Who proactively asks their software stack providers about security?

I'm glad ASIC is keeping cybersecurity top of mind. Regarding supply chain risk, my guess is fewer than 20% of firms have proactively vetted their software vendors' security. Many see it as the vendor's responsibility. But we must take ownership too. If we don't ask the tough questions, we may be caught unaware. I think framing security reviews as collaborative partnerships, not interrogations, can open doors. Protecting client data is a shared priority.