Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recent findings reveal that board-level AI oversight remains inconsistent across industries, creating gaps that cybercriminals are increasingly exploiting through vendor relationships.
From insurance companies exposing over 1 million customer records to telehealth vendors delaying breach notifications by eight months, third-party incidents are demonstrating how vendor vulnerabilities can trigger enterprise-wide consequences that persist for years. These developments underscore that comprehensive third-party AI risk management requires active governance and continuous monitoring — not passive assumptions about vendor security.
AI risks require board-level oversight. While artificial intelligence offers efficiency across core banking functions and competitive advantages, it also creates material risks that traditional frameworks don't fully cover. These challenges underscore the importance of organizations' boards treating AI oversight as a core governance responsibility, ensuring transparency, accountability, and regulatory alignment.
Insurance breach impacts 1M+ customers. Another major insurance company has revealed a data breach affecting the personal info of over 1 million individuals. Exposed data included names, addresses, dates of birth, driver’s license numbers, and the last four digits of SSNs. The breach is the latest cyberattack across the insurance sector, which has impacted Aflac, Erie Insurance, and Allianz Life, among others.
Telehealth app reports data breach eight months after the fact. A telehealth and anonymous reporting app provider for the Los Angeles Unified School District experienced a data breach in December 2024 but did not notify affected families until August 5, 2025. The vendor hasn’t disclosed what information was accessed, though the attacks did involve unauthorized access to its network. The eight-month delay in reporting may violate both state and federal laws, serving as a reminder for companies to enforce prompt breach notification clauses and timely remediation from third-party vendors.
“Limited” breach could lead to phishing or scam attempts. What an Australian telecom provider described as a “limited” cyberattack could be more extensive than the company’s statement suggests. The breach tied to stolen employee credentials gave attackers access to the company’s order management system, exposing 280,000 email addresses, 20,000 landline numbers, 10,000 usernames, residential addresses, and 1,700 modem setup passwords. While no phishing or other social engineering attacks have been linked to the information yet, the breach serves as a reminder of the snowball effect a single incident can have on a company for years to come.
Identity overload slows cyber team responses. Investigating identity-related alerts now takes an average of 11 hours, with compromised credentials driving 20% of breaches in 2025, according to new data. Fragmented identity systems — especially across cloud and on-site environments — make it harder to respond quickly. The insights underscore the importance of ensuring vendors have robust access controls and AI-aligned policies to mitigate cyber risk.
Regulators and cybercriminals alike are spotlighting third-party risk — from the FDIC’s own vendor oversight challenges and DORA in Europe to fresh breaches and credential theft tied to service providers. These developments are a sharp reminder that vendor due diligence and ongoing monitoring can’t be outsourced.
OIG flags gaps in FDIC vendor oversight. An Office of the Inspector General report says the FDIC’s Significant Service Provider (SSP) Examination Program — which oversees major vendors like core and payment processors — needs clearer direction. The watchdog warned that without defined goals and measurable benchmarks, the FDIC can’t effectively gauge the program’s impact. Resource constraints and delays in building a new risk-scoring system have also left exam priorities “highly subjective.” The FDIC agreed with the findings and pledged corrective actions by March. It’s a reminder that vendor due diligence and ongoing monitoring remain a bank’s responsibility, not something they can offload to regulators.
HR vendor breach could fuel social engineering attacks. A third-party data breach at a large HR company is yet more evidence that vendors with troves of data are increasingly appealing targets for hackers. The data of 70 million users and 11,000 corporate customers may have been exposed through a breach of the HR company’s CRM software. The information may be used to socially engineer victims in future cyberattacks.
Stolen third-party credentials in demand. Cybercriminals are increasingly buying and selling administrator-level credentials on the dark web. What makes this trend especially dangerous is that many of these credentials originate from third-party vendors. Over-permissive vendor accounts, forgotten VPN logins, and service accounts that were never deactivated give attackers easy entry points into critical systems. The takeaway: vendor access is often the weakest link. Even a single compromised password from a contractor or service provider can give an attacker the keys to sensitive data and operations.
Expanding vendor ecosystems lead to cyber risk. Vendor oversight is increasingly important as vendor portfolios grow. For example, school districts face vendor risk from sprawling networks, lean IT teams, unsanctioned “shadow” apps downloaded by staff, and student records packed with sensitive data that are highly valuable to attackers. Vendor due diligence, vendor tiering, addressing cybersecurity in contracts, and ongoing monitoring are valuable strategies for managing this risk.
TPRM rule takes hold in Europe. Six months after the EU’s Digital Operational Resilience Act went live, financial firms are feeling both the pressure and the progress. Budgets have surged as institutions strengthen cyber defenses, step up incident reporting, expand resilience testing, and tighten third-party oversight. While the workload is heavy, DORA is already changing day-to-day practices — embedding resilience as a core business function rather than a compliance checkbox.
Risk perception differs based on sector and role. New data suggests that digital risks, including cybersecurity, privacy, and third-party risk, are widely shared but perceived differently across roles and sectors. Dependency on and risks associated with third-party vendors were named the third-highest “top” digital risk among the 600 leaders surveyed in the Navigate Digital Risk Index 2025. The results underscore the importance of not only identifying and mitigating risks but also fostering cross-departmental communication for a 360-degree risk view.
Breach impacting nearly 1M individuals ends in $5M settlement. A New York-based healthcare provider and its third-party IT vendor have agreed to a $5.15 million settlement (pending final approval in December 2025) stemming from a data breach impacting thousands of patients and employees across multiple states. The case is yet another example of the costly consequences of data breaches and the importance of vendor due diligence and ongoing monitoring, especially for cybersecurity best practices.
Airline customers’ data stolen in third-party breach. An attack on a third-party platform used by two major European airlines’ contact centers led to a third-party data breach that exposed customer information. While a spokesperson confirmed no sensitive data was taken, the incident illustrates how weaknesses in vendor systems can put customer privacy at risk.
A risk wake-up call for SaaS providers. A response to an April open letter from JPMorgan Chase’s CISO Patrick Opet emphasizes the importance of stronger supply chain security, especially in highly regulated industries such as financial services. The article emphasizes the importance of limiting third-party dependencies to mitigate concentration risk, ensuring continuity planning, facilitating ongoing monitoring, and upholding a commitment to data protection, among other best practices. Ultimately, SaaS providers should see themselves as trusted partners who make security a core value, not just a compliance requirement.
Networking tech giant breached via ‘vishing’ call. An attacker tricked a representative at a multinational technology company into granting access to a third-party, cloud-based CRM system used for user accounts through a voice phishing (vishing) attack. The company said the stolen data consisted of ‘basic’ account profile information and did not include customers’ confidential or private data. Security observers believe this attack fits into a broader trend targeting companies using a well-known CRM platform. While the number of users impacted has not been confirmed, the attack is a stark reminder that cyberattacks are advancing and a single incident can have a big impact.
Jewelry retailer confirms third-party data breach. A major jewelry retailer confirmed the loss of ‘very common types’ of customer information in a third-party data breach. The company said the data has not been abused but cautioned its customers to remain vigilant. While the threat actors were not confirmed, the incident is allegedly linked to the same wave of attacks impacting many companies’ CRM platforms.
Health record vendor breach impacts FL hospital. A Miami-area hospital disclosed that patient information, potentially including social security numbers and health records, was compromised in a third-party data breach that may have occurred as early as January 2025. While the hospital was aware of the breach by March, no public announcement was made at law enforcement’s request. The incident is the latest in a series of ongoing hacks targeting healthcare organizations.
B2B company's data leak could impact thousands. Following a ransomware attack in July, an InfoSec company with customers including Apple and HP has been added to SafePay's data leak site. The ransomware operation is threatening to release 3.5 terabytes of sensitive customer information unless a ransom is paid. While the threat is ongoing, the situation highlights the residual effects of ransomware attacks and the importance of continually monitoring third parties' cybersecurity programs.
Lack of third-party monitoring impacts organizations' cyber health. A new report, based on a survey of IT professionals globally, found that although most organizations assess third parties for cyber risk, only about one-third of respondents continuously monitor their vendor relationships, revealing a significant gap in the "digital supply chain." Organizations with mature, well-aligned cyber risk programs are 4.5 times more likely to maintain continuous oversight of their third parties, highlighting the importance of investing in TPRM as part of an overall risk management program.