April 2026 Vendor Management News

 Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of April 16

Third-party analytics breach ripples across dozens of companies. More than a dozen companies are dealing with the fallout from a vendor breach. The ShinyHunters extortion group breached Anodot, an AI-powered cloud analytics platform, stealing authentication tokens that granted access to customer data stored in Snowflake environments.

Wealth management firms hit with class action lawsuits over data breaches. Two wealth management firms face class action suits over alleged failures to protect client data, joining a growing list of firms. One of the suits alleges ShinyHunters stole Salesforce records containing client PII and over 200GB of internal corporate data. On a more proactive note, FINRA launched a new Financial Intelligence Fusion Center — a secure portal for member firms to share and act on emerging cyber threat intelligence.

OneDigital warns nearly 28,500 clients of Salesforce data breach. OneDigital Investment Advisors notified clients that their data stored in Salesforce, the firm's CRM platform, was potentially accessed and copied by an unauthorized actor. The entry point was Drift, a connected chat tool, not the core Salesforce platform itself. The breach is part of a pattern of third-party and integration-layer attacks hitting financial advisory firms, with ShinyHunters linked to several incidents across the industry.

Vendor coercion is a governance problem for financial institutions. When access to business opportunities gets conditioned on adopting a vendor's technology, normal procurement and risk governance breaks down — and AI makes this more dangerous than ever. Security experts warn that tools adopted under pressure often bypass security review, create data exposure risk, and embed themselves in workflows before anyone has fully evaluated them.

The financial fallout from breaches extends well beyond the incident itself. The real cost of a data breach is the long tail of litigation, regulatory investigations, customer notification obligations, and reputational damage that can persist for years. A new report shows that losses from data-theft incidents were more than double those without, and that data theft now accounts for 40% of the value of cyber claims in the first half of 2025. Organizations are increasingly leaning on insurance brokers and peer networks to benchmark exposure and stay ahead of evolving threats. 

Recently Added Articles as of April 9

AI adoption at wealth management firms is raising the bar for vendor oversight. As the SEC shifts toward principle-based oversight under Chair Paul Atkins, RIAs and wealth managers have more flexibility in designing compliance programs — but face less tolerance for ambiguity when things go wrong. AI amplifies risk across cybersecurity, vendor management, and data governance simultaneously, and regulators now expect firms to know exactly how AI is being used across their organizations, including by third-party providers. Exam requests increasingly include vendor lists, due diligence records, and technology governance documentation.

Insurance regulators are increasing AI vendor scrutiny. At the NAIC's 2026 Spring Meeting, regulators advanced a proposal to create a registry for AI model and data vendors used by insurers, signaling heightened scrutiny of third-party governance in underwriting and pricing. State pilot programs are already underway to assess how insurers use AI across business functions, with a focus on high-risk applications. Regulators also flagged growing concern around agentic AI systems, noting the difficulty of assigning accountability when errors cascade across multiple automated agents. Business continuity planning, not just breach containment, must be standard.

Regulators remove reputation risk from the supervisory playbook. The FDIC and OCC jointly finalized a rule prohibiting both agencies from criticizing institutions or taking adverse action against them based on reputation risk. That protection now explicitly extends to third-party relationships. Regulators can no longer require, encourage, or pressure an institution to terminate or modify a contract with a vendor based on that vendor's political views, lawful business activities, or perceived reputational exposure. The rule takes effect 60 days after publication in the Federal Register.

AI-powered attacks and supply chain vulnerabilities are evolving cybersecurity. Cybercriminals are increasingly using AI to run more convincing phishing campaigns, develop self-replicating malware, and manipulate AI models. Supply chain exposure remains a critical weak point, as a single vendor's compromised credentials can cascade into hundreds of millions in losses. With class action lawsuits, state AI legislation, and heightened executive liability all adding to the pressure, cybersecurity is a business, legal, and governance issue that demands continuous third-party oversight and tested incident response plans.

RIAs need AI policies and incident response plans ready for SEC exam season. With the SEC zeroing in on compliance program policies and procedures in its 2026 examination priorities, investment advisers that use AI tools need a formal policy covering appropriate use, client data protection, vendor due diligence, and recordkeeping. The more urgent deadline is June 3, when all SEC-registered RIAs must have a written incident response plan under Regulation S-P — one that outlines how the firm will assess a breach, contain and remediate the incident, notify affected clients, and ensure service providers report any security breach involving customer data within 72 hours.

GLBA reaches further than most vendors realize. Many organizations that serve financial institutions ¾ such as data brokers, call centers, or technology providers ¾ assume GLBA doesn't apply to them, but that assumption can be costly. Under GLBA, financial institutions must contractually push data security, confidentiality, and breach notification requirements down to every vendor handling customer information, effectively extending GLBA-level obligations into the vendor's environment regardless of whether the vendor is directly regulated. Vendors that cross into financial activity themselves by offering credit scoring, consumer wallets, or direct lending can trigger compliance obligations.

Open banking is expanding fast — and credit unions' third-party risk programs may not be keeping pace. The open banking ecosystem now includes more than 4,000 financial institutions and 10,000 fintech companies, with over 100 million consumers linking financial accounts. But that growth is outpacing governance. Unlike traditional vendor relationships with formal reviews and contractual safeguards, open banking is consumer-initiated, meaning data can flow through aggregators, platforms, and downstream service providers that the credit union never directly vetted. When something goes wrong, the institution typically absorbs the reputational and operational fallout, making continuous monitoring, sub-processor visibility, and strong consent management essential.

Vendor breach at an AI data company exposed proprietary training secrets. Meta suspended its relationship with Mercor, an AI data labeling and processing vendor, after a security incident potentially exposed closely guarded details about how the company — and several other leading AI labs — train their models. The breach highlights a fundamental vulnerability in the AI supply chain: the demands of training frontier models have pushed even large organizations to rely on specialized outside vendors, creating multiple points of compromise around some of the industry's most sensitive intellectual property.

Attack on a third-party support platform exposed customer data. Hims & Hers confirmed hackers broke into its third-party customer service ticketing system over a three-day window in February, compromising customer names, contact information, and support ticket data. The breach was a social engineering attack that tricked employees into granting system access.

Third-party ransomware attack compromises Nissan data. The Everest ransomware group claimed to have stolen 910 gigabytes of customer, dealership, and auto loan data after accessing a file-transfer system. Nissan said its own systems were not compromised, but the vendor's infrastructure reportedly had publicly exposed credentials that hadn't been rotated in years and no multi-factor authentication in place.

The riskiest vendors aren't always the ones you're watching most closely. Over-privileged access and weak everyday workflow controls can pose a greater threat than dramatic ransomware attacks. When it comes to third-party vendors, treat them as integrated parts of the supply chain rather than external counterparties. Keep a live vendor inventory, require subcontractor disclosure, and perform ongoing monitoring. Before onboarding any AI-native tool, ask detailed questions about data retention, model training practices, jurisdictional rules, and contractual liability — and require independent audits to verify the answers. 

Recently Added Articles as of April 2

Three forces are escalating your third-party risk. Geopolitical conflict, AI-powered attacks, and cyber inequity across vendor ecosystems are converging to create an environment where well-defended organizations still suffer serious incidents. More than 35% of data breaches now originate from a compromised vendor or partner — not from any failure in internal controls. Organizations need to plan for incidents, assume a partner will eventually be compromised, and build coordinated response into their programs before disruption hits.

Smaller investment advisers face a June 3 deadline on Reg S-P. Registered investment advisers with less than $1.5 billion in assets under management must comply with the SEC's amended Regulation S-P requirements by June 3. The amendments require written incident response programs, 30-day customer breach notification, and formal oversight of service providers with access to customer data, including a 72-hour notification requirement if a provider experiences a breach. The SEC has named Reg S-P compliance a 2026 examination priority, so smaller firms should start preparing now.

Financial services firms need tested exit strategies. Static exit plans and generic documentation aren't enough when a critical supplier fails, underperforms, or no longer fits your strategy. Leading organizations are building scenario-specific strategies that distinguish between planned and stressed exits, continuously refreshing documentation as supplier models evolve, and embedding exit planning into business continuity and disaster recovery functions. Hidden sub-outsourcing chains and cloud dependencies remain a persistent blind spot. Without deeper dependency mapping, a rapid large-scale exit may not be as feasible as it looks on paper.

Investment advisers using AI face five key compliance considerations. As AI moves closer to investment decisions, regulators are shifting focus from conflicts of interest to fiduciary duty of care. The SEC's 2026 examination priorities specifically flag the use of automated investment tools and AI technologies. Advisers should be prepared to explain what their AI tools and vendors do and how they monitor them, document intended use cases and material changes, and assess how customer data flows through these systems under Regulation S-P, particularly as tools become more autonomous.

Service and support are the vendor criteria banks keep underweighting. Banks and credit unions under pressure to keep up with fast-moving technology often prioritize features over everything else when making vendor decisions — but that instinct can backfire. The ABA's most recent Core Platforms Survey puts average vendor satisfaction at just 3.19 out of 5, with core provider effectiveness scoring even lower at 2.78. When credit union leaders whose tech plans fell short were asked why, 53% cited insufficient vendor support. For community banks and credit unions already squeezed by competitive pressure, regulatory change, and AI deployment demands, evaluating vendors on service quality, client satisfaction data, case resolution times, and support team structure is critical.

Supply chain cyber resilience demands leadership, not just IT fixes. Supply chain attacks scale easily — compromise one vendor and you can reach hundreds of downstream networks. Yet only 16% of UK organizations brief their C-suite on cybersecurity monthly or more, leaving meaningful accountability gaps at the top. Building real resilience requires more than reactive patching: it means mapping root causes, maintaining clear supplier documentation, and embedding incident response coordination across the entire vendor ecosystem, including every supplier relationship.

Lloyds Banking Group data exposure hits nearly half a million customers. A software defect during an overnight update at Lloyds Banking Group allowed customers to briefly view transaction data belonging to other users, including account numbers and National Insurance numbers. Almost 450,000 customers were affected.