Three converging trends (geopolitical friction, the rise of AI-enabled attacks and uneven cyber hygiene across supplier networks) are reshaping how organisations approach third‑party risk, industry observers say, and recent incidents underline the urgency of fast, practical change.
According to a report in CSO Online, more than a third of data breaches now stem from compromised vendors or partners rather than from failures of internal controls, a shift that amplifies the po...
Regulatory pressure is tightening in parallel. Corporate Compliance Insights warns that registered investment advisers with under $1.5bn in assets under management must meet amended SEC requirements under Regulation S‑P by 3 June 2026. The changes require written incident response programmes, 30‑day customer breach notifications and formal oversight of service providers that handle customer data, including a 72‑hour notification duty if a vendor suffers a breach. The SEC has listed Reg S‑P compliance among its 2026 examination priorities, increasing the risk of scrutiny for firms that delay preparation.
The increasing use of AI by advisers introduces additional compliance complexities. Coverage collated for this package highlights five core considerations for firms: documenting intended AI use cases and material changes, explaining vendor and tool functions to regulators, monitoring autonomous behaviour, and tracing customer data flows to satisfy privacy and fiduciary standards under Regulation S‑P. As automated tools move closer to investment decisions, regulators’ focus is shifting from mere disclosure of conflicts to the adviser’s duty of care in supervising technology.
Operational resilience is also under the microscope. A UK Finance report argues that static or generic exit documentation is inadequate when a supplier fails, underperforms or no longer aligns with strategic needs. It recommends scenario‑specific exit strategies, continuous refresh of supplier documentation and integration of exit planning with business continuity and disaster recovery. The report cautions that hidden sub‑outsourcing chains and cloud dependencies often mask true exposure and can render rapid large‑scale exits impractical.
Practical vendor selection remains a weak point for many banks and credit unions. The American Bankers Association’s core platforms survey shows that institutions tend to overvalue features while undervaluing support and service quality, producing middling satisfaction scores. In one survey cited here, more than half of community institutions whose technology programmes faltered pointed to inadequate vendor support as a primary cause. The implication is clear: procurement must weigh service metrics, case resolution performance and support‑team structure as heavily as functionality.
Experts stress that cyber resilience across supplier ecosystems requires leadership beyond IT teams. Only a small proportion of organisations brief their boards or C‑suites on cyber matters regularly, leaving accountability gaps at the top, industry commentary warns. Strengthening resilience demands mapping root causes, maintaining comprehensive supplier records and embedding incident coordination across the full chain of relationships so that remediation is swift and collective when a supplier is compromised.
Recent events demonstrate the stakes. Lloyds Banking Group confirmed an IT defect introduced during an overnight update to its mobile apps on 12 March 2026 allowed some customers to see other users’ transaction information and personal identifiers. Reporting in Finextra and The Guardian put the number of affected customers at nearly half a million and said the bank had notified regulators and offered compensation for distress and inconvenience, while noting no financial losses had been reported. The episode illustrates how a single software change at a large vendor or client can rapidly become a widespread customer‑protection and regulatory issue.
Taken together, the guidance and incidents compiled this month suggest a practical agenda for firms: assume vendor compromise is possible, harden oversight of third‑party technology and AI, test and update exit plans continuously, elevate cyber risk to executive forums and prioritise vendor support as a key procurement criterion. Regulators, meanwhile, are signalling that they expect documented, tested responses and clear vendor governance to be in place, and will examine firms accordingly.
Source: Noah Wire Services