For many years, cyber risk was viewed primarily as a technology concern. It sat within the remit of the Chief Information Security Officer, supported by IT teams, security tools and incident response plans. That view is no longer sufficient.
As organisations become more dependent on outsourced services, cloud platforms, logistics providers, contractors, technology vendors and specialist suppliers, cyber exposure is increasingly entering the business through the supply chain. A company’s resilience is no longer defined only by the strength of its own systems, but also by the strength of the suppliers and partners connected to those systems.
This shift has made cyber risk a procurement issue as much as a technology issue. Procurement teams are responsible for selecting, onboarding and managing the third parties that keep businesses running. In a more digitised and interconnected operating environment, those supplier relationships can also become pathways for disruption, data exposure and operational vulnerability.
Findings from the Achilles Sustainability Survey 2025 indicate that almost 4% of participating organisations cited cyber events or data breaches as a leading cause of business disruption. For procurement leaders, this creates a challenging operating reality. A supplier may be commercially attractive, operationally capable and compliant on paper, while still carrying cyber vulnerabilities that could disrupt production, expose sensitive data or affect business continuity. Traditional procurement processes were not designed to manage this level of digital interdependence.
Why procurement must now own part of the cyber risk conversation
Procurement teams are often the first to engage with suppliers and are among the best placed to influence how those suppliers are assessed, onboarded and monitored. They understand supplier criticality, contract value, operational dependency and the potential impact of disruption. These are essential inputs into cyber risk management.
This is why cyber due diligence cannot remain a one-time questionnaire completed during onboarding. It needs to become part of a broader supplier risk management framework that considers financial stability, ESG performance, modern slavery exposure, health and safety, operational controls and cyber posture together.
Risk rarely presents itself in neat categories. A financially stressed supplier may underinvest in security. A high-growth technology vendor may scale faster than its controls. A supplier operating in a high-risk geography may face both cyber and geopolitical exposure.
This is not a reason to avoid complex markets or global supplier networks. It is a reason to build better visibility into them.
From static checks to continuous intelligence
The next evolution of procurement-led cyber due diligence will be shaped by technology, data and continuous monitoring. Static assessments still have a role to play, but they offer only a snapshot in time.
Cyber risk changes quickly. Credentials can be leaked, vulnerabilities can be discovered, ownership structures can change, systems can remain unpatched and suppliers can introduce new subcontractors or technology platforms with limited visibility to the buyer.
Tech-driven vendor due diligence enables procurement and risk teams to move from periodic assurance to ongoing intelligence. This means looking beyond whether a supplier has a policy and asking more practical questions.
This is where supplier due diligence platforms are becoming increasingly important. They help organisations combine supplier-provided information with external risk signals, verification processes and structured risk intelligence. For procurement teams managing large and complex supplier bases, this provides a clearer view of exposure and supports faster, more informed decision-making.
At Achilles, for example, cyber information can be considered as part of wider supplier due diligence, helping organisations assess supplier risk in a more connected way. Rather than treating cyber as a separate compliance exercise, this approach enables procurement teams to view cyber exposure alongside operational, financial, ESG and compliance risks. The value lies not in adding another questionnaire, but in creating a more complete and usable picture of supplier resilience.
The role of procurement is changing
The procurement function of the future will not be judged only by cost savings, contract efficiency or supplier performance. It will increasingly be measured by its ability to protect continuity, strengthen resilience and provide decision-makers with confidence in the supplier ecosystem.
This requires a shift in how organisations define good procurement governance. Supplier selection cannot be based only on price, capability and delivery history. It must also include an assessment of whether the supplier can operate securely, responsibly and transparently in a connected risk environment.
There are three practical changes that organisations should consider.
- First, cyber risk should be embedded into supplier segmentation. Not every supplier needs the same level of review, but suppliers with access to systems, sensitive data, operational sites or critical services should be subject to deeper scrutiny.
- Second, due diligence should move beyond onboarding. Cyber posture should be monitored throughout the supplier relationship, especially for critical vendors and suppliers in high-risk sectors.
- Third, procurement, cyber security, legal, compliance and business teams need a shared view of supplier risk. Fragmented ownership leads to fragmented visibility. Supplier risk management platforms that provide a holistic, single source of truth help organisations act faster when risks emerge.
A forward-looking procurement agenda
Cyber risk will continue to evolve as supply chains become more digitised and AI adoption accelerates. The organisations that respond best will be those that treat cyber resilience as part of supplier resilience, not as a separate technical control.
For procurement leaders, this is an opportunity to play a more central role in enterprise risk management. By bringing cyber intelligence into vendor due diligence, procurement can help organisations make better supplier decisions, reduce hidden exposure and build supply chains that are not only efficient, but more resilient.
The future of supplier due diligence will be more data-led, more continuous and more connected. Cyber risk is now part of that future. Procurement teams that recognise this early will be better placed to protect value, maintain operational confidence and support growth in a world where risk increasingly travels through the supplier network.
Authored by Smitha Shetty – Director – Centralised Global Operations, Achilles Information Limited
