Third-party risk has moved well beyond a narrow procurement or security issue. According to the 2026 Verizon Data Breach Investigations Report, breaches involving suppliers rose 60% year-on-year and now account for 48% of all incidents, a sharp reminder that what happens outside an organisation’s own walls can quickly become an internal crisis.
That shift matters because most businesses depend on a web of cloud providers, software vendors and specialist service firms to keep ...
The underlying problem is that companies often inherit risk they do not directly control. They can review a supplier’s policies, but they cannot fully govern the supplier’s behaviour, its subcontractors or the jurisdictions in which it operates. That gap between dependence and control is now wide enough to threaten continuity, not just compliance.
Annual assurance exercises are struggling to keep up. A supplier may look sound when a review is completed, yet change materially within months through the use of unapproved AI tools, new overseas operations, financial strain or altered ownership. By the time the next assessment arrives, the risk may already have rippled through a business network.
Geopolitics is one reason. Tariffs, sanctions and regional instability can turn a once-reliable vendor into one that is unusable, unaffordable or legally problematic almost overnight. AI is another. As suppliers adopt generative tools, sometimes through smaller AI providers with weaker security controls, questions arise over where customer data is stored, how code is reviewed and whether shadow AI is slipping into production workflows.
Cybercrime remains the most immediate concern. The Change Healthcare breach showed how one heavily embedded supplier can expose an entire sector, with attackers gaining access to patient data processed for providers and insurers and affecting about 193 million people. And a 2026 survey by Panorays found that 60% of CISOs had seen more third-party cyber incidents over the previous year, reinforcing the sense that supplier ecosystems are becoming easier targets.
Security leaders, then, need a more pragmatic model. The answer is not to scrutinise every supplier to the same degree, but to focus on the relationships that could genuinely disrupt the business.
That starts with building a single, cross-functional view of the supplier base, bringing together procurement, legal, security and business owners so the organisation knows what each vendor provides, what data it touches and which systems it can reach. The next step is to rank suppliers by business impact rather than contract value, because a modest contract can still support a critical operation.
Companies also need to map fourth-party dependence and concentration risk, including reliance on subcontractors, cloud infrastructure and politically exposed regions. Where a critical dependency exists, leaders should have a fallback plan, whether that means an alternative supplier, a manual process or a tested recovery pathway.
Finally, contracts and monitoring need to reflect the importance of the relationship. For critical suppliers, firms should insist on incident notification, response obligations, audit rights, responsible AI use and clear regulatory duties. Ongoing monitoring should watch for sanctions, ownership changes, weakening security controls, repeated outages and signs of financial distress.
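The triage the article describes (inventory the supplier base, rank by business impact rather than contract value, map shared fourth-party dependencies, and watch for change signals) can be put into a small model. The following is an added example, not code from the article or from any of the organisations it cites; the suppliers, spend figures, scoring weights and tier thresholds are all constructed for illustration.

```python
"""Supplier triage by business impact, with fourth-party concentration and
monitoring-signal checks. Added example; all data and weights are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Weighting for data classes is an assumption of this example, not a standard.
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Change signals the article says ongoing monitoring should watch for.
WATCH_SIGNALS = {
    "sanctions_hit", "ownership_change", "control_downgrade",
    "repeated_outage", "financial_distress",
}


@dataclass
class Supplier:
    name: str
    contract_value: int          # annual spend (constructed)
    data_class: str              # highest class of data the vendor touches
    systems_reached: int         # internal systems the vendor can reach
    supports_critical_ops: bool  # does a core process stop without it?
    fourth_parties: tuple        # subcontractors / cloud providers it relies on
    region: str
    signals: tuple = ()          # monitoring signals seen since last review


def impact_score(s: Supplier) -> int:
    """Business-impact score that deliberately ignores contract value."""
    score = DATA_WEIGHT[s.data_class] * 2
    score += min(s.systems_reached, 5)
    score += 4 if s.supports_critical_ops else 0
    return score


def tier(score: int) -> str:
    """Map a score to a review tier (thresholds are an assumption)."""
    if score >= 9:
        return "critical"
    if score >= 5:
        return "important"
    return "standard"


def rank_by_impact(suppliers):
    return sorted(suppliers, key=impact_score, reverse=True)


def rank_by_spend(suppliers):
    return sorted(suppliers, key=lambda s: s.contract_value, reverse=True)


def concentration(suppliers):
    """Fourth parties that two or more important/critical suppliers share.

    A shared cloud provider or subcontractor is a single point of failure
    for every supplier that depends on it."""
    shared = defaultdict(list)
    for s in suppliers:
        if tier(impact_score(s)) != "standard":
            for fp in s.fourth_parties:
                shared[fp].append(s.name)
    return {fp: names for fp, names in shared.items() if len(names) >= 2}


def needs_reassessment(suppliers):
    """Non-standard suppliers with a watch signal since the last review."""
    return [s.name for s in suppliers
            if tier(impact_score(s)) != "standard"
            and WATCH_SIGNALS & set(s.signals)]


# Constructed inventory: the biggest contract is the least risky relationship.
INVENTORY = [
    Supplier("MegaOffice Supplies", 2_000_000, "internal", 1, False,
             ("CloudA",), "EU"),
    Supplier("ClaimsClear", 150_000, "regulated", 4, True,
             ("CloudA", "SubcontractorX"), "US", ("ownership_change",)),
    Supplier("PayrollCo", 300_000, "regulated", 2, True, ("CloudA",), "UK"),
    Supplier("DesignStudio", 50_000, "internal", 1, False, ("CloudB",), "EU"),
    Supplier("HelpdeskSaaS", 90_000, "confidential", 3, False,
             ("CloudB", "CloudA"), "US", ("repeated_outage",)),
]

if __name__ == "__main__":
    print("Top by spend: ", rank_by_spend(INVENTORY)[0].name)
    print("Top by impact:", rank_by_impact(INVENTORY)[0].name)
    for s in rank_by_impact(INVENTORY):
        print(f"  {s.name:20} score={impact_score(s):2} tier={tier(impact_score(s))}")
    print("Concentration:", concentration(INVENTORY))
    print("Reassess now: ", needs_reassessment(INVENTORY))
```

Ranking by spend puts the office-supplies vendor first; ranking by impact puts the regulated-data claims processor first, which is the article's point about modest contracts supporting critical operations. The concentration check surfaces that every non-standard supplier in the sample depends on the same cloud provider, and the reassessment list turns the monitoring signals into a trigger for an out-of-cycle review rather than waiting for the annual assessment.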
The message from the latest breach data is blunt: supplier risk is no longer something to review once a year and then file away. It is a live business-resilience issue, and the organisations that respond fastest to change are likely to be the ones that absorb the least damage when a supplier goes wrong.
Source: Noah Wire Services