
September 2025 Vendor Management News


Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of September 25

The visibility gap is widening. Organizations are losing sight of their risk environment as attacks become more sophisticated. More than 40% of organizations don't know how long it takes them to detect a breach, while major players continue to fall victim to third-party compromises. At the same time, groups like Scattered Spider and ShinyHunters continue to refine their tactics, and the expansion of AI regulations adds fresh compliance pressure.

Static, checklist-driven vendor risk programs are no longer enough. With regulators calling for continuous oversight, attackers exploiting supply chains, and technology shifting faster than defenses, organizations need real-time visibility and proactive risk management to stay resilient.  

Vendor visibility gaps leave organizations exposed. A new data security and compliance report reveals that 42% of organizations are uncertain about how long it takes them to detect a breach or security event — a sign that “most companies are still flying blind at the worst possible moments.” What’s even more alarming is that many companies managing 1,000-plus vendors have yet to invest in enterprise-level automated solutions, putting themselves in the “danger zone” and more susceptible to supply chain risks.  

Vendor risk is not static. The stakes are rising for compliance professionals in an increasingly complex third-party risk environment. Regulators expect ongoing due diligence rather than one-time reviews, making proactive vendor risk management essential for protecting compliance, resilience, and reputation. For financial institutions and other organizations, best practices include continuous monitoring, robust contract management, clear oversight of subcontractors, and regular reassessments tied to risk tiering.  

Automaker giant confirms data breach. Stellantis, the company behind Chrysler, Fiat, Jeep, and other major brands, says a breach occurred through a third-party service provider's platform supporting its customer service operations. Reports say hackers (allegedly the ShinyHunters group linked to Salesforce-related breaches) stole 18 million customer records, including names and email addresses, but not financial info. This incident — along with other recent vendor breaches — underscores the importance of robust cybersecurity measures in protecting customer data. 

Experts urge organizations to strengthen cyber defenses. During a recent risk management summit, experts discussed the importance of strengthening defenses against Scattered Spider tactics after the group successfully targeted major retailers this year. The group bypasses multifactor authentication using social engineering, and similar tactics are now seen from others like ShinyHunters. Security professionals recommend focusing on three key areas: implementing identity-based protections like number-matching MFA codes, updating processes to counter social engineering attacks, and reinforcing third-party risk management to reduce vendor-related compromises. 

AI regulation is accelerating globally. As AI regulations expand internationally, the intersection of AI and third-party risk management is becoming increasingly critical. While each country takes its own regulatory approach, the U.S. remains patchy with state-by-state rules stacking up. To stay updated, FIs and organizations across all industries can refer to regulatory guidance, track enforcement actions, and use automated compliance tech to receive updates tailored to their services and geography.  

Recently Added Articles as of September 18

Amid delayed breach notifications and mounting regulatory scrutiny, credit unions and organizations across many industries are discovering that effective third-party risk management isn't just checking a box — it's about security and survival.  

As AI tools proliferate across vendor ecosystems and cyber insurers demand stronger oversight, the gap between governance frameworks and real-world execution is becoming impossible to ignore, underscoring the critical need for continuous risk assessments, enhanced due diligence, and accountability at every level of the vendor relationship.  

TPRM key for credit union AI oversight. Third-party risk management is highlighted as an important part of AI governance on NCUA’s new Credit Union Artificial Intelligence (AI) Resources pages. It also references the NIST framework and the importance of having controls and continuously monitoring third-party AI systems. Credit unions should understand what it means when vendors say they are using AI and how vendors will use their data. 

Credit union takes two years to announce breach. Experts are raising eyebrows at a credit union that took 20 months to investigate and notify members of a breach of more than 187,000 people — exposing names, PINs, healthcare and account details, Social Security numbers, and other sensitive information. The breach took place in September and October of 2023, was discovered in January 2024, and the credit union didn’t inform members until September 2025. It’s unclear why the investigation — conducted by a third party — took so long or whether the breach was internal or caused by a third party. 

SLA enforcement may get boost from AI. AI may make it easier to enforce service-level agreements (SLAs) by allowing companies to analyze audio or video that signal call center shortcomings, customer complaints, and other legal and compliance issues. The key will be to ensure data is protected. 

Cyber insurers raise the bar on vendor oversight. The growing number of third-party breaches is causing cyber insurers in the United Kingdom to scrutinize how organizations manage their vendors and enforce security practices. Policyholders are being pushed to strengthen supplier contracts and oversight, particularly when third parties handle sensitive or regulated data.

Railway vendor breach leads to phishing fodder. A British railway operator suffered a third-party breach exposing personal customer information, including travel history. Experts warn this data is valuable for phishing, social engineering, and identity theft, underscoring the importance of vendor oversight and strong governance. Continuous risk assessments are essential to staying ahead of such threats. 

Recently Added Articles as of September 11

Amid the continued fallout of the Salesloft-Drift breach, organizations face a stark truth: their most significant cybersecurity risks often don’t come from direct attacks, but from the vendors, software, and AI tools they depend on every day. As companies expand their services and grow through M&As, these vulnerabilities can remain hidden until it’s too late, highlighting the importance of vendor due diligence, cyber resilience, and ongoing monitoring.  

CISOs struggle with third-party software risks. 71% of CISOs dealt with a third-party security incident in the past year, with some facing multiple breaches, according to a new survey. The findings point to a key lesson: heavy reliance on external software creates exploitable weak points when permissions are too broad, dependencies aren’t vetted, or vendor oversight is lacking. For CISOs, the takeaway is clear: security programs must extend beyond the enterprise to include rigorous monitoring of third-party software use, tighter access controls, and stronger supply-chain governance.

AI and third-party oversight gaps leave organizations exposed. Nearly half of organizations don’t know who has access to their sensitive data, and those blind spots create a cascading threat. Over 40% of firms are unsure when breaches happen. AI governance is another glaring weak point: only 17% of organizations have technical controls in place. C-suite and compliance leaders must rethink their third-party and AI strategies now. Without robust controls, policies and monitoring tools, risks compound quietly until it’s too late.

Third-party risk: the hidden cyber threat in M&A. In acquisitions, inherited vulnerabilities often come from outside the target company itself. Reliance on vendors, suppliers, and cloud providers creates multiple attack vectors, and if those third parties lack strong security, they can open the door to breaches, ransomware, or data theft. Cyber resilience must be embedded into every stage of the M&A process — from due diligence to implementation — to safeguard both value and reputation.

The impact of the Salesloft-Drift breach continues. Another tech giant has confirmed it’s one of the latest victims of the Salesloft-Drift breach, a major cybersecurity incident that is being called the “next MOVEit MFT fiasco.” In August 2025, attackers exploited the Salesloft Drift integration to access Salesforce CRM data, putting the customer data of hundreds of companies at risk. The ongoing impact of a single breach serves as a reminder that fourth-party risk is real, and vendor risk assessments must go beyond simply checking the boxes to ensure proper security practices are in place.   

Shadow AI creates downstream risks. As more employees rely on artificial intelligence-driven tools to streamline their tasks, vendor risks grow. Employees may use vendor AI tools outside approved channels, exposing sensitive data, while downstream integrations or partner tools add fourth-party risk. Traditional contracts often miss these threats, so organizations must ensure they monitor embedded AI features, enforce clear usage policies, and ensure governance to prevent regulatory exposure.

Recently Added Articles as of September 4

Third-party and even fourth-party vendors are now a prime source of cyber risk, driving phishing scams, ransomware incidents, and breaches impacting credit unions, financial advisors, and even investors. 

From a new TransUnion breach to the potential expansion of EU outsourcing rules, the message is consistent: stronger vendor oversight, continuous monitoring, and investment in TPRM are essential not only for compliance, but also for protecting customer trust and organizational value.

Vendors drive 43% of phishing attacks. Nearly four in ten fake invoice scams and 43% of phishing incidents stem from vendor compromise, according to PYMNTS Intelligence. Social engineering training is an important cyber control for vendors. Preventing these incidents requires ongoing monitoring of vendor risks, including reviewing security audits like SOC 2s.

Third- and fourth-party risk are a common credit union blind spot. Many credit unions stop at basic vendor vetting, leaving them blind to the cybersecurity practices of vendors’ subcontractors. Reducing this risk goes beyond onboarding — it takes updated vendor inventories, stronger outsourcing contracts, audit and breach notification rights, and periodic reviews tied to each vendor’s risk level. Without ongoing oversight, downstream partners can quietly expand the attack surface and create vulnerabilities that credit unions never see coming.

Third-party cyber risk puts investor value at stake. Investors are encouraged to consider a financial organization’s investments in TPRM and other forms of cybersecurity and whether they spend enough to keep up with TPRM regulatory compliance. Third-party data breaches can create significant financial and reputational damage, ultimately affecting the value of the organization.

Advisors face risk through vendor vulnerabilities. Financial advisors need to research vendors’ cybersecurity before partnering with them. Criminals engaged in phishing, social engineering, malware, and ransomware don’t just target advisors directly — they also target their vendors. Contracts defining data security provisions are a must. 

Third-party app hack hits TransUnion. Credit reporting agency TransUnion disclosed a July 28 breach that exposed personal details of about 4.4 million people, including names, Social Security numbers, and birthdates. The incident was traced to a third-party application.

EU regulators target wider third-party oversight. The European Banking Authority (EBA) is proposing to broaden its outsourcing rules to cover all third-party (non-ICT) service arrangements, not just traditional outsourced functions, while excluding services already governed by DORA. If adopted, the change would require institutions to update contracts and extend their risk frameworks to a wider set of vendors, enforce DORA-like contract standards, and keep detailed registers of third-party relationships. The EBA is accepting feedback until October 8, 2025.

