Silent Threats: Risks of Sharing a Vendor with a Government

As geopolitical instability intensifies and NATO leaders convene in The Hague for the 2025 Summit, a Sparten-led audit has revealed an underappreciated vulnerability in the commercial resilience chain: inheriting risk by contracting with a provider that also serves government.

Sparten was recently commissioned by a data and analytics company specialising in supply chain management, commodities data and geopolitical risk to review its security resilience, in particular its crisis response processes and third-party vendors. The investigation uncovered a more complex and systemic concern: the security and operational risk introduced when commercial vendors carry parallel obligations to both sovereign and private-sector customers.

This is particularly true in sectors where governments outsource sensitive capabilities, such as journey management, emergency medical support, site evacuation and security logistics, to commercial crisis response firms. These providers often act as a bridging layer between the state and commercial enterprise. But this positioning comes at a cost to the other customers of the same services: it can entangle corporate resilience architectures with adversarial state targeting, politicised dependencies, and resource constraints during overlapping crises.

Dual Mandates, Divided Priorities

The audit focused on two crisis response providers supporting the client across multiple jurisdictions, service lines and products. While their reputations are well established, open-source reporting indicated that both were expanding their roster of government contracts, including foreign policy and defence support roles. This raised significant questions about priority allocation, capacity scaling, information compartmentalisation and data quarantining.

In practice, a government-affiliated commercial partner may be mobilised first during a crisis, potentially delaying, downgrading or displacing private-sector response commitments. When threats are simultaneous across theatres, it becomes difficult to determine whose interests come first and under what operational security protocols. Historic comparisons of responses and local source reporting confirmed this to be the case. More concerning, however, is the assumption that threat actors would perceive a commercial provider as neutral even though it holds a government contract. In the era of grey zone tactics, neutrality is an illusion. Once a vendor is formally tied to a government, that government's adversaries treat it as an extension of the state. Its systems, staff, infrastructure and client portfolios become surveillance targets, infiltration routes or leverage points.

Risk by Association

The Sparten audit identified multiple vulnerabilities that stemmed not from the providers' competence but from their structural design. These included the co-location of sensitive infrastructure, where emergency coordination centres or GSOCs (Global Security Operations Centres) operated from commercial premises and data centres shared with government contracts. We also observed subcontractor entanglement, where local subcontractors had been insufficiently vetted and had no insight into the security posture of the other clients they served. Asset-tracking overlap was common, especially the use of shared data platforms for sovereign and corporate clients, which enabled hostile actors (in this case Sparten's own Red Teams) to triangulate movement or extract metadata. Data fusion also presented a risk: the integration of medical, travel and personnel data across clients was not governed by a rigorous classification protocol that ensured audit clarity and visibility.

These issues are not hypothetical. Ahead of the NATO Summit, threat intelligence groups reported increased targeting of non-state contractors and support personnel. Threat actors have deployed malware focused on logistics and crisis response networks, and nefarious groups are believed to be conducting passive reconnaissance of contractors for future disruption. Ideological and criminal entities, from ransomware operators to political hacktivists, exploit the visibility and operational footprint of crisis response vendors.

Identify and Report on Blind Spots

Sparten agreed to write this summary article after consultation with our client and agreement that the benefits of wider awareness across the corporate security realm are paramount. CSOs and CISOs must be empowered to scrutinise service providers and establish how far resilience extends, whether there is a conflict of priorities across contracts, how data is secured internally and externally, and which areas of the business are exposed to government contracting elements. These questions are especially critical for firms operating in energy, commodities, logistics, finance and defence. Threat actors will not differentiate between state and commercial entities, especially when the commercial route is the path of least resistance. If your vendor is seen as an extension of the state, you may be treated accordingly.

A Higher Due Diligence Standard

Sparten's view is clear: dual-mandate vendors should be assessed as strategic partners, not transactional suppliers. Corporates must adopt security vetting and threat modelling approaches once reserved only for government contractors. The message is not that these providers are untrustworthy; on the contrary. But dependency must be matched by strategic awareness. If your crisis response partner wears two hats, you need to know. Get in touch with the Sparten Research Team for more details about their Red Team capabilities and resilience building.