
Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of May 22
Third-party data breaches ruled the news this week. New stats report a troubling surge in third-party cyberattacks while devastating vendor breaches make headlines. Catch up below.
Staggering 41.8% of fintech breaches originate with third parties: Nearly half of breaches impacting top fintech companies originate with a third-party supplier, according to new research. While 41.8% were attributed to third-party breaches, more than 18% came via fourth parties. Fintech companies have become a critical piece of the financial sector – but even fintechs with strong cybersecurity controls can be breached through a third party. Strengthening third-party risk management practices is critical to protecting both your organization and the overall financial system.
Bribing of third-party contractors leads to breach of crypto exchange and massive financial losses: A third-party data breach impacted a small subset of a crypto exchange’s users – and the company anticipates losses between $180 million and $400 million. It was reported that third-party contractors were bribed to provide access to private customer information. That information included masked bank account information, crypto exchange account balances, and transaction histories. The crypto exchange said it will reimburse customers who lost funds and is offering a $20 million reward for information leading to the arrest and conviction of the hackers. The third-party contractors were terminated.
Cause of massive cyberattack traced to third-party vendor: A massive cyberattack on a United Kingdom supermarket retailer was traced to a third party. The breach significantly impacted retail operations – losing the company millions in sales and disrupting online services. Attackers used a third party’s access to execute the breach. Some customer data was stolen, although full credit card numbers aren’t stored on the retailer’s systems. Analysts are predicting the retailer has taken losses of over £40 million weekly since the April breach.
Third-party data breaches increased 15% in 2024: Third parties accounted for 30% of last year’s data breaches – up 15% from the previous year, according to new research. The report’s year ended Oct. 31. While third-party risk has always existed, third-party cyberattacks have become much more widespread. This is particularly prevalent as organizations rely more and more on third parties to provide critical services.
2024 third-party data breach impacts another healthcare organization: The personal information of more than 200,000 patients was compromised in a third-party healthcare data breach. Although the breach against the third party happened in July 2024, the breached medical clinic wasn’t formally aware of it until February. Compromised information includes financial account details, Social Security numbers, and medical information. The third party reported there’s no evidence of identity theft or fraud at this time, although patients will need to remain vigilant. Other healthcare organizations were impacted in the third-party breach.
Third-party breach exposes information of almost 500,000: A third-party IT services provider shared that the healthcare information of more than 483,000 people was compromised in a breach. Data includes Social Security numbers, medical record numbers, and patient account numbers. Third-party vendors are often targeted because of their access to critical data and systems. The impacted organization has more than 75 locations in western New York, all of which may have been compromised.
Two-step supply chain attack impacts semiconductor company: In September 2024, a human capital services provider in the Middle East — acting as a business partner to a payroll company — experienced a ransomware attack that resulted in the theft of customer data. The breach impacted chipmaker Broadcom, which was in the process of switching payroll providers at the time. Despite the transition, data was still compromised due to the third-party attack.
Recently Added Articles as of May 15
The OCC is allowing banks to outsource to third-party crypto providers as long as risk management practices remain in place, a recent California enforcement action emphasized accountability even when services are outsourced, and a third-party software company alerted customers to a data breach. Catch up below.
OCC permits banks to outsource to third-party crypto providers – with risk management practices in place: The OCC released an Interpretive Letter clarifying that banks can offer crypto-asset custody services—including safekeeping and transaction execution—by partnering with third-party service providers (sub-custodians), as long as proper risk management controls are in place. Banks may act in either a fiduciary or non-fiduciary role but must maintain oversight, ensure third-party providers have appropriate controls, and conduct all activities in a safe, sound, and compliant manner.
California fines company $345k when vendor tool falls short on privacy compliance: The state of California fined a national retailer more than $345,000 for failing to comply with the California Consumer Privacy Act. The action was rooted in failures with an opt-out tool on a company’s website. The company relied on third-party compliance tools, but the enforcement action said that’s not enough. When things go wrong, it’s up to the company – not the vendor – to ensure the issue is corrected.
Third-party software company notifies of data breach: A third-party software company notified over 160,000 people that their information was compromised in a data breach. The third party provides services to money service businesses. The company’s security team noticed an in-progress file transfer that they were able to stop mid-transfer. Impacted information includes names, driver’s license numbers, and Social Security numbers.
Setting third-party AI usage guidelines with an AI policy: Creating an internal AI policy at your organization is crucial for ensuring third-party products and services align with it. It sets clear expectations and guidelines for how a third party can use AI for your organization. Include guidelines for assessing and selecting third-party AI vendors and outline responsibilities for compliance. The AI policy should cover how data is collected, stored, processed, and deleted, and should specify sensitive information that is prohibited from AI. When contracting with a third-party AI vendor, be sure to understand how their practices align with your own policy.
Related: AI and Risk Management Controls: How to Protect Your Institution
Recently Added Articles as of May 8
California issued a consent order over a bank’s fintech relationships, a banking outage shows the importance of third-party contingency planning, and another third-party breach emphasizes the necessity of TPRM. Check out this week’s news below.
California issues consent order over bank’s fintech oversight, signaling ongoing state scrutiny: The California Department of Financial Protection and Innovation (DFPI) issued a consent order against a bank for inadequate oversight of its fintech partners—specifically those involved in key Bank Secrecy Act (BSA) and anti-money laundering/countering the financing of terrorism (AML/CFT) functions. The deficiencies were directly tied to the bank’s fintech and banking-as-a-service relationships.
The order requires the bank to conduct ongoing, risk-based reviews of every fintech or vendor supporting BSA compliance. While joint federal-state consent orders are common, this action came solely from California — highlighting how states like California and New York may increasingly assert regulatory authority amid continued uncertainty at the federal level.
Banking outage reveals importance of third-party contingency planning: A recent Fiserv outage disrupted money movement on the Zelle platform, impacting roughly 60 applications and limiting customers' ability to transfer funds. The incident occurred during a planned infrastructure update and required Fiserv’s network team to reverse the change and restore service. The outage highlights the importance of contingency planning that accounts for third-party outages. An incident with a single provider can cascade through the entire system. Vendor service level agreements (SLAs) that outline availability, uptime, and penalties are critical to protecting your organization.
Operational risk a top third-party concern, according to new study: Third-party operational risk is a top concern for executives across industries, according to a new study. As third-party cyberattacks increase, organizations are paying closer attention to their TPRM practices. Third-party financial, cybersecurity, privacy, and regulatory risks were also top executive concerns. As a result, more organizations (39%) are considering business process/function criticality when determining third-party criticality.
Sensitive information breached in third-party incident: A large private healthcare system notified patients of a December data breach where information was inadvertently disclosed to a former business partner. That information was stolen from the partner due to a third-party software vulnerability. Information impacted includes names, addresses, emails, and Social Security numbers.
How AI usage increases your third-party risks: Vendors are quickly implementing artificial intelligence (AI) into their systems, creating greater third-party risks. As many vendors share or process sensitive data to train AI models, your organization must ensure its data remains protected. Before beginning a vendor relationship, understand how AI is used with the product/service and how your data will be used. Ask questions about the AI architecture to understand how the vendor’s AI model works and handles data. You’ll need additional scrutiny for vendors creating their own AI models. Having real-time visibility into the vendor’s risk is essential for protecting your organization – this is where a TPRM platform becomes an essential investment.
Download Venminder’s Artificial Intelligence Sample Vendor Questionnaire here.
Recently Added Articles as of May 1
Several third-party data breaches highlight the importance of vendor risk management activities, a new study reveals third-party risk managers aren’t always reporting red flags, and third-party privacy compliance should be a top priority for organizations. Catch up on this week’s news below.
Study reveals why third-party risk managers are reluctant to share vendor red flags: Research from Gartner highlighted a critical gap in third-party risk management. While 95% of third-party risk managers observed red flags in the past year, only about half escalated these concerns to compliance teams. The reluctance stems from three key factors: confidence in identifying risks, personal affinity with vendors affecting objectivity, and the perceived ROI of sharing information. Working on training with relationship managers can help address their confidence. However, 36% of managers said they feel obligated to protect third-party relationships from their own organizations. It’s important to prioritize communication and collaboration with relationship managers to address these potential issues.
Using vendor risk management to defend against cybersecurity risks: It only takes one third-party vendor to cause a downstream supply chain attack impacting your organization. It’s critical for CISOs to manage these third-party cybersecurity risks. Review your vendor’s security certifications and audit reports. Implement tools to monitor vendor risks in real time and use your third-party contracts to mandate compliance with your organization’s security policies. These are all steps toward a resilient vendor risk management program that protects your organization.
Don’t forget third-party compliance with state privacy laws: State regulators at a global privacy summit urged organizations to know their third-party vendors and their data privacy practices. There are privacy laws in 20 states, plus global privacy regulations, and vendors need to comply with them. Regulators are primarily focused on data breaches, security practices, transparency, and opt-out options. Regulators advised organizations to be transparent and responsive when addressing regulator inquiries.
Third-party cyberattack impacts sensitive patient data: A cyberattack against a third-party technology provider compromised patient information at an Australian healthcare organization. Impacted information includes names, addresses, results of a sleep trial, and some limited clinical study notes.
Patient information compromised in third-party healthcare attack: A third-party healthcare provider was hit by a ransomware attack, impacting the data of nearly 700,000 patients. Although U.S. hospitals didn’t experience any impact to patient care, patient information was posted to the dark web. This latest breach highlights how cybercriminals target third-party vendors to conduct attacks.
Third-party tool misconfiguration leads to disclosure of sensitive data of 4.7 million: A data breach with a health insurer compromised 4.7 million members due to a misconfiguration of a third-party tool. The insurer discovered that Google Analytics was configured to allow member data to be shared with Google Ads, likely including protected health information. Organizations face data breach risks when third-party scripts aren’t properly isolated – leading to regulatory scrutiny, financial penalties, and a damaged reputation.