@Glenn 6
Yes, that. The company giving third parties access also have a responsibility to vet these third parties/make sure they abide by security policies, monitor for security intrusions and actually are responsible (versus their own clients) for everything that is done once logged in with that account.
But it makes nicer spin if you just repeat "third party" as if it wasn't their own shoddy IT security... it's just that it's not ONLY their own shoddy IT security.