
Product Update

Score & Report on your Supplier Risks

We’re improving Risks, making it easier for you to score and report on your Supplier Risks. Now, you can select impact and likelihood values when opening a risk. Depending on your organisation's current approach to risk reporting, you can customise your impact and likelihood levels to match your internal Risk Matrix.

As you start to open and score risks, we’re providing you with a new type of report, which can be accessed within Reporting. It helps you and your team to visualise your risks, prioritise which ones need your focus and communicate them within your business.

If you’d like to learn more, dive straight into our help centre.

Fixes & Improvements

  • When exporting your policy matrix, we now include the domain letter and control number.
  • You’re now able to search by organisation website and number, alongside their name.
  • We’ll no longer display a compliance percentage to suppliers, until after you’ve configured and applied your policies to their profile.
Product Update

Clearer Assessment Columns

We understand that the seven different assessment columns available in your supplier lists can easily lead to confusion. We heard your feedback and today, we're making things simpler for you by only providing three key assessment and reassessment columns. These are:

  • Last Assessment Date - the date of a supplier’s most recent assessment.
  • Next Re-Assessment Due - the date of a supplier’s next reassessment.
  • Assessment Progress - the progress % of a supplier’s first assessment.

Fixes & Improvements

  • 💅 Introduced a 3D Network Visualisation, making it easier for you to understand your connections.
  • 💅 We've made the email you receive when a control is about to expire clearer, so you know exactly what to do next.
  • 💅 Improved clarity in the discussions inbox: you can now see exactly which organisation a discussion is with, without needing to click into each discussion to find out.
  • 🐛 Fixed a bug where files with non-latin characters would fail to download.
  • 🐛 Fixed a bug where changing an answer in the assessment could fail if the initial assessment was done post answer completion removal.
  • 🐛 Fixed a bug where labels wouldn’t be loaded when changing between supplier profiles.
Product Update

Improving Supplier Invites

We're making it easier and clearer for suppliers to sign up directly from an invite. On your behalf, we'll now prompt an invited supplier to join Risk Ledger and connect with your organisation for up to 6 months until the invite expires.

When a supplier accepts your invitation, we'll now also let you know, enabling you to apply your policies, labels, or any custom properties you may have created. We'll keep you informed of their progress and notify you when they have finished their assessment, so you can begin your review.

If an invitation expires, don't worry! We'll keep you informed so you can decide what to do. You can either resend the invite or check you have the right contact information.

Fixes & improvements

  • 💅 We’ll now hide Intercom from getting in the way on a profile’s discussion tab.
  • 💅 To make it clearer, we’ve renamed Quick Connect to Browse All Suppliers.
  • 💅 Depending on which area of the product you’re using, we’ve made it clearer whether you’re searching for clients or suppliers.
  • 🐛 Fixed a bug which prevented some controls from appearing in the Policy Matrix.
  • 🐛 Fixed a bug where some buttons displayed in our emails were not clickable in Outlook.
Product Update

Enhanced Discussions Inbox

Today, we're introducing a new discussions inbox, enabling you to more easily connect and communicate with other security teams on Risk Ledger. You can now view all of your discussions from a central location, with the right level of context, enabling you to focus on what really matters - building trust.


Fixes & improvements

  • Fixed a bug where users were sometimes unable to scroll on the Getting Started page.
  • Fixed a bug where the last and next assessment dates wouldn't appear when logged in via SSO.
  • Fixed a bug which could sometimes result in zero-byte files being uploaded.
  • Fixed a bug in the activity feed that caused it not to load properly.
Product Update

Track & Manage your Supplier Risks

Supplier Risks allow you to open, manage and track risks that matter to you within your supply chain, helping you and your teams to track and make informed decisions on the risk a supplier poses to you and your business. If you’d like to learn more, dive straight into our help centre.

Fixes & improvements

  • Supplier users can now benefit from the same behaviour we provide clients; a powerful data table, with enhanced filtering & sorting.
  • We’ve made it easier for suppliers to view their connected clients with a powerful data table.
  • We’ve added Custom Properties for use in the Risk Ledger API.
Product Update

Policies Matrix

You can now compare your policies with our Policy Matrix - helping you to understand what security requirements you have in place for each control within our standardised controls framework.

Fixes & improvements

  • Suppliers can now benefit from Single Sign-On with Sign in with Google.
  • When setting up 2FA we now provide a secret key for manual entry into an authenticator app.
  • We’ve added your suppliers’ re-assessment data to your supplier lists, allowing you to filter, sort and create your own views.
  • We now support Outlook Items, so they can be uploaded as files in your private notes.
Product Update

Framework Changes - August 2022

We've made some changes to the standardised controls framework within Risk Ledger.

We do this bi-annually so that the framework stays relevant, useful and practical for all users of the Risk Ledger platform.

New Controls

We've added 11 new controls to the framework, resulting from global user feedback and updates to industry standards. For this review, we have taken the recent release of ISO 27002:2022 into consideration. The new controls cover Threat Intelligence, Privileged Access Management, Data Protection and Insurance policies.

We updated the Data Protection domain to make it relevant and useful for all organisations, regardless of their location or jurisdiction. We also added the ability for organisations to select multiple countries / regions where they store personal data or transfer it to.

Updated Wording

There were changes made to 26 of the questions to make them clearer and more meaningful. You may wish to check that you're still happy with your corresponding answers, notes, and evidence. For some controls, suppliers need to confirm that their answers are still applicable. This is marked clearly within the platform.


We've changed the order of our domains to improve the experience of suppliers completing their profile for the first time.

Controls relating to Cyber Insurance have been moved from the Business Resilience domain to the Financial Risk domain, alongside the new insurance controls.

To learn more, click here to head over to our help centre.

Product Update

Custom Properties

Custom Properties allow you to add the supplier context that matters to you and your team, helping you stay organised and giving you the structured data you need when reviewing your entire supplier base. Define your own custom properties with the types below and easily filter, sort and export your full supplier list.

Here are some of the properties you can start using today:

  • Text – basic text for short notes such as the name of an internal business owner.
  • Select – dropdown menu of options, to categorise suppliers as you need.
  • Number – decimal numbers, such as an internal identifier or contract value.
  • Date – select past or future dates, for example to record contract renewal dates.
  • Boolean – used to indicate whether something is true or false.
  • URL – a special text field for including website links.
  • Email – a specific text field for including an email address, such as a business contact.

Fixes & improvements

  • We now send an email notification to client users 30 days before a supplier's approval is about to expire.
  • We've improved the messaging displayed to users when Business Approval is required.
  • We now include notes from the private notes tab in a supplier's profile PDF export.
Product Update

Introducing Emerging Threats

Today we’re launching a new module to help you respond to a live cyber security threat within your supply chain.

Responding & sharing your status

When an Emerging Threat occurs, such as Log4j, you’re likely inundated with messages from clients who are all asking the exact same questions, whilst you try to juggle your own incident response.

When the next Emerging Threat is identified we’ll ask you whether you’re affected and the current status of your response. We’ll then leverage the Risk Ledger network to share this with your connected clients.

Reviewing your suppliers’ responses

As suppliers begin to respond, you will see a quick snapshot of how your supply chain is affected on a personalised dashboard. You can then delve deeper into each supplier’s response to collaborate on remediation.


If you’d like to learn more, read our latest blog post or dive straight into our help centre.

Product Update

Risk Ledger API

We're excited to share that the Risk Ledger API is now available. We’re opening this up early as an Alpha, to keep a tight feedback loop. During this time, we might make some breaking changes, and won't guarantee backwards compatibility. If you’d like to learn more, head over to our API reference.

To begin, client organisations will be able to call a single endpoint, to retrieve all of their suppliers. We’d love to hear what you think & we can't wait to see what you create.

Fixes & improvements

  • We've made improvements to supplier discoverability on Quick Connect.
  • You can now optionally give a reason when rejecting or removing a connection.
Product Update

Virus Scanning Uploaded Files

We now pass all uploaded files through a processing pipeline, which will automatically scan for viruses and malware. Until a file has passed a scan, it will not be downloadable by any users. Read more about how we approached this on our blog.

Fixes & improvements

  • Select from 4 & 5 year options, when selecting a re-approval cadence.
  • View a count of your Invites in the Action Centre sidebar.
Product Update

Custom Re-Approval Timeframes

For added flexibility, you can now change your re-approval timeframe on a per supplier basis. Easily customise this to suit your needs, such as needing to re-approve your most critical suppliers on a more frequent basis.

Your default settings will be applied, if no value has been selected.

Fixes & improvements

  • You can now export your Connection Requests & Invites to CSV.
  • You can now download a PNG of your Network Visualisation.
  • We've made improvements to the default Connection Request template.
  • We've fixed a bug with inputs, which now only trim when unfocused.
Product Update

View the supplier data that you need, when you need it

We’ve now made it easier to view the supplier data that you need, when you need it. Select the columns you want to see, filter by many more available attributes and save your own view of the data to share with your colleagues.

Filtering, Sorting & Columns

We know you want to see different pieces of information, filtered in different ways, in different scenarios. We now display your suppliers in a powerful table, allowing you to easily select the visible columns, filter by any number of attributes and quickly sort by what’s important.

Saving your Views

By default, we provide you with three default views which apply commonly used filters to help you get exactly what you need. If you find yourself regularly filtering in other ways, with different visible columns, just save a new view - this will be available to all users within your organisation.


At any point, you can export the current view of your suppliers as a CSV for further analysis outside of Risk Ledger.

Fixes & improvements

  • We’ve drastically improved performance when loading & filtering your suppliers.
  • We’ve moved the search so it can be easily accessed on every page.
  • For suppliers with incomplete assessments, we now show the date they last updated an answer, so you know if they’re progressing and when to reach out via a discussion.
  • We fixed a bug where the submit banner was not appearing immediately for suppliers at the end of their assessment.
Product Update

Visualise your supply chain

We believe all organisations should understand the risk that their entire supply chain poses to them - not just their immediate suppliers.

As a client, the Network Visualisation will show the names of all organisations within your supply chain on Risk Ledger, including 4th, 5th and 6th parties. This gives organisations who use Risk Ledger unparalleled insights into the breadth and depth of their supply chains.

Spot potential concentration risks

Concentration risk is when there is an over-reliance on certain organisations within the supply chain - it’s a problem that organisations often don’t get visibility over.

We’ve spoken to a number of organisations that need to understand and assess potential concentration risks within their supply chain and the threat they pose. Often, gaining meaningful data from third-party suppliers can be painful and time consuming.

Leveraging the power of the Risk Ledger network, we now give visibility of potential concentration risks - we'd love to hear your feedback on this.

Filter out the noise

As the visibility of your supply chain increases, it's important to be able to focus in and cut through the noise. To make it even easier, we've added extra tools such as filtering, which will allow you to filter by Criticality, Confidentiality, PII and your own custom labels.

Control your contribution

We believe it is important for every organisation benefiting from the Risk Ledger network to equally contribute to the network through sharing of their own supply chain.

If you do not wish to share the names of your suppliers with your clients, you can disable the network visualisation in your settings. By disabling this feature, the names of your suppliers will remain private and you will not have access to the network visualisation feature.

Product Update

Supplier Framework January Update

We regularly review and iterate on our Supplier Framework.

Reviews are completed every 6 months so that the framework stays relevant, useful and practical for all users of the platform.

Ensure vulnerabilities are managed appropriately

We have added a new control to the Network and Cloud Security domain to ensure that any identified vulnerabilities are triaged and remediated as appropriate.

Keeping it relevant for the remote world

Following user feedback, the Physical Security domain now has a scoping question asking whether suppliers rely on any physical premises to deliver their services or run their business. This could include, but is not limited to, office space, warehouses or data centres.

Improved clarity

We have updated the wording of 15 controls to make them clearer and more meaningful, reducing ambiguity and ensuring suppliers can provide clear, accurate information to all their clients.

Product Update

Ensuring up-to-date certifications with expiring controls

We now ask suppliers to enter the expiry date of their certifications on relevant controls. They will receive a reminder when one of their certifications has expired and needs updating. Controls with an expiry date in the past will automatically be shown as non-compliant.

We are rolling this out from today for the following controls; A1 (Cyber Essentials), A2 (Cyber Essentials Plus) and A3 (ISO27001).

Fixes & improvements

  • Added a link to the help centre from the navigation menu.
  • Added the current build version & date to the navigation menu.
  • We now display the role of a user in their account settings.
  • Fixed a bug which prevented you navigating to pending remediations from the client dashboard.
  • Fixed a bug which displayed the create label button to view and edit users when creating a policy.
  • Fixed a bug where the assessment wizard had a mind of its own.
Product Update

Greater collaboration when reviewing your Suppliers

When reviewing a supplier's profile, you can now add multiple users as reviewers. Click the approval button to add your reviewers, or to change approval status and request business approval.

Apply policies with Labels

Create policies using your own labels, which offers more flexibility when applying your requirements to a supplier. Add new or edit existing Labels within your Settings then apply these in your policies page.

Client & Supplier User Permissions

For organisations that use both the client and supplier side of Risk Ledger, and have multiple users, you now have access to additional user permissions. Choose which side of the platform users have access to. Select from either the client side, supplier side or both.

Product Update

When proactively sharing your Security Profile with clients & prospects, we now offer a greater degree of control around content, expiry and messaging.

For each shared link you create, you will now be able to:

  • Select your own expiry time, including unlimited access links.
  • Send the link with a personalised message.
  • Select which domains are included.

Risk Ledger Badges

From today, you can now link to your Shared Profile in your website footer, compliance page or email signature using a Risk Ledger badge. Click here to get one.
Product Update

Introducing Profile Sharing on Risk Ledger

Proactively share your Security Profile with clients to reduce questionnaire burden and impress prospects.

You can now easily create a secure link to share your up-to-date profile with anyone at any time. Copy the link, or forward it on to a client or prospect to impress them with your security maturity.

Prospects can sign up for free to connect with your organisation, access evidence & ask questions.

You are in control, so links will automatically expire after 30 days, or can be easily deactivated at any time.

Fixes & improvements

  • A new Environmental, Social and Corporate Governance (ESG) domain has been added to our Supplier Assessment Framework.
  • Client Dashboard metrics now display the previous 30 days.
  • We no longer allow negative numbers in control answers.
  • Compliance by Label is now sorted by compliance percentage.
Product Update

Supplier Framework August Update

We regularly review and iterate on our Supplier Framework.

Reviews are completed every 6 months so that the framework stays relevant, useful and practical for all users of the platform.

Introducing Environmental, Social and Governance domain

Whilst security remains our key focus, we recognise the importance of understanding the environmental and social risks in your supply chain and the impact they have on the overall sustainability of your business. This evolution of our standardised Supplier Framework is designed to provide our clients and their suppliers with a practical way of sharing and discussing the information needed to do this.

Improved clarity and coverage

We have added new controls and improved the wording of existing controls to make them clear and more meaningful. This will help suppliers provide clear and accurate information to their clients across a wide range of risk domains.

Better flow and separation

Some domains have been renamed to better reflect the controls within them; the Procurement Risk domain has been removed and the controls from that domain have been split between 'Financial Risk' (renamed from 'Financial Crime') and a new Environmental, Social and Governance (ESG) domain. The order of some controls has changed to improve the logic flow.

Product Update


  • We now display a welcome modal for all new users.
  • Suppliers can export a PDF of their Risk Ledger profile.
  • Added IT as a team option for all users.
  • Clients can now select a custom date & export on Compliance Reporting.

Fixes & improvements

  • Selecting Add Users in Getting Started now pushes you to the correct place.
  • The first Unapproved Status will no longer incorrectly show the lead supplier user.
Product Update


  • Clients can access the visualisation page to see a network of their suppliers.
  • Evidence has been changed from a grid to a table with additional filtering options.
  • The temporary password email now contains the inviting user and organisation for more clarity.
  • A cookie banner is included on the website.
  • Users can set a team on their account.
  • A primer email toggle with template is available when sending a connection request.

Fixes & improvements

  • Fixed unnecessary verification code SMS received by newly added users when signing up.
  • The link for support on the 2FA page during login now opens the intercom chat.
  • The reports blog section on the website overlapping the footer has been fixed.
  • The correct remediation dates are shown in the Action Centre.
Product Update

Performance and Activity Reporting

Now you can view all of your organisation's Performance and Activity related metrics by heading over to Reporting. Choose from a range of time periods, aggregate and download to CSV.

Fixes & improvements

  • Added additional context to discussion email notifications on controls.
  • Display a placeholder when there are no active discussions.
  • Added a new "none" action to the Business Approval Request flow.
  • Improved the visibility of "apply to selected" on a supplier's profile.
  • Users can now view all of a supplier's evidence on a profile.
Product Update

Control over your email preferences

Risk Ledger sends email notifications for key events that you should be aware of within your organisation.

You are now able to configure what you wish to be notified about, or turn off all email notifications.

Fixes & improvements

  • Single Sign-on users are now able to upload & download files.
  • The Share Assessment copy incorrectly referenced clicking an icon to invalidate a generated link.
  • On Firefox, sometimes users were able to scroll into the void.
  • Notifications incorrectly showing for the action centre.
  • Users can no longer upload evidence to a control that does not allow evidence.
  • Weekly digest emails no longer include compliance changes if a Supplier initial assessment is incomplete.
  • Weekly digest emails will display a fallback image if we're unable to fetch their company logo.