • RED: MFA not enforced or only optional

8. Do you support role-based access control (RBAC) and can we define custom permission levels?

  • GREEN: Granular RBAC with custom roles, principle of least privilege enforced by default
  • AMBER: Basic RBAC with predefined roles only
  • RED: All-or-nothing access, no role differentiation

9. Can you provide audit logs of access to our data, and can we integrate those logs into our own SIEM or monitoring?

  • GREEN: Comprehensive audit logs with API-based export, tamper-evident logging
  • AMBER: Basic audit logs available in the platform UI but no export API
  • RED: No audit logging or logs not available to customers

ISM Principle: Controls 0641, 0642 — MFA is required for all privileged access and all remote access. Multi-factor authentication is also one of the eight Essential Eight mitigation strategies, so a vendor that cannot enforce it for its own administrators is below the baseline the ACSC expects of you.

Section D: Incident Response and Continuity

10. What is your breach notification SLA? Will you notify us within 72 hours of discovering a breach affecting our data?

  • GREEN: Contractual commitment to notify within 72 hours (or less), 24/7 incident response team
  • AMBER: Notification within 72 hours but not contractually guaranteed, or notification within 7 business days
  • RED: No defined breach notification SLA or refusal to commit in writing

11. What is your incident response capability? Can you describe your process and provide evidence of regular testing?

  • GREEN: Documented IR plan, dedicated team, tabletop exercises conducted at least annually, post-incident reviews shared
  • AMBER: IR plan exists but testing is irregular or not documented
  • RED: No formal incident response plan

12. Do you have a documented business continuity and disaster recovery plan? What is your Recovery Time Objective (RTO)?

  • GREEN: Documented BCP/DRP with RTO under 4 hours, tested at least annually, results available
  • AMBER: BCP/DRP exists but RTO exceeds 24 hours or testing is irregular
  • RED: No documented business continuity plan

ISM Principle: Controls 0671–0674 — organisations must have and test incident response plans, and notify affected parties promptly. The 72-hour benchmark in Question 10 is borrowed from the GDPR; under the Privacy Act's Notifiable Data Breaches scheme the organisation that holds the personal information must assess a suspected eligible data breach within 30 days and notify the OAIC and affected individuals as soon as practicable. If the vendor does not notify, that obligation falls on you, so the vendor's notice has to reach you well inside that window.

Section E: Technical Security

13. How often do you conduct penetration testing, and can you share a summary of findings?

  • GREEN: Annual penetration testing by an independent third party, executive summary available to customers
  • AMBER: Penetration testing conducted but not annually, or only internal testing
  • RED: No penetration testing or refusal to discuss

14. Do you run a vulnerability management program with defined patching SLAs for critical, high, and medium vulnerabilities?

  • GREEN: Documented patching SLAs (critical: 48 hours, high: 2 weeks, medium: 30 days), evidence of compliance. These broadly match the Essential Eight patching timeframes: 48 hours where a working exploit exists, two weeks for internet-facing services, one month for everything else
  • AMBER: Patching occurs but no defined SLAs or SLAs exceed industry norms
  • RED: No formal vulnerability management program

15. How do you protect against supply chain compromise in your own dependencies and build pipeline?

  • GREEN: Dependency scanning, pinned versions, signed builds, SBOM available, CI/CD pipeline hardened
  • AMBER: Some dependency scanning but no signed builds or SBOM
  • RED: No supply chain security measures or awareness of the risk

ISM Principle: Controls 0406, 0407 — software and services must be assessed for supply chain risks, and integrity verification mechanisms must be in place.
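What "pinned versions" and "integrity verification" look like in practice, as an added example that is not part of the original template or of any vendor's tooling: the script below audits an npm package-lock.json (lockfileVersion 3) for unpinned dependency ranges, missing or weak (sha1) integrity hashes, and packages resolved from somewhere other than the expected registry, and it verifies a downloaded tarball against its lockfile integrity string the way npm does at install time. The lockfile, the tarball bytes, the allowed-registry list and the mirror hostname are all constructed for illustration; the package names chalk and debug appear only because the article mentions that campaign.

```python
"""Audit an npm lockfile for pinned, integrity-checked dependencies.

Added example for this article; it is not the article's own tooling.  The
lockfile, tarball bytes, allowed-host list and mirror hostname below are
constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import re
import sys
from urllib.parse import urlparse

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
ALLOWED_HOSTS = ("registry.npmjs.org",)  # assumption: builds pull from the public registry
STRONG_ALGOS = ("sha512", "sha256")      # sha1 SRI strings from old npm releases are not acceptable


def is_pinned(spec: str) -> bool:
    """True only for an exact version such as '5.3.0'.

    '^4.3.0', '~1.2.0', '>=1.0.0' and 'latest' all let the resolver pull a
    newer build, which is exactly how a hijacked maintainer release gets in.
    """
    return EXACT_VERSION.match(spec.strip()) is not None


def verify_tarball(tarball: bytes, integrity: str) -> bool:
    """Check tarball bytes against a lockfile SRI string ('sha512-<base64>').

    Same comparison npm makes on install; a sha1 string is rejected outright.
    """
    algo, _, b64 = integrity.partition("-")
    if algo not in STRONG_ALGOS:
        return False
    expected = base64.b64decode(b64)
    actual = hashlib.new(algo, tarball).digest()
    return hmac.compare_digest(actual, expected)


def audit_lockfile(lock: dict, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (package, issue) findings for a lockfileVersion 3 document."""
    findings = []
    packages = lock.get("packages", {})
    # The root entry ("") carries the declared ranges from package.json.
    for name, spec in packages.get("", {}).get("dependencies", {}).items():
        if not is_pinned(spec):
            findings.append((name, f"version range {spec!r} is not pinned"))
    for path, entry in packages.items():
        if path == "":
            continue
        integrity = entry.get("integrity") or ""
        algo = integrity.partition("-")[0]
        if not integrity:
            findings.append((path, "no integrity hash recorded"))
        elif algo not in STRONG_ALGOS:
            findings.append((path, f"weak integrity algorithm {algo}"))
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in allowed_hosts:
            findings.append((path, f"resolved from {host!r}, not an allowed registry"))
    return findings


# Constructed sample data: a fake tarball and a lockfile with typical lapses.
SAMPLE_TARBALL = b"constructed tarball bytes, not a real package\n"
SAMPLE_INTEGRITY = "sha512-" + base64.b64encode(hashlib.sha512(SAMPLE_TARBALL).digest()).decode()
SAMPLE_LOCK = {
    "name": "vendor-portal",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"chalk": "5.3.0", "debug": "^4.3.0", "left-pad": "latest"}},
        "node_modules/chalk": {
            "version": "5.3.0",
            "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz",
            "integrity": SAMPLE_INTEGRITY,
        },
        "node_modules/debug": {  # no integrity field at all
            "version": "4.3.7",
            "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz",
        },
        "node_modules/left-pad": {  # sha1 hash, pulled from an unexpected mirror
            "version": "1.3.0",
            "resolved": "https://mirror.example.net/left-pad-1.3.0.tgz",
            "integrity": "sha1-AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
        },
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for package, issue in audit_lockfile(lock):
        print(f"{package}: {issue}")
    print("sample tarball matches lockfile:", verify_tarball(SAMPLE_TARBALL, SAMPLE_INTEGRITY))
```

Run it against a real lockfile with the path as the first argument. A vendor that can show an empty findings list for its own build, alongside the SBOM and signed artefacts Question 15 asks about, has answered with evidence rather than assurance; a vendor whose lockfile is full of "^" ranges and sha1 hashes has not pinned anything, whatever the questionnaire says.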

How to Score and Decide

Add up the results. For a vendor you are trusting with sensitive data:

  • All GREEN, or GREEN with one or two AMBER and no RED: Proceed with standard contractual protections
  • 3+ AMBER, or any RED in Section B (data protection) or Section D (incident response): Require a remediation plan before signing. A single RED in any other section also needs a written remediation commitment before you proceed; one RED is never "mostly GREEN"
  • 2+ RED within any one section: Do not proceed. Find an alternative vendor

Document every assessment. The ACSC expects evidence of due diligence, not just good intentions.
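The decision rules above as runnable code, added here as an example and not part of the original template: the scorer encodes the section layout of the questionnaire (questions 1 to 3 in Section A through 13 to 15 in Section E), the three outcomes, and the FAQ rule that an unanswered or unrecognised response counts as RED. The sample responses are constructed.

```python
"""Score a completed questionnaire with the article's Red/Amber/Green rules.

Added example; it is not part of the original template.  The section
membership follows the article's layout (questions 1-3 = A, 4-6 = B,
7-9 = C, 10-12 = D, 13-15 = E) and the sample responses are constructed.
"""
from collections import Counter

SECTIONS = {
    "A": (1, 2, 3),       # certification and governance
    "B": (4, 5, 6),       # data protection and residency
    "C": (7, 8, 9),       # access control
    "D": (10, 11, 12),    # incident response and continuity
    "E": (13, 14, 15),    # technical security
}
QUESTION_SECTION = {q: s for s, qs in SECTIONS.items() for q in qs}
RATINGS = ("GREEN", "AMBER", "RED")

PROCEED = "proceed with standard contractual protections"
REMEDIATE = "require a remediation plan before signing"
REJECT = "do not proceed"


def normalise(answers):
    """Map every question 1-15 to a rating.

    Returns (ratings, defaulted): anything missing, blank or unrecognised is
    scored RED, as the FAQ says a refusal to answer should be, and its question
    number is listed in `defaulted` so the reviewer can see what was not answered.
    """
    ratings, defaulted = {}, []
    for q in range(1, 16):
        value = str(answers.get(q, "")).strip().upper()
        if value not in RATINGS:
            value = "RED"
            defaulted.append(q)
        ratings[q] = value
    return ratings, defaulted


def score(answers):
    """Apply the decision rules, most severe first, and return (decision, detail)."""
    ratings, defaulted = normalise(answers)
    totals = Counter(ratings.values())
    reds_by_section = Counter(QUESTION_SECTION[q] for q, r in ratings.items() if r == "RED")
    detail = {
        "totals": dict(totals),
        "reds_by_section": dict(reds_by_section),
        "defaulted_to_red": defaulted,
    }
    # Two or more RED inside any one section: walk away.
    if any(n >= 2 for n in reds_by_section.values()):
        return REJECT, detail
    # Any RED in B or D, or 3+ AMBER, needs a remediation plan.  Because the
    # PROCEED rule only admits GREEN plus at most two AMBER, a single RED in
    # any other section lands here as well rather than in PROCEED.
    if totals["RED"] or totals["AMBER"] >= 3:
        return REMEDIATE, detail
    return PROCEED, detail


# Constructed sample responses.
SAMPLE_GOOD = {q: "GREEN" for q in range(1, 16)}
SAMPLE_GOOD[2] = "AMBER"      # SOC 2 Type I only
SAMPLE_GOOD[6] = "amber"      # deletion within 90 days; case is normalised

SAMPLE_WEAK = dict(SAMPLE_GOOD)
SAMPLE_WEAK[13] = "RED"       # no penetration testing
SAMPLE_WEAK[15] = "RED"       # no supply chain controls: two RED in Section E

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        decision, detail = score(sample)
        print(f"{label}: {decision} {detail}")
```

Keep the returned detail alongside the decision in the vendor file: the per-section RED count and the list of questions that defaulted to RED are the evidence of due diligence this section asks you to document.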

FAQ

Is this checklist enough on its own, or do we need a formal third-party risk policy?

This checklist is a starting point. For organisations subject to the Privacy Act 1988 (including the Notifiable Data Breaches scheme) or handling sensitive data, a formal third-party risk management policy aligned to the ISM is recommended. Use this checklist as the screening tool; build the policy around it.

What if a vendor refuses to answer some questions?

A refusal to answer is a RED by default. Vendors handling Australian data should be transparent about their security posture. If a vendor cannot answer basic questions about encryption, MFA, or breach notification, that tells you everything you need to know.

Do we need to reassess existing vendors?

Yes. Vendor risk is not a one-time exercise. Reassess critical vendors annually and whenever there is a material change — a merger, a data centre migration, a public breach, or a significant change in the services they provide to you.

How does this align with the ACSC Essential Eight?

Questions 7 (MFA), 8 (least privilege, which maps to restricting administrative privileges), 12 (backups and recovery) and 14 (patching) map directly to Essential Eight mitigation strategies. Encryption (Question 5) is an ISM requirement rather than an Essential Eight strategy. The broader checklist aligns to the ISM's supply chain and outsourcing sections. Both frameworks expect organisations to extend their security requirements to third parties.

Conclusion

Supply chain attacks in 2025–2026 proved that trusting a vendor without verification is a security decision in itself. The Axios compromise, the Chalk/Debug drainer, and the TeamPCP campaign all exploited the same gap: organisations that assumed their vendors were secure without checking. Australian SMBs cannot afford that assumption.

Send these 15 questions before you sign. Score honestly. Walk away from vendors that will not or cannot answer. Your customers, your reputation, and your compliance obligations depend on it.

Visit consult.lil.business for a free cybersecurity assessment and hands-on help building a vendor risk management program tailored to your business.

References

  1. Software Supply Chain Attacks 2025–2026: Axios, Shai-Hulud, Chalk/Debug, TeamPCP — Cyber Army Security Research
  2. No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours — GitGuardian Blog
  3. The npm Threat Landscape: Attack Surface and Mitigations — Palo Alto Unit 42
  4. ASD/ACSC Information Security Manual (ISM) — Australian Signals Directorate

TL;DR

  • A company called Marquis Software Solutions helps over 700 banks with marketing and data — and hackers broke into Marquis, not the banks themselves. But because Marquis had bank customer data, over 800,000 people got their personal info exposed [1][3].
  • The hackers got in through a known security flaw in a firewall product that had a fix available — like leaving a broken lock on the front door even though a new lock was ready to install [6].
  • It took four months for anyone to tell the affected people what happened [1].
  • The fix-up work Marquis did afterward — installing monitoring tools, changing passwords, rebuilding systems — is stuff that should've been there from the start [1][8].

What Happened? Think of It Like a Neighborhood

Imagine your bank is a house with good locks and cameras. But you hire a lawn-mowing company and give them a spare key to the backyard shed — the one with important paperwork inside.

Marquis Software Solutions is that lawn-mowing company. This Plano, Texas firm helps over 700 banks with advertising and data work. Banks gave Marquis access to customer names, Social Security numbers, addresses, birthdates, and bank account details [1].

On August 14, 2025, hackers didn't break into any bank. They broke into Marquis — the company with spare keys to 700+ sheds. One break-in, 80+ banks affected, over 800,000 people exposed [1][3].

How Did the Hackers Get In?

Marquis used a firewall (like a front gate) made by SonicWall. That gate had a known broken latch: the flaw, tracked as CVE-2024-40766, is rated 9.3 out of 10 for severity, and a fix had been available [6]. But Marquis never installed it. Hackers, possibly a group called Akira, walked right through [4][7].

SonicWall products have appeared on the government's "known broken locks" list 14 times. Eight of those were used in ransomware attacks, where hackers lock your files and demand money [4].

Why Did It Take So Long to Tell People?

The break-in was in August 2025. People weren't told until December, four months later [1][3]. That's four months of stolen Social Security numbers floating around while victims had no idea. IBM's 2025 research already puts the average time to identify and contain a breach at 241 days, and a vendor that stays silent after the fact stretches the exposure even further [8].

What Should You Do?

  1. Check the mail for breach notification letters from your bank.
  2. Freeze credit reports at Equifax, Experian, and TransUnion — it's free and stops anyone from opening fake accounts in your name.
  3. Watch bank statements for transactions that don't belong.
  4. Use strong, unique passwords — a password manager helps.
  5. Turn on two-factor authentication — that extra code when you log in adds a second lock to the door.

FAQ

What is a third-party data breach?

A third-party data breach is when hackers don't attack your company directly — they attack a company your company works with. In this case, hackers attacked Marquis Software Solutions, which had access to bank customer data. The banks themselves weren't hacked, but their customers' data was still stolen because it was stored at Marquis [1].

What data was stolen?

The stolen data includes people's full names, Social Security numbers, home addresses, phone numbers, dates of birth, and bank account information. This is enough for criminals to try to steal someone's identity or open fake accounts [1][3].

How many people were affected?

The Maine Attorney General filing lists 672,075 people. Across all state filings, the number is over 823,000. The real total could be as high as 1.35 million people across 74 to 80+ banks and credit unions [1][3].

Was this a ransomware attack?

Yes — this appears to be a ransomware attack, where hackers lock up data and demand payment. Reports suggest Marquis may have paid the ransom, based on a filing by Community 1st Credit Union that was later deleted [1].

What should affected customers do?

Freeze your credit at Equifax, Experian, and TransUnion — it's free and it stops strangers from opening accounts in your name. Monitor your bank accounts for unfamiliar activity. Use unique passwords and turn on two-factor authentication wherever you can. These steps won't undo a breach, but they make stolen data much harder to use against you [8].


Whether you run a small business or manage IT for a larger organization, understanding who has access to your data — and how they protect it — is one of the most important things you can do.


References

[1] H. Kanapi, "US Banks Hit by Massive Third-Party Data Breach," The Daily Hodl, Mar. 21, 2026. [Online]. Available: https://dailyhodl.com/2026/03/21/us-banks-hit-by-massive-third-party-data-breach-sensitive-information-of-672075-people-potentially-exposed/

[3] Maine Attorney General, "Data Breach Notifications," 2026. [Online]. Available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/data-breach-notifications.html

[4] CISA, "Known Exploited Vulnerabilities Catalog," 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[6] NIST, "NVD - CVE-2024-40766," 2024. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2024-40766

[7] Arctic Wolf Labs, "SonicWall VPN Credential Theft Analysis," 2025. [Online]. Available: https://arcticwolf.com/resources/blog/

[8] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
