
Vulnerability with an IT subcontractor: Who pays the bill?

Jul 1, 2025

Galink webinar: vulnerability at a subcontractor

Cybersecurity Challenges for Vendors: A Legal and Practical Overview

Summary of our webinar with Marc-Antoine Ledieu

Cybersecurity has become a crucial issue for businesses, particularly because of the risks that contractors introduce. Forecasts suggest that by 2025, 45% of organizations will have been hit by an attack that came through a contractor. Recent examples include Coinbase and Adidas, both of which suffered breaches that originated with a third-party service provider rather than with their own systems.

The Risks of Contractors

Contractors are a significant attack vector. In France, legislation has evolved to regulate operators of vital importance (OIV), but their contractors often remain the weak link. Attackers frequently exploit weaknesses in the IT supply chain rather than attacking the target directly, as the SolarWinds case illustrated: a trojanized software update, distributed by a trusted vendor, reached thousands of that vendor's customers at once.

Real Cases of Cyberattacks

Two emblematic French cases show how much the contract determines what a victim can actually recover after an attack:

  1. Unavailable hosting provider: A provider hosting accounting data suffered a cyberattack that left the data inaccessible for a month. The contract's liability clause capped compensation at one month of free service, regardless of the actual losses the customer incurred.

  2. Negligent advice: An industrial company was poorly advised by its IT service provider, and that advice contributed to a cyberattack. The Court of Appeal recognized the provider's negligence, but the compensation awarded covered only a fraction of the actual damages.

Legal Protection

Contracts with contractors must include detailed appendices setting out each party's responsibilities and the security measures the contractor commits to. A completed security questionnaire can be attached to the contract as an annex, which turns the contractor's answers into binding contractual representations rather than informal assurances. Indemnification and liability-cap clauses must be clear and realistic: as the two cases above show, a cap set at a month of service fees leaves the customer bearing almost the entire cost of an incident.

Upcoming Regulations

New European regulations, notably NIS2 and the Cyber Resilience Act (CRA), impose stricter obligations on software and service providers. NIS2 extends security and incident-reporting duties to the entities in its scope, including ICT service providers, with fines that can reach EUR 10 million or 2% of worldwide annual turnover for essential entities. The CRA adds security requirements for products with digital elements throughout their lifecycle; sanctions for non-compliance include fines (up to EUR 15 million or 2.5% of turnover) and the withdrawal of non-compliant products from the market.

Conclusion

Managing the risks associated with contractors requires a proactive approach: well-drafted contracts with enforceable security annexes, and ongoing evaluation of suppliers rather than a one-off check at signature. Companies must also prepare for the new regulations now, both to secure their data and systems and to avoid the sanctions that non-compliance will bring.

For more information, consult specialized blogs on supplier risk management and legislative developments in cybersecurity.