Venminder Blog

July 2025 Vendor Management News

Written by Venminder Experts | Jul 31, 2025 1:00:00 PM

Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of July 31

As third-party vendors adopt AI, breaches tied to subcontractors surge, and confidentiality is called into question, traditional oversight models are falling short.

Meanwhile, a large insurance breach is emblematic of challenges facing the insurance industry.

Rethinking third-party risk in the age of AI. As third-party vendors increasingly integrate AI into their services, financial institutions must expand their risk management frameworks to account for how these tools impact data privacy, operational stability, and potential bias. Traditional vendor oversight isn’t enough — firms need to evaluate how AI is used, set clear contractual expectations, and continuously monitor for changes in usage or emerging risks.

Protecting confidentiality when using third-party AI tools. When employees input confidential or proprietary information into third-party AI systems — often cloud-based — organizations must ensure that confidentiality isn’t compromised. That means understanding how data is transmitted, stored, and potentially reused; categorizing data based on sensitivity; and tailoring AI usage policies accordingly. Effective risk management also requires reviewing vendor practices, clarifying contractual obligations around data handling and audit rights, and evaluating whether third-party AI platforms meet your organization's confidentiality standards.
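One way to turn "categorize data by sensitivity and tailor AI usage policy accordingly" into an enforceable control is a pre-flight screen on anything an employee submits to an external AI service. The example below is added here and is not code from the article or from any vendor: the detector patterns, the sensitivity levels, the two vendor policies (an enterprise contract with no-training and audit-rights terms versus a public chatbot with no contract) and the sample prompt are all constructed assumptions. It goes slightly beyond the item above by showing the three outcomes a policy table produces (allow, redact, block) rather than only the classification step.

```python
import re

# Constructed detectors (illustrative, not a complete DLP ruleset): data class -> pattern.
DETECTORS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),        # loose PAN shape, Luhn-checked below
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "INTERNAL": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|PROJECT [A-Z]{4,})\b"),
}
# Assumed sensitivity levels; higher means more sensitive.
SENSITIVITY = {"SSN": 3, "CARD": 3, "INTERNAL": 2, "EMAIL": 1}

# Assumed per-vendor policy, the output of contract review: the highest level that may be
# sent unchanged, and whether redaction is an acceptable fallback (only where the contract
# forbids training on inputs and grants audit rights).
VENDOR_POLICY = {
    "enterprise-llm": {"max_level": 2, "redact": True},
    "public-chatbot": {"max_level": 0, "redact": False},   # no contract: nothing sensitive leaves
}

# Constructed sample input for the example.
SAMPLE_PROMPT = ("Summarize this customer note: Jane Doe (SSN 123-45-6789, jane@example.com) "
                 "disputes a charge on card 4111 1111 1111 1111. CONFIDENTIAL.")


def luhn_ok(number):
    """Luhn checksum, used to drop phone numbers and IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return {data_class: [matched strings]} for every detector that fires."""
    findings = {}
    for cls, pattern in DETECTORS.items():
        matches = pattern.findall(text)
        if cls == "CARD":
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            findings[cls] = matches
    return findings


def screen_prompt(text, vendor):
    """Decide allow / redact / block for sending `text` to `vendor` under VENDOR_POLICY."""
    policy = VENDOR_POLICY[vendor]
    findings = classify(text)
    level = max((SENSITIVITY[c] for c in findings), default=0)
    if level <= policy["max_level"]:
        return {"decision": "allow", "level": level, "text": text, "findings": findings}
    if not policy["redact"]:
        return {"decision": "block", "level": level, "text": None, "findings": findings}
    redacted = text
    for cls, matches in findings.items():
        if SENSITIVITY[cls] > policy["max_level"]:      # only strip what the policy disallows
            for m in matches:
                redacted = redacted.replace(m, f"[{cls} REDACTED]")
    return {"decision": "redact", "level": level, "text": redacted, "findings": findings}


if __name__ == "__main__":
    for vendor in VENDOR_POLICY:
        print(vendor, screen_prompt(SAMPLE_PROMPT, vendor)["decision"])
```

The policy table is the piece that should track the contract: when a vendor's terms change (for instance, a clause allowing training on inputs appears at renewal), the `max_level` for that vendor drops and the same prompts start being blocked, which is the "monitor for changes in usage" point made in the item above it.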

Insurance company third-party breach exposes data of 1.4 million customers. A July 2025 breach of a third-party, cloud-based CRM platform used by a large U.S. subsidiary of an insurance company exposed personal data for most of its 1.4 million U.S. customers, along with some financial professionals and employees. The company reported the incident to the FBI, notified regulators, and is offering two years of identity protection. Experts highlight the ongoing risks of third-party access and human-targeted attacks through social engineering.

Insurance industry facing third-party risks. Nearly 60% of cybersecurity incidents in the insurance sector are caused by vendors, and investors and regulators are scrutinizing insurers’ ability to manage vendor ecosystems. This is pushing firms toward tighter vendor audits, contractual security requirements, and increased monitoring. Resilience hinges on proactive supply chain oversight and strategic incident readiness.

Too many organizations ignoring fourth-party risk. As vendor-related breaches surge to nearly 30% of incidents, many organizations still overlook risks from fourth parties — subcontractors with access to sensitive data. Strong vendor risk management now demands full data flow mapping and tighter contracts that require subcontractor disclosure, pass-through obligations, audit rights, and offboarding protocols. Without these protections, even the best internal cybersecurity can be undone by gaps in your extended vendor ecosystem.

Combatting third-party risk amid federal efficiency efforts. As federal agencies push for greater efficiency, third-party vendors remain a critical weak point. Recent breaches — like the 2024 Treasury incident — highlight the need for continuous oversight, contractual safeguards, and a risk-based approach to managing external partners. Agencies must hold vendors to the same standards as internal teams, especially during periods of organizational change or downsizing.

Recently Added Articles as of July 23

Vendor cyber gaps cost retailer $390 million. A ransomware attack on a British department store’s supplier crippled online order fulfillment for over a month, leading to an estimated $390 million loss. The incident highlights the need for organizations to apply the same level of cybersecurity rigor to their vendors as they do internally — prioritizing continuous monitoring, strict access controls, and coordinated security efforts across the supply chain, as attackers increasingly target third-party relationships to breach larger enterprises. 

Mortgage vendor causes data breach. A breach at a notary service vendor may have exposed sensitive customer information belonging to a mortgage lender and servicer. Unauthorized users accessed loan closing documents, potentially compromising personal financial data for an undisclosed number of individuals.  

Mail processor source of hospital data breach. A health system experienced a data breach when its mail processing vendor was breached in March. Personal patient information exposed may include birth dates, Social Security numbers, client account numbers and dates of service. It’s unclear how many patients were affected. 

As financial service cyberattacks decline, vendor risk rises. The number of cyberattacks directly targeting financial services companies is declining – but these companies aren’t off the hook. Attackers increasingly focus on these companies’ vendors, which are seen as weaker links with fewer security controls. Information security professionals need to be focused on third-party risk management to guard against data breaches and other vendor problems.

Vendor breach exposes data of 25,000 students. An educational organization experienced a data breach that exposed the personal information of approximately 25,000 students. The incident was traced to a compromised vendor account, which allowed an unknown third party to access certain systems without authorization. 

Privacy compliance requires vendor resilience. New U.S. regulations, including the SEC Cybersecurity Rule, make clear that complying with privacy rules requires vendor operational resilience and vendor risk management. Companies need to understand vendor cybersecurity, incident response and how customer data is protected. Compliance requires more than annual reviews — it demands ongoing monitoring, clear oversight, and coordinated response plans. If your vendors aren’t resilient, neither are you.

Recently Added Articles as of July 16

Fintech breach impacts U.S. vehicle finance company. A third-party breach at a fintech service provider in February exposed personal data from 1,952 U.S. customers of a vehicle finance company. The breach did not compromise the lender’s own systems but affected data processed through its vendor’s platform. The incident highlights the ongoing need for strong vendor oversight of fintech partnerships. 

Call-center cyberattack exposes data of 5.7 million customers. A cyberattack on a third-party call center exposed data from 5.7 million airline customers, including names, contact details, and frequent flyer info. No financial data or passwords were compromised, but the breach highlights growing risks from vendor platforms with access to sensitive customer information. 

Murky software supply chain visibility linked to breaches. A new global survey found just 23% of enterprises have strong visibility into their software supply chains – and 80% of those lacking visibility experienced a breach in the past year. Oversight of third-party vendors, including software vendors and cloud providers, is essential. 

EU looks to expand TPRM expectations. The European Banking Authority (EBA) released draft guidelines for managing third-party risk in non-ICT services (i.e. non-technology services such as legal, custodial, or HR functions). While this proposal wouldn’t apply to U.S. institutions, it reflects a global trend: regulators are raising expectations for how financial institutions oversee all third-party relationships, not just those involving outsourcing or IT. The EBA’s move signals a shift toward more comprehensive, lifecycle-based TPRM programs that treat third-party risk as a core governance issue.  


Recently Added Articles as of July 10

Best practices and tips to protect against vendor compliance risk: Third-party risk management (TPRM) plays a critical role in helping organizations protect themselves from compliance violations caused by their vendors. A strong TPRM strategy includes identifying and assessing vendor risks, establishing clear contract terms, continuously monitoring vendor performance, and training employees on compliance responsibilities. Remember to set formal TPRM policies, use technology to streamline oversight activities, integrate TPRM into broader enterprise risk management (ERM), and regularly review the program to stay ahead of evolving risks.  

Third-party data breach impacts sensitive information: A recent third-party data breach highlights the ongoing risks associated with vendor relationships. A mail processing vendor for a healthcare organization was compromised. Impacted information includes names, contact details, account numbers, and Social Security numbers.  

Managing fourth-party risks: Fourth-party risk is a growing cybersecurity blind spot for organizations. Without direct contracts or visibility, it’s difficult to monitor these dependencies. To manage fourth-party risk effectively, start with supply chain mapping to identify critical fourth parties, set boundaries for how your data is used, and use contracts to require your vendors to manage their own third-party relationships. Ultimately, managing fourth-party risk requires cross-functional collaboration, proactive vendor oversight, and a shared commitment to building a resilient, transparent supply chain.

Using vendor tiering in third-party risk management: Assessing third-party risk requires more than checking boxes or relying solely on security ratings. Not every vendor poses the same level of risk, so organizations should tailor due diligence based on the vendor’s access to sensitive data and their impact on operations. Tier vendors by criticality, automate assessments where possible, and focus on meaningful risk indicators, like how a vendor would respond to a major incident. Contracts should include clear response obligations, and continuous monitoring is essential to catch changes in risk posture over time.  

Building a risk-resilient strategy to protect your organization: Despite shifting enforcement priorities and deregulatory messaging, compliance remains critical. Regulatory uncertainty doesn’t reduce an organization’s risk, but instead increases the need for proactive, risk-resilient compliance programs. This involves refining risk assessments, enhancing monitoring capabilities, leveraging regulatory intelligence, and integrating risk management across business functions. Be sure to assess third-party relationships with due diligence and ongoing monitoring. This mitigates legal and reputational risks.  

Recently Added Articles as of July 3

Managing third- and nth-party risks: As cyber threats and supply chain attacks surge, organizations must rethink how they manage risk beyond their immediate third-party vendors. Fourth and nth parties present growing vulnerabilities. Instead of trying to monitor every supplier, focus on critical parties, which are essential to your organization. Identify potential single points of failure for your critical processes and perform thorough assessments of suppliers. Understand how a supplier’s failure could disrupt your organization’s operations. Aligning risk efforts with operational impact and resilience helps reduce blind spots, withstand disruptions, and turn robust third-party risk management into a competitive advantage.
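The fourth-party items above (July 31 and July 10), the vendor-tiering item (July 10) and this one all come down to the same exercise: map where your data flows beyond the third party, work out what each nth party can actually hold, find the subcontractor that several critical vendors share, and tier from that. The block below is an added example of that mapping, not code from the article or from any product: the party names, the declared data flows, the set of critical vendors and the tiering rule are constructed assumptions. It goes a little beyond the text by also flagging an inventory inconsistency (a vendor declaring it passes on data it never received from you), which in practice is either a bad inventory or an undisclosed data path.

```python
from collections import defaultdict, deque

# Constructed inventory for this example (no real vendors): each row is
# (upstream party, downstream party, data classes the upstream declares it passes down).
# "Org" is us; depth-1 parties are third parties, depth-2 parties are fourth parties.
FLOWS = [
    ("Org", "CRM-SaaS", {"PII", "FINANCIAL"}),
    ("Org", "MailProcessor", {"PII", "SSN"}),
    ("Org", "CallCenter", {"PII"}),
    ("Org", "PayrollVendor", {"SSN"}),
    ("CRM-SaaS", "CloudHost", {"PII", "FINANCIAL"}),
    ("MailProcessor", "CloudHost", {"PII", "SSN"}),
    ("CallCenter", "CloudHost", {"PII"}),
    ("CallCenter", "Transcriber", {"PII", "FINANCIAL"}),   # declares more than it receives
]
ALL_CLASSES = {"PII", "SSN", "FINANCIAL"}
HIGH_SENSITIVITY = {"SSN", "FINANCIAL"}
CRITICAL_VENDORS = {"CRM-SaaS", "MailProcessor"}   # assumed: their outage halts a critical process


def build_graph(flows):
    """upstream -> {downstream: data classes declared on that edge}."""
    graph = defaultdict(dict)
    for up, down, classes in flows:
        graph[up][down] = graph[up].get(down, set()) | set(classes)
    return graph


def depths(graph, root="Org"):
    """Shortest hop count from us: 1 = third party, 2 = fourth party, and so on."""
    depth, queue = {root: 0}, deque([root])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, {}):
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return depth


def effective_access(graph, root="Org"):
    """Data each party can actually hold: a party can only forward what it received, so each
    edge is bounded by the upstream's access. Iterates to a fixed point (safe with cycles)."""
    access = defaultdict(set, {root: set(ALL_CLASSES)})
    changed = True
    while changed:
        changed = False
        for up, edges in list(graph.items()):
            for down, classes in edges.items():
                gained = (access[up] & classes) - access[down]
                if gained:
                    access[down] |= gained
                    changed = True
    return dict(access)


def inventory_inconsistencies(graph, access):
    """Edges declaring classes the upstream never received: bad inventory or an unknown data path."""
    return [(up, down, classes - access.get(up, set()))
            for up, edges in graph.items() for down, classes in edges.items()
            if classes - access.get(up, set())]


def single_points_of_failure(graph, critical, root="Org"):
    """Parties that two or more critical vendors depend on, directly or via subcontractors."""
    reverse = defaultdict(set)
    for up, edges in graph.items():
        for down in edges:
            reverse[down].add(up)
    spof = {}
    for party in list(reverse):
        stack, upstream = list(reverse[party]), set()
        while stack:                              # walk every upstream chain back toward root
            p = stack.pop()
            if p not in upstream:
                upstream.add(p)
                stack.extend(reverse[p])
        hit = upstream & critical
        if party != root and len(hit) >= 2:
            spof[party] = hit
    return spof


def tier_vendors(graph, critical, root="Org"):
    """Tier 1: critical to operations or holding high-sensitivity data. Tier 2: other personal
    data. Tier 3: none of our data. nth parties (depth >= 2) holding our data have no contract
    with us, so disclosure, audit and offboarding terms must pass through the third party."""
    depth, access = depths(graph, root), effective_access(graph, root)
    tiers = {}
    for party, d in depth.items():
        if party == root:
            continue
        held = access.get(party, set())
        tier = 1 if party in critical or held & HIGH_SENSITIVITY else 2 if held else 3
        tiers[party] = {"tier": tier, "depth": d, "data": sorted(held),
                        "needs_passthrough": d >= 2 and bool(held)}
    return tiers


if __name__ == "__main__":
    g = build_graph(FLOWS)
    print("tiers:", tier_vendors(g, CRITICAL_VENDORS))
    print("single points of failure:", single_points_of_failure(g, CRITICAL_VENDORS))
    print("inventory inconsistencies:", inventory_inconsistencies(g, effective_access(g)))
```

On the constructed inventory the shared hosting provider ends up holding every data class we have, sits behind both critical vendors, and has no contract with us, which is exactly the fourth-party gap the items above describe; the tiering puts it in tier 1 with a pass-through flag even though no one in the organization chose it.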

Prioritizing third-party cybersecurity during trade disruptions: As tariffs reshape global trade, many organizations are rapidly reworking vendor relationships and supply chain strategies, but it shouldn’t come at the cost of cybersecurity. Sudden changes can expose critical vulnerabilities, especially when third-party vendors aren’t properly vetted or monitored. A single weak link, like an untrained vendor employee or outdated system, can result in significant disruption. To stay resilient, integrate cybersecurity into every stage of third-party risk management. Cross-functional collaboration and proactive oversight are essential to safeguarding both operational continuity and data security.

Third-party data breach compromises patient information: A recent third-party data breach impacted patient information at several regional hospitals in Maine. The vendor supplies sleep study technology. While no Social Security or financial data was compromised, exposed information may include patient names, birthdates, medical record numbers, and test results. This incident highlights the significant risks third-party vendors can pose to sensitive data.  

Third-party data breach compromises potentially millions of records: Qantas, Australia’s largest airline, recently disclosed a significant data breach stemming from a third-party customer service platform. The breach exposed personal details, including names, contact information, birth dates, and frequent flyer numbers, of potentially millions of customers. The attack shares characteristics with recent campaigns by the threat group “Scattered Spider,” known for targeting identity systems and service desks in high-profile industries.  

Cyberattack on third party compromises Swiss government data: A ransomware attack on Swiss third-party vendor Radix exposed sensitive data from Swiss federal offices. The third party was compromised by a ransomware group that published 1.3TB of stolen data, including contracts, financial records, and communications, on the dark web. This is the second third-party breach the Swiss government has experienced in the last two years.

Insurance claim documents impacted in third-party data breach: Scania, a leading global truck manufacturer, confirmed a May 2025 third-party data breach leading to the theft of 34,000 insurance claim documents. While the company said privacy risk is limited, the leaked documents may contain sensitive personal and insurance-related data.  

Tips for effective vendor relationship and risk management: Effective vendor risk management goes beyond contracts and costs. Several organizations emphasized strategies rooted in communication, transparency, and resilience. For instance, creating detailed vendor onboarding plans sets expectations early and allows organizations to identify and address gaps before they become major issues. Others recommend performance-driven scorecards and quarterly reviews to align vendors with business goals, foster accountability, and drive innovation. Regular check-ins and shared service-level dashboards build trust and help vendors act as strategic partners. Together, these practices help build more resilient, collaborative, and value-driven third-party relationships.